Australian market operators could be subject to tighter rules when outsourcing their IT systems and services following a public consultation.
The Australian Securities and Investments Commission (ASIC) is calling for stricter diligence around the use of third-party service providers in the public trading industry following a series of "major system outages".
Aimed at market operators such as the Australian Securities Exchange (ASX), the National Stock Exchange (NSX) and Sydney Stock Exchange (SSX), the consultation argued poor controls around outsourcing can lead to or exacerbate market disruption.
In a consultation launched on 27 June, ASIC referenced previous occasions when an outsourced service provider failed to follow standard procedures for system maintenance during a critical outage, resulting in settlement failures.
In particular, ASIC singled out the use of overseas providers, claiming these may have “inadequate oversight of actual service levels”, while timezone differences may slow the resolution of technical issues.
“The responsibilities of a market operator include the provision of critical infrastructure that facilitates trading, compliance oversight and the handling of market-sensitive data,” ASIC said.
“Consequently, the outsourcing of critical systems or the operation or support of those systems brings with it unique risks and challenges that differ from other financial entities.”
Under proposed new rules, market operators would be required to “conduct due diligence prior to entering into an outsourcing arrangement”.
Operators would be compelled to have a legally binding written contract with providers, monitor the service provider’s performance and ensure that ASIC has access to all books, records and information relating to the critical systems and service provider’s maintenance.
ASIC also recognised the changing demands of Australia’s cloud market, noting “increased reliance on cloud service providers may concentrate risk in a small number of service providers and heighten cyber security risks”.
However, the body said it would not propose cloud-specific rules but would “closely monitor developments with cloud computing” and may release further guidance later.
The cyber security threat to integrity
ASIC’s 48-page document also highlighted the need for stronger cyber security diligence in the wake of a number of “penetration attempts across the industry”.
The body claimed there has been a growing number of share sale frauds, in which client identification and account details are stolen and the share accounts, along with the shares and funds they hold, are then accessed and stolen.
“Cyber attacks on market operators and market participants may impact on the security, confidentiality, integrity and availability of access to data. Such attacks can also affect investor confidence in the integrity of the markets they invest in,” ASIC stated.
Under a set of new rules, designed to complement Australia’s Privacy Act and international rules, market operators and participants would need to have “adequate arrangements to ensure the confidentiality, integrity and security of data obtained, held or used...in connection with their operations or services.”
In addition, they would have to notify ASIC in writing once aware of any unauthorised access to their critical systems, or to market-sensitive, confidential or personal data.
Operators and participants would also have to maintain records of any breaches for the subsequent seven-year period.
Following the consultation, ASIC may consider adding the new rules to its existing market integrity rules, breaches of which can result in penalties of $1 million.
ASIC has given respondents until 9 August this year to reply to the consultation, which can be found on its website.