New Regulations for the Securities Market
As securities markets have become increasingly dependent on technology and automated systems, cyber security and resilient systems have become key concerns in the financial marketplace. The presence of cyber criminals, recent high-profile system failures, and broader concerns related to cyber security and system resiliency have exposed system vulnerabilities with major impact on market participants.
The local response has been the development of a Cyber Security Strategy, released in April 2016, which sets out the Government’s philosophy and program for meeting the dual challenges of the digital age: advancing and protecting interests online. This was accompanied by a new $230m cyber security package for measures ranging from the establishment of Joint Cyber Threat Centres to ‘health checks’ for the top 100 ASX-listed companies.
In the US, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have each introduced new regulations, strengthening existing guidelines and establishing new safeguards for the systems of financial market infrastructure organisations. Compliance with these regulations requires significant effort in order to amend policies, processes and controls, and to implement enhanced testing protocols.
In addition to cyber security and resiliency, the regulations also include requirements to enhance business continuity, disaster recovery, availability and system uptime. Both aim to strengthen the first line of defence through enhanced controls, to raise the level of information technology (IT) governance, and to impose more robust testing requirements, many of which must be performed by independent parties.
While these regulations are not currently applicable to Australian companies, they are considered to be an indicator of future requirements and best practices.
Key areas of focus
- Scoping of systems is a critical component of compliance. The decision process involved in the classification of systems should be based on a thorough analysis and clearly documented. The risk assessment that is performed should be a key input into this process, and individuals at the appropriate levels within the organisation should be involved. One key consideration is how systems are logically or physically segregated, and how potential intruders could move amongst systems.
- In cases where an organisation has outsourced systems, those systems should be treated as if they were internal, with the appropriate level of monitoring performed on the service provider. There should be clear lines of responsibility between the organisations to ensure compliance with internal and external policies and regulations.
- An independent third party is a necessity for many of the testing requirements. An outside organisation can also provide several additional advantages to help ensure compliance. The right provider can seamlessly integrate requirements into existing compliance programs, perform gap assessments in a timely manner to allow for remediation efforts and assist with interpretations of regulations and best practices.
- From a testing perspective, an experienced provider can work with the risk functions (compliance, internal audit, etc.) to leverage testing work performed on a periodic basis. This provides the benefit of reducing the impact on control owners and reduces the cost of the annual testing, while still demonstrating to the regulators, and market, that an independent third party performed the review.
SEC regulation
The new requirements apply to any computer, electronic, technical, automated or similar system, with respect to securities, that directly supports trading, clearance and settlement, order routing, market data, regulation or surveillance. This includes all layers of technology.
- Policies and procedures: implement written policies and procedures covering several elements of system operation, system compliance with legislation, and the identification of responsible personnel.
- Systems classification: classify systems based on their function and the level of risk associated with them. This designation drives the requirements for each system.
- Events: once an event (i.e., system disruption, system compliance issue, system intrusion) is identified, there is a requirement to take corrective action, notify the regulator and in some cases, disseminate information.
- Reporting system changes: on a quarterly basis, the regulator must be provided with a report describing past, present and future material changes to any key system. Reports must indicate dates of commencement and completion (or proposed dates), as well as the nature of the changes to the system.
- Business continuity and disaster recovery: conduct a business continuity and disaster recovery test at least once per year. Designate participation and coordinate the test on an industry- or sector-wide basis with other related entities.
- Compliance testing: conduct an independent review of all key systems on a regular basis. These tests must meet two distinct requirements—perform a risk assessment, and conduct an assessment of internal control design and operating effectiveness.
- Penetration testing: perform independent penetration testing every three years.
CFTC system safeguards regulation
Organisations are required to report on testing protocols, provide results to senior management and the board of directors, and establish and follow appropriate procedures for the remediation of issues which conflict with the regulatory requirements.
Organisations must implement a thorough testing framework that includes:
- quarterly vulnerability testing, with at least two quarters per year performed by an independent party
- annual penetration testing performed by an independent party
- controls testing at least every two years, performed by an independent party
- annual security incident response plan testing, performed by internal or external resources
- annual enterprise technology risk assessments, performed by internal or external resources.
The Exchange Proposal portion of the proposed rule adds enterprise risk management (ERM) and governance to the list of required categories of system safeguards-related risk management and oversight. As proposed, the ERM and governance requirements include, but are not limited to, five areas:
- assessment, mitigation and monitoring of security and technology risk
- capital planning and investment with respect to security and technology
- board of directors and management oversight of system safeguards
- IT audit and controls assessment
- remediation of deficiencies.
Organisations must act quickly to identify and address areas of heightened risk, particularly with regard to technology and automated systems, given the level of reliance placed on them. A qualified third party is a key asset, allowing companies to achieve compliance and helping to satisfy necessary external testing requirements, while also providing greater insight to reduce costs and improve the overall risk environment.