Although cybersecurity has long been an integral part of the Australian financial sector, the idea of ‘cyber resilience’ is newer and more complicated. Instead of focusing on the tools or solutions required to protect an organisation, cyber resilience goes a step further to encompass frameworks, philosophies and applicable responsibilities.
The Australian Securities and Investments Commission (ASIC) calls cyber resilience ‘essential to all organisations operating in the digital economy.’ That is part of the reason ASIC actively enforces compliance with cybersecurity obligations.
Learn more about regulatory compliance for cyber resilience and how it impacts your firm.
An overview of the landscape
The digital world has many moving parts, which means every financial services organisation is constantly battered by forces outside its control. Here’s a closer look at how all these parts come together:
According to the Australian Cyber Security Centre’s (ACSC) most recent Annual Cyber Threat Report, there were over 76,000 cybercrime reports in 2021–22, an increase of 13% on the previous year. ACSC estimates the average cost of each report at between $39,000 and $62,000, a significant concern for businesses of every size. Perhaps that is why cybersecurity is consistently considered one of the top risks to the Australian financial system.
Regulations and regulatory change
ASIC imposes a broad regulatory framework for Australian Financial Services (AFS) licensees — one intended to protect consumer information, minimise risks and identify systemic vulnerabilities. Most regulations are built around a licensee’s responsibility to detect, address and report certain events or breaches. While the main goal is to protect consumers, compliance also ensures that financial firms themselves are safer and better prepared to navigate a fast-moving digital environment.
However, one of the most significant challenges in maintaining cybersecurity compliance is keeping up with regulatory change. ASIC and other organisations constantly release updates that can have significant impacts on day-to-day processes, reporting requirements and more — and if your firm fails to adhere to even one change, you could face enforcement action (including serious financial penalties).
The risk of falling behind
One AFS licensee, RI Advice, was recently ordered to pay $750,000 towards ASIC’s costs after the Federal Court found that it had breached its obligation to have adequate cybersecurity risk management systems in place. The organisation was also required to engage a cybersecurity expert to review and remediate its controls. The judgement rested on a range of shortcomings, including outdated antivirus software, inadequate system backups and poor password practices.
At the time, this was called ‘an Australian first.’ However, as ASIC regulations grow more stringent and regulatory change continues to accelerate, noncompliance with such requirements will likely put more firms in the spotlight for fines, fees, licence action and more.
Although ASIC doesn’t ‘prescribe technical standards’ or ‘provide specific requirements for individual licence-holders,’ the organisation does include cyber resilience and risk management in its AFS licence obligations. ASIC has provided some essential resources for AFSL holders including:
- Access to the Cyber Pulse survey to help firms assess their cyber resilience.
- Key questions for your board to consider.
- Good practices for cyber resilience.
For AFS licensees, ASIC requires your firm to assess the risk of cyber attacks and apply the controls necessary to minimise those risks. This means you are wholly responsible for doing everything necessary, including interpreting regulations, keeping up with changes and updating all affected documents and policies as soon as possible. If you fail to uphold this responsibility, you could face civil and financial penalties.
Next steps for your firm
To avoid stumbling into the same expensive pitfall as RI Advice, it’s crucial for your firm to follow all relevant guidelines and stay on top of regulatory change. Here are a few steps recommended by ASIC:
#1: Understand the risks
Although you have a responsibility to take action and protect consumers, you must also understand why these steps are so important. This isn’t just to ensure that you implement them properly; it’s also to help proactively identify and eliminate other risks, vulnerabilities or shortcomings.
#2: Don’t let risk management stagnate
Cybersecurity risk management goes far beyond using up-to-date antivirus software, strong backups and sound password practices, although those habits could have spared RI Advice its costly court outcome. To fully comply with ASIC’s obligations, you must also continuously improve your cybersecurity measures and regularly reassess both your risks and your preparedness.
#3: Move quickly and proactively
Many ASIC requirements prioritise proactive measures to protect your firm and consumers from cyber threats. However, it’s impossible to completely eliminate cybersecurity risks — so in the event of a breach or other suspicious activity, ASIC requires you to act quickly in detection, mitigation and response measures.
#4: Report relevant incidents
Should your firm experience a cyber incident, meet every applicable reporting requirement promptly and completely, particularly those ASIC imposes. ASIC also encourages you to report such events to ACSC.
#5: Unify your approach
Disjointed and unintegrated regtech won’t help keep you or your consumers protected from cybercrime. Instead, use an all-in-one solution like RegsWeb to visually connect your processes and policies to official regulatory documentation. This helps you keep up with regulatory change, improve your cybersecurity approach and stay compliant at the same time.
Ready to strengthen your cyber resilience? Contact us today to see how MIntegrity and RegsWeb can keep you compliant and therefore secure.