ASIC warns AFSLs of cyber-attack risk

Australian Financial Services Licensees (AFSLs) are being urged to ensure they meet their cyber-security obligations following the release of the Australian Securities and Investments Commission's (ASIC's) Cyber resilience: Health Check report.

ASIC chairman, Greg Medcraft, warned AFSLs that cyber-attacks posed a "major risk" to the financial services sector.

"The electronic linkages within the financial system mean the impact of a cyber-attack can spread quickly—potentially affecting the integrity and efficiency of global markets, and trust and confidence in the financial system," he said.

"This report outlines some ‘health check prompts' to help businesses review their cyber resilience—including flagging relevant legal and compliance requirements, particularly on risk management and disclosure.

VIEW ALL

View all

"We encourage businesses, particularly where their exposure to a cyber-attack may have a significant impact on financial consumers and investors or market integrity, to consider using the United States' NIST Cybersecurity Framework to manage their cyber risks or stocktake their risk management practices."

The report stated that AFSLs were required to "explicitly identify the risks" they face and have measures in place to mitigate or avoid those risks.

ASIC said it expected AFSLs to ensure their risk management systems will:

• be based on a structured and systematic process that takes into account your obligations under the Corporations Act;
• identify and evaluate risks faced by your business, focusing on risks that adversely affect consumers or market integrity (this includes risks of non-compliance with the financial services laws);
• establish and maintain controls designed to manage or mitigate those risks; and
• fully implement and monitor those controls to ensure they are effective.