Corporate regulator introduces fresh rules in drive to strengthen governance and bolster technological resilience.

Earlier this month, ASIC introduced the ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74 (the Amendment Instrument), which amends the ASIC Market Integrity Rules (Securities Markets) 2017 and the ASIC Market Integrity Rules (Futures Markets) 2017 (together, the Rules). Further background on the amendments may be found in Report 719: Response to submissions on CP 314 Market integrity rules for technological and operational resilience.

The Rules will commence on 10 March 2023 and:

  • introduce additional obligations on market participants and operators in relation to technological and operational resilience;
  • reinforce the broader regulatory focus on deterring inadequate systems and operational governance and controls (for example, ASIC’s ongoing litigation against RI Advice Group Pty Ltd – see our legal briefing on that here);
  • seek to create greater alignment with international standards and other domestic standards; and
  • add to existing requirements on entities in respect of information security and operational resilience, such as APRA’s Prudential Standard CPS 234: Information Security.

What are the key changes under the Rules?

  1. Market participants and operators must establish business continuity plans to respond to major events that have the potential to cause significant disruptions to operations or materially impact their services. This includes pandemics, natural disasters, cyber-attacks or power failures. Business continuity plans are to be reviewed and tested annually at a minimum and each time there is a material change.  
  2. The Board or senior management must have overall oversight of business continuity plans (a shift following consultation from ASIC’s initial proposal that the Board and senior management have oversight).
  3. Market participants and operators must have adequate arrangements to identify, assess, manage and monitor risks to ‘ensure the resilience, reliability, integrity and security of [their] Critical Business Services.’ Critical Business Services is broadly defined as ‘functions, infrastructure, processes or systems which in the event of failure to operate effectively, would or would be likely to cause significant disruptions to operations or materially impact services.’ A failure of a critical business service does not automatically mean a market participant or operator has failed to have adequate arrangements.
  4. Market participants and operators must have adequate arrangements and controls in place to ensure confidentiality, integrity and protection of information. This includes recovery backup systems. Records must be maintained for at least seven years following an event of unauthorised access.
  5. Outsourcing arrangements involving a third party provider either providing, operating or supporting Critical Business Services are regulated by the Rules. Due diligence must be conducted to ensure that the third party provider has the ability and capacity to provide the services effectively. The performance of the third party provider must be monitored to ensure that the services covered by the outsourcing arrangement are being provided and that the third party has the ability and capacity to continue to provide effectively the services over the duration of the arrangement. Conflict management systems must also be in place for outsourcing arrangements.  
  6. Trading controls (market operators only). A market operator is required under the Rules to have trading controls in place, including automated controls, enabling immediate suspension, limitation or prohibition of the entry by a market participant of trading messages where required for the purposes of ensuring that the market is fair, orderly and transparent. 
  7. Notification obligations. There are a range of notification obligations:
    • Major events. Both market participants and operators must notify ASIC immediately upon becoming aware of a major event. This includes natural disasters, cyber-attacks, power failures or the failure of or disruption to a Critical Business Service (including one operated by a third party provider).

      Within seven days after the notification of a major event or an unexpected disruption, the notifier must provide a written report to ASIC detailing the circumstances and steps taken to manage the major event or unexpected disruption. 
    • Unauthorised access or use. Market operators must also notify ASIC, in writing as soon as possible, and no later than 72 hours, after becoming aware of unauthorised access or use of their Critical Business Services that impacts their operation, or results in unauthorised access or use of market-sensitive, confidential or personal information.
    • Unexpected disruptions. Market operators must also notify ASIC immediately upon becoming aware of an unexpected disruption to the usual operation of a Critical Business Service that may interfere with the fair, orderly or transparent operation of any market.

Comparison with APRA standards

It may be that market participants need to comply with both the Rules as well as the existing obligations in APRA Prudential Standards CPS 231 (Outsourcing), 232 (Business continuity management) and 234 (Information Security) to the extent they are APRA regulated entities (such as banks and insurers). We have provided a short overview of some of the key differences below.

