The Australian Securities Exchange (ASX) has been given until the end of the year to come up with a “comprehensive” plan to upgrade end-of-life software and hardware in its clearing and settlement facilities.
The deadline was set by the Reserve Bank of Australia (RBA) in an annual assessment of key ASX systems that enable market operations.
A “semi-annual” system and operational risk assessment by the ASX on “selected” critical systems “consistently identified … software currency and hardware age” as “areas of concern”, according to the latest RBA report, released yesterday.
“When software reaches end-of-life, vendor support, updates and security patches may cease to be available, raising security and operational concerns,” the RBA wrote.
“Aged hardware can also lead to problems with system processing and capacity. Maintaining appropriate controls for such systems is resource intensive.
“While ASX has recently developed programs to address some of the problems of ageing assets in ASX Clear and ASX Clear (Futures), they do not include funded and prioritised remediations for all critical systems.”
The RBA declared the ASX’s approach to be “insufficient to fully ensure resilient, secure and operationally reliable systems.”
“The bank expects ASX to take steps to ensure that this ongoing risk is better managed in future,” it wrote.
It gave the ASX until December 31 to create a “comprehensive” remediation roadmap, with timelines, milestones, dependencies and prioritisation all mapped out.
The RBA said it also expected the ASX to use “short-term controls” to mitigate risk in the interim.
The Reserve Bank also said it had provided “a detailed assessment of ASX’s cyber resilience” to the markets operator.
Scant details were provided, though the RBA said it would work with the Australian Securities and Investments Commission (ASIC) to supervise changes made to cyber security strategy.
The ASX said it will implement the RBA’s recommendations.