Cyber Awareness for AFSL Holders and Investment Managers
What should a company Board understand about cyber security?
Boards, Responsible Managers and Compliance Managers of Australian Financial Services Licence (‘AFSL’) holders need to be aware of the emerging challenges and opportunities regarding cyber security.
The leaders of the business should be building awareness of cyber risks to their funds and investment management businesses.
ASIC has been active in supporting AFSL holders by providing guidance on emerging cyber issues. A recent ASIC guidance note called Cyber Resilience Good Practices provides a good starting point for Boards, Responsible Managers and Compliance Managers of AFSL Holders.
I’ve broken down the eleven key points provided by ASIC to assist AFS Licensees to navigate the cyber awareness space.
1. Board responsibility
Cybersecurity is a Board responsibility that should be regularly assessed by the Board with the assistance of management and the regular cyber assessment documented in compliance and Board papers. Under s912A of the Corporations Act, the licensee should at all times show that it has sufficient technological resources to carry out its obligations under the AFSL.
2. Alignment with overall governance framework
Overall cybersecurity should be aligned with AFSL risk management policies and procedures. This means that documented cyber strategies, principles, policies, rules and procedures are in line with the overall AFSL governance framework.
3. Cyber risk management and third party experts
Cybersecurity should be supported by third-party experts who can assist the AFSL holder with regular cyber risk awareness training and penetration testing. These experts should be engaged using a robust management services agreement and reviewed regularly.
Penetration testing is becoming a regular security exercise for AFSL holders where cybersecurity experts simulate attacks to identify vulnerabilities in the AFSL holder’s IT infrastructure, applications, or processes. By simulating the tactics of malicious actors, penetration testers uncover weaknesses that could be exploited by real attackers, allowing organisations to strengthen their IT defences based on the feedback provided by the cybersecurity experts.
4. Third-party risk management
In an AFSL setting, AFSL holders need to be able to define their risk appetite regarding third-party suppliers and identify the risks relevant to their business. This definition of risk appetite is critical to ensuring the AFSL holder can put in place risk management mitigants that are appropriate to the nature, scale and complexity of its business. Larger customers of AFSL holders will generally have higher third-party standards. As funds management businesses grow and their clients become more institutional, third-party suppliers and partners should be regularly assessed to confirm compliance with the security standards required by those institutional clients.
5. Collaboration and information sharing
AFSL holders may seek to use the services of their third-party IT experts, who can assist the AFSL holder in undertaking regular security monitoring and assessments and, where appropriate, share the findings of this monitoring with the relevant Federal authorities such as the Australian Cyber Security Centre. Collaboration from a cyber security perspective is characterised by confidential information-sharing arrangements with other financial institutions, security agencies and law enforcement.
6. Asset management
The AFSL holder should discuss with its third-party IT experts how inventories of hardware, software and data, both internal and external to the organisation, should be managed. ASIC generally expects that the effective management of organisational assets is characterised by centralised management systems for critical internal and external assets such as software and data. Configuration management is important for ensuring there is visibility of critical assets across the organisation, and for managing software versions and security patches.
7. Cyber awareness and training
The AFSL board should consider how its compliance strategies are based on a program of continuous development of knowledge and awareness as the AFSL holder grows its business. There is recognition from the regulator that effective cyber resilience requires a strong ‘cultural’ focus driven by the AFSL holder Board and reflected in organisation-wide programs for staff awareness and education. Through ongoing vigilance, directors and staff become an effective defence against malicious cyber activities by preventing incidents arising, for example, from attempted phishing attacks.
8. Proactive measures and controls for cyber risks
Proactive measures and controls for cyber risks are characterised by implementation of the Australian Signals Directorate’s (‘ASD’) Strategies to mitigate targeted cyber intrusions. The ASD has released the ‘essential eight’ strategies to mitigate targeted cyber incidents. In an AFSL setting, the AFSL holder may seek to institute the mitigation strategies that constitute the ASD ‘essential eight’:
1) patch applications
2) patch operating systems
3) multi-factor authentication
4) restrict administrative privileges
5) application control
6) restrict Microsoft Office macros
7) user application hardening
8) regular backups.
As ASIC refers to the ‘essential eight’ in its current cyber security guidance, AFSL holders should assume that ASIC expects them to incorporate the ‘essential eight’ into their proactive measures and controls for cyber risks.
9. Detection systems and processes
Good practices relating to detection systems and processes are characterised by the use of enterprise-wide continuous monitoring systems and the use of data analytics to integrate threat sources in real time. For example, continuous monitoring systems are implemented to monitor events on the organisation’s network and systems using Security Information and Event Management (‘SIEM’) technologies. The AFSL holder should consider, in conjunction with its third-party experts, how to employ continuous monitoring systems using SIEM technologies to assist with cyber detection, and should include the provision of detection systems and processes as part of the service level agreement between the AFSL holder and the IT service provider.
10. Response and recovery planning
Response planning for cyber risk is different from standard business continuity planning because the scenarios are not as predictable, in part due to the speed at which the sophistication levels of attacks are changing and the range of actual threat sources. ASIC has reported that good practices they have observed in the financial services industry include routine and detailed scenario planning, war gaming, proactive reporting to the board and well-developed communication plans. For example, proactive reporting to the board involves reporting of changing and emerging cyber threats and the countermeasures in place by the AFSL holder.
11. Recovery planning
Recovery planning involves the execution of a previously designed strategy that outlines the organisation’s IT recovery and how the organisation is going to respond to a cybersecurity incident. The AFSL holder should have a plan that focuses on safeguarding critical IT systems and data to ensure business continuity and compliance in the event of a disruption. These strategies could form part of the service level agreement between the AFSL holder and the external IT service provider and also be included in the AFSL holder’s policies and procedures.
Conclusion
The AFSL holder’s Board is responsible for cyber resilience.
ASIC guidance suggests that boards should take ownership of cyber strategy and ensure the strategy is reviewed on a periodic basis to assess progress against the success measures outlined in the firm’s overall IT strategy. The ownership of cyber strategy should also be supported by a qualified Responsible Manager.
Many AFSL Boards we see do not have a Director or Responsible Manager who is a knowledgeable IT governance professional.
If you are a board that is not as familiar with cyber resilience as you would wish, please contact me to discuss how I can assist your board with regular reporting and review of your IT strategy to maintain compliance of your AFSL.
https://www.andrewsmcneil.com/