Report 429 – Cyber Law Watch

APRA raising the bar on Cybersecurity

Dec 01 2015

At the Association of Superannuation Funds of Australia (ASFA) conference held in Brisbane in the last week of November, Stephen Glenfield, APRA’s General Manager of the South West region indicated that an area of significant interest for APRA during 2016 would be the extent to which superannuation funds were prepared for cybersecurity risks.

Mr Glenfield indicated that APRA would be conducting a thematic review of superannuation funds during 2016 which was designed to provide APRA with much more detailed information about the processes that superannuation fund trustees were putting in place to protect their funds and their members from cybersecurity breaches.

As thematic reviews carried out by APRA are usually precursors to further regulatory or prudential reform, this announcement should alert superannuation funds to expect more comprehensive regulatory requirements in relation to the cybersecurity risks in the near future.

It is expected that APRA will be particularly interested in understanding how superannuation fund risk management frameworks address cybersecurity risks and how trustee boards are involved in the oversight of cybersecurity risk management. A likely focus of the reviews will be investigating the measures which superannuation funds have established to:

identify critical assets and data
protect such assets and data
promptly detect when breaches have occurred
respond to breaches including communications and reporting
recover from breaches including reinstatement of systems and learnings from incidents.

This initiative comes on the back of ASIC’s release during March of this year of its Report 429 on Cyber Resilience and underlines how Australia’s financial system Regulators are becoming much more concerned about cybersecurity risks.

Cybersecurity Risk Management – Financial Services Entities Required to Act

Oct 20 2015

By Jim Bulling

It seems clear following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are currently required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.

In addressing the risks ASIC recommends that the U.S. National Institute for Standards and Technology (NIST) framework is a relevant risk management tool. The NIST standards set out the key objectives of an appropriate risk framework:

identify the critical assets and governance processes
protect critical assets
detect breaches and incidents
responses to breaches and incidents
recovery and reinstatement of systems.

You can download a copy of the framework here

These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.

Cyber Resilience for Financial Services Entities

May 20 2015

by Jim Bulling and Julia Baldi

ASIC Report 429
In March this year, the Australian Securities and Investments Commission (ASIC), issued Report 429 Cyber resilience: Health check (REP 429). The report aims to highlight the importance of cyber resilience for entities regulated by ASIC, including Australian Financial Services Licence holders, Australian Credit Licence holders and listed entities. The Report indicates that ASIC is keen to ensure that Australia keeps pace with developments in Europe and the United States in combatting cybersecurity risks.

Click here to read the full article.

Tag:Report 429