Topic: Application to entities
  Rules: Apply to market participants and operators only.
  APRA standards: Apply to APRA-regulated entities such as ADIs, general insurers, life companies, private health insurers and RSE licensees.

Topic: Incident management and business continuity plans
  Rules: Business continuity plan required.
  APRA standards: Business continuity plan required as well as an incident management plan.

Topic: Governance
  Rules: Market participants and operators must have appropriate governance arrangements and adequate financial, technological and human resources in place to comply with the Rules. Oversight of business continuity plans is required from the board or senior management.
  APRA standards: The board of an APRA-regulated entity is ultimately responsible for:
    • information security;
    • outsourcing of material business activities; and
    • business continuity planning.

Topic: Critical business services and critical business services arrangements
  Rules: Market participants and operators must identify and assess Critical Business Services.
  APRA standards: Identification of material business activities (which is framed in similar terms to Critical Business Services) must occur for outsourcing arrangements.

Topic: Outsourcing arrangements to third parties
  Rules: Market participants and operators must have in place adequate arrangements to identify and manage conflicts of interest and to comply with the Corporations Act and the Rules in relation to outsourcing arrangements. This includes that arrangements with third party providers ensure resilience, reliability and security of Critical Business Services, ensure confidentiality and deal with major events.
  APRA standards: Entities must:
    • maintain a policy;
    • have monitoring processes in place to manage the outsourcing of material business activities;
    • consult with APRA prior to entering into agreements to outsource material business to service providers that conduct their activities outside Australia; and
    • notify APRA after entering into agreements to outsource material business activities.

Topic: Information asset identification and classification
  Rules: Information and information technology assets must be identified, including software, hardware and data, together with an assessment of how integral the information assets are to operations and services.
  APRA standards: Information and information technology assets, including software, hardware and data, must be identified and classified by criticality and sensitivity.

Topic: Controls
  Rules: Controls (including automated controls) designed to identify and prevent unauthorised access to information assets must be implemented.
  APRA standards: Information security controls must be in place to protect information assets.

Topic: Reporting obligations
  Rules: Market participants and operators must notify ASIC immediately upon becoming aware of a major event. Market operators must also notify ASIC immediately upon becoming aware of an unexpected disruption to the usual operation of a Critical Business Service that may interfere with the fair, orderly or transparent operation of any market.
    Within seven days after the notification of a major event or an unexpected disruption, a written report must be provided to ASIC detailing the circumstances and steps taken to manage the major event or unexpected disruption.
    Market operators must also notify ASIC, in writing as soon as possible, and no later than 72 hours, after becoming aware of any unauthorised access to or use of:
    • their Critical Business Services that impacts their operation or the delivery of those services, or
    • market-sensitive, confidential or personal information.
  APRA standards: An APRA-regulated entity must notify APRA as soon as possible, but no later than 72 hours after becoming aware of an information security incident.
    Notification must also occur no later than 10 business days after becoming aware of a material information control weakness which the entity expects will not be able to be remedied within a timely manner.

What is next?

It will be important for market participants and operators to ensure that steps are being taken to implement the new obligations under the Rules in time for their commencement on 10 March 2023.

ASIC has foreshadowed that regulatory guides will be updated to provide guidance on the amendments and expectations on how these apply in practice: specifically Regulatory Guides 265 (Guidance on ASIC market integrity rules for participants of securities markets), 266 (Guidance on ASIC market integrity rules for participants of futures markets) and 172 (Financial markets: Domestic and overseas operators).

During the course of this year, APRA plans to consult on enhanced requirements for operational risk management (including minimum expectations for systems, controls and remediation, business continuity and arrangements with third parties). It is intended that the new Prudential Standard CPS 230 (Operational Risk Management) will update and replace existing requirements in CPS 231 and 232, and the equivalent superannuation standards. APRA expects CPS 230 to come into effect from 2024.

Key contacts

Luke Hastings, Partner, Sydney
Peter Jones, Partner, Sydney
Andrew Eastwood, Partner, Sydney
Christine Wong, Partner, Sydney
