ASX is consulting on new disaster recovery, business continuity and cyber resilience requirements for clearing and settlement participants.
ASX (the Australian Securities Exchange) is proposing guidance note changes that will impose new business continuity and cyber resilience requirements on clearing and settlement participants.
The guidance notes set out ASX’s expectations of the resources and processes that must be in place before it will admit an entity as a participant to clearing and settlement facilities.
Under Guidance Note 1, participants are required to have a risk management framework in place for identifying and managing or mitigating the risks they will face as participants, including market risk, liquidity risk, counterparty risk and operational risk.
The latest revision to Guidance Note 1 also makes explicit reference to cyber risk. ASX expects, however, that existing risk management frameworks should already be designed to identify, manage and mitigate cyber risk, and that the revision is therefore unlikely to impose any material compliance burden on participants.
ASX also proposes amendments to Guidance Note 10, which specifies the minimum disaster recovery and business continuity arrangements participants should have in place to meet their obligations under the operating rules.
Among the key amendments are requirements for participants to:
- maintain up-to-date, high-level diagrams representing the current and future states of the technology and communications infrastructure used to conduct ASX operations;
- maintain proper records of key clearing and settlement systems and technology; and
- have a clearly defined system and technology replacement policy which includes a process to identify and manage ageing clearing and settlement infrastructure.
ASX also proposes to require participants to maintain detailed records of disruptions impacting clearing and settlement operations, which may be used to demonstrate compliance with their obligations. The proposals also specify the recovery times ASX expects for participants to resume business operations following a disruption.
To avoid disruption to a participant’s clearing and settlement operations, ASX proposes that participants should have, and comply with, change management policies and procedures that ensure any changes to clearing and settlement operations are thoroughly assessed, tested and authorised – with appropriate disaster recovery and roll-back arrangements in place – before they are implemented.
Participants should also establish a framework to ensure they are made aware of all system and infrastructure changes initiated by vendors or service providers that may impact their clearing and settlement operations.
Participants will also be required to allocate overall responsibility for disaster recovery and business continuity to a nominated business continuity officer, who must be a senior member of the management team.
Disaster recovery and business continuity arrangements should be reviewed periodically by the compliance function, an internal or external auditor, or another party independent of the business unit primarily responsible for overseeing the preparation, review, updating and approval of those arrangements.
ASX does not currently intend to impose prescriptive cyber resilience requirements, but instead proposes to require participants to align their cyber resilience arrangements with one or more of the latest global or national cyber security standards and guidance. Feedback is specifically sought on this area.
A 6-month transition period after the publication of the guidance notes will be allowed for compliance with all obligations.
Submissions on the consultation paper are due by 3 May 2019.