MIU – Issue 157 – March 2024
Cyber vulnerabilities exposed by simulated attacks
Market intermediaries and infrastructure providers should ensure they have adequate access controls in place after recent simulated attacks exposed critical vulnerabilities – in particular, inadequate password management.
Together with the Council of Financial Regulators (CFR), we’ve been conducting cyber operational resilience intelligence-led exercises (CORIE) with large organisations across the financial services and markets sectors.
CORIE is a framework used to simulate realistic and coordinated cyber attacks on an organisation, based on current threats. Recent attack simulations have highlighted a concerning trend of inadequate password management, including:
- insecure storage of passwords in clear-text or other easily decoded formats
- data located on file shares and wikis easily accessible to all users
- saving credentials within third-party applications.
Many participants had improper access controls for network file shares, allowing employees across the organisation to access confidential information. These vulnerabilities enabled the attack teams to move between systems in the internal network, compromising critical business services.
Accounts with over-assigned privileges, as well as weak and recycled passwords reused across multiple accounts, allowed attack teams to gain further access within the network. In some cases, attack teams could use these accounts to escalate their level of access to domain administrator – allowing them to effectively control authentication and authorisation for confidential information and critical business services.
Properly implemented access controls and multifactor authentication can prevent unauthorised access to sensitive data or resources – restricting administrative privileges is one of the most effective mitigation strategies for ensuring the security of systems.
Market participants have an obligation under the market integrity rules to have adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used by the participant.
Act now to find out if you are using a known compromised password and take steps to strengthen your passwords. Visit the Australian Signals Directorate’s Australian Cyber Security Centre for guidance on securing accounts and multifactor authentication.
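The first two findings above (clear-text passwords in files, and file shares readable by every user) are the kind of thing an organisation can look for itself before an exercise does. The following is an added illustrative audit script, not part of this update and not CORIE or ASIC tooling; it walks a directory tree, flags files containing credential-like lines, and rates a hit higher when the file is also world-readable. It assumes POSIX file modes (a real share audit would also check the share and directory ACLs, and group memberships) and uses a constructed sample share with hypothetical file names and values.

```python
"""Added example: audit a file share for clear-text credentials and over-broad permissions.

Hypothetical defensive tool, not ASIC/CORIE code. Assumes POSIX file modes.
"""
import re
import stat
import tempfile
from pathlib import Path

# Constructed patterns for common ways credentials end up in text files.
# Each pattern captures the secret value in group 1 so it can be redacted.
CREDENTIAL_PATTERNS = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "api_key": re.compile(r"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*(\S+)"),
}


def redact(secret: str) -> str:
    """Report only the length, so the audit output is not another clear-text copy."""
    return f"<redacted {len(secret)} chars>"


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_file(path: Path) -> list:
    """Return one finding per credential-like line, with the value redacted."""
    findings = []
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"kind": kind, "line": lineno, "value": redact(match.group(1))})
    return findings


def audit_share(root: Path) -> dict:
    """Map each offending file (relative, POSIX-style path) to its hits and severity.

    A clear-text credential is 'medium'; one that any user can read is 'high',
    matching the combination that let exercise teams move between systems.
    """
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_file(path)
        if not hits:
            continue
        exposed = world_readable(path)
        report[path.relative_to(root).as_posix()] = {
            "hits": hits,
            "world_readable": exposed,
            "severity": "high" if exposed else "medium",
        }
    return report


def build_sample_share() -> Path:
    """Constructed sample share: one exposed secret, one restricted secret, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    (root / "team").mkdir()
    onboarding = root / "team" / "onboarding.txt"      # hypothetical file name
    onboarding.write_text("Backup account: svc_backup\npassword=Summer2023!\n")  # constructed value
    onboarding.chmod(0o644)                           # readable by everyone
    deploy = root / "team" / "deploy.ini"
    deploy.write_text("[api]\napi_key = EXAMPLEKEY0000\n")  # constructed value
    deploy.chmod(0o600)                               # owner only
    readme = root / "readme.md"
    readme.write_text("Nothing sensitive here. Use the vault for secrets.\n")
    readme.chmod(0o644)
    return root


if __name__ == "__main__":
    for rel_path, entry in audit_share(build_sample_share()).items():
        print(f"{entry['severity']:6} {rel_path}: {entry['hits']}")
```

Run against a real share, the high-severity entries are the ones to remediate first (rotate the credential, then fix the permission), and the script's redaction means the report itself can be circulated without spreading the secret further.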
ASX pays penalty for pre-trade transparency failure
Following our first infringement notice issued to a market operator, ASX Limited (ASX) has paid a $1,050,000 penalty for failing to comply with the market integrity rules.
We issued the notice because we had reasonable grounds to believe that ASX breached the rule requiring pre-trade transparency on 8,417 occasions between 4 April 2019 and 22 December 2022. The rule requires ASX to make certain information about orders available on its trading system. ASX failed to make that information available about orders for certain equity market products as a result of an incorrect system configuration.
This issue arose out of a failure by ASX to correctly configure certain order functionality on its trading system. The incorrect system configuration went undetected until drawn to ASX’s attention by a market participant. On at least two occasions before 22 December 2022, ASX could have, but did not, identify the issue.
In determining the penalty, we found that the consequences of the incorrect system configuration and ASX’s failure to detect and escalate for remediation were aggravating factors.
We also found there was no evidence of other losses suffered as a result of the conduct, but the damage to public confidence in the operation of the market is such that the consequences of the conduct are an aggravating factor in determining the penalty.
We believe that the circumstances giving rise to the system configuration issue were a result of carelessness rather than recklessness or intentional misconduct. Once aware, ASX took immediate steps to remedy the issue and notify ASIC.
Compliance with the infringement notice is not an admission of guilt or liability and by doing so, ASX is not taken to have contravened section 798H(1) of the Corporations Act 2001.
This outcome is separate to our investigation in relation to the ASX CHESS Replacement Program, which is ongoing.
- Read the media release
Orders sought to wind up Prospero Markets
We’ve applied to the Federal Court to wind up retail over-the-counter (OTC) derivative issuer Prospero Markets Pty Ltd (Prospero) on just and equitable grounds.
We commenced our investigation into Prospero following the Australian Federal Police’s Operation Avarus-Nightwolf which resulted in former officers and responsible managers of Prospero being charged with money laundering offences in October 2023 relating to the Changjiang Currency Exchange money remitting chain.
We have a broad range of concerns regarding the management of Prospero’s business, including in relation to compliance with its Australian financial services (AFS) licence conditions and obligations as an OTC derivatives issuer under the Corporations Act 2001.
Prospero's AFS licence was suspended in December 2023 after Prospero failed to lodge its 2023 audited financial accounts.
We understand that Prospero holds substantial client funds, and we are concerned to see these returned to clients as a priority. We consider that the best way to secure the efficient return of funds to clients is to appoint liquidators.
We’ve applied for the Court to appoint Andrew Cummins, Jonathon Keenan and Peter Krejci, of BRI Ferrier, as joint and several liquidators of Prospero.
The matter was adjourned to 10 April 2024, following a hearing in the Federal Court on 20 March 2024.
- Read the media release
Extending relief to futures markets participants from aggregate loss limits
We’ve extended relief from the aggregate loss limit requirements in the ASIC Market Integrity Rules (Futures Markets) 2017 for three more years.
ASIC Class Rule Waiver [CW 17-0251] was originally issued after it became clear that participants wouldn’t be able to comply with certain aggregate loss limit requirements in Rule 2.2.1(1) once the new ASX 24 trading platform went live on 20 March 2017. The waiver was conditional on a participant implementing appropriate processes to monitor the aggregate loss limits on each of its client and house accounts.
[CW 17-0251] was remade as ASIC Market Integrity Rules (Futures Markets) Class Waiver 2018/313 [CW 2018/313] following consolidation of the market integrity rules in 2017. In March 2020, the relief in [CW 2018/313] was extended for a further two years to allow for additional consultation with industry. This work was suspended due to the COVID-19 pandemic, and to refocus our regulatory efforts in other more critical areas. As a result, in March 2022 the relief in [CW 2018/313] was extended for a further two years.
We consider that affected stakeholders have had sufficient time to adjust to operating in the COVID-19 pandemic environment, and that it’s now appropriate for our consultation to resume. ASIC Market Integrity Rules (Futures Markets) Class Waiver Amendment Instrument 2024/131 extends the relief in [CW 2018/313] and will give participants the certainty they need, and allow us sufficient time to consult with industry about any future proposed rule changes.
Changes to OTC derivative transaction reporting
We’ve finalised minor and technical changes to the ASIC Derivative Transaction Rules (Reporting) 2024 (the 2024 Rules).
Commencing 21 October 2024, the 2024 Rules repeal and replace the current ASIC Derivative Transaction Rules (Reporting) 2022 to align with international reporting standards, consolidate transitional provisions and exemptions within the rules and ensure that the reporting requirements are fit for purpose.
ASIC Derivative Transaction Rules (Reporting) 2024 Amendment Instrument 2024/1 implements the proposed changes to the 2024 Rules set out in Consultation Paper 361a ASIC Derivative Transaction Rules (Reporting) 2024: Follow-on consultation on changes to data elements and other minor amendments (CP 361a) to:
- include seven additional data elements
- provide clarifications and administrative updates to the data elements
- make consequential changes to Chapter 2: Reporting Requirements
- make other administrative updates including re-referencing the location of definitions in the Corporations Act 2001 which have been moved by the Treasury Laws Amendment (2023 Law Improvement Package No. 1) Act 2023.
Feedback to CP 361a was broadly supportive. In response to industry requests the final changes also:
- provide for an additional circumstance where the name of Counterparty 2 isn’t reported
- change how the amount of one kind of collateral is reported.
For more information, read the Explanatory Statement and visit our derivative transaction reporting webpage.