The Australian Securities and Investments Commission (ASIC) has made a case to be part of the inner circle of agencies privy to intelligence about active cyber incidents, after finding itself excluded during a recent incident response.
The financial watchdog said it has held “bilateral discussions” with the Australian Signals Directorate, and engaged Home Affairs, to advance its case for a “high-level information-sharing arrangement”.
ASIC said it wanted to be kept abreast of incidents that involve an entity it regulates, “or a key service provider to the financial services and markets sectors”.
It was an incident response involving a regulated entity’s use of a third-party service provider that exposed ASIC’s lack of access to information.
“The affected entity (and the government agencies with which the identity of the vendor was shared) were not permitted to voluntarily share the name of the impacted vendor with ASIC, even as a matter of urgency,” the watchdog said in a parliamentary submission.
“At the time, ASIC had substantial concerns that the third-party service provider may pose a systemic risk to Australia’s financial services sector.”
The risk did not eventuate, but ASIC said the incident “highlighted the shortcomings in available mechanisms to support information sharing that enables appropriate consequence management by ASIC.”
The commission backed a proposal in the government’s recent cyber security strategy to create a mechanism that encouraged threat intelligence to be shared but limited the ability of recipients to use the intelligence against the sharer.
“The obligation would prevent ASIC from using the information as part of any investigation or enforcement action,” it said.
“Importantly, enforcement action is not the reason we are seeking access to this information.
“Our intention is to seek this intelligence to manage the broader impacts of a cyber incident on Australia’s financial system.
“We urge the development of an effective and timely information-sharing mechanism that facilitates proactive intervention aimed at minimising the harm of a cyber incident on consumers and the broader financial system.”