The Australian Securities Exchange (ASX) suffered an "unprecedented" hardware failure in September 2016, resulting in the outage of its equity market.
Shortly after, the Australian Securities and Investments Commission (ASIC) identified a number of failings on the part of ASX, and made recommendations followings its initial review.
ASIC this week published an update [PDF] on ASX Group's technology governance and operational risk management standards, reporting that while the securities exchange has placed additional focus on risk over the last year, it is expected it will take up to three years to fully implement and embed all the recommendations from the initial review.
According to ASIC, ASX's practices were more comparable to those of other exchanges in the global financial market infrastructure industry, but lagged behind better practices in the broader financial services sector.
"Given the overwhelming extent to which it relies on technology to deliver its services, robust technology governance and operational risk management is central to ASX Group's effectiveness as a market infrastructure provider," ASIC wrote.
In its Review of ASX Group's technology governance and operational risk management standards, ASIC said the ASX board has placed additional focus on risk over the last year and that it has also taken steps to improve its technology governance and operational risk management, which included the appointment of several senior executives across enterprise risk and technology, as well as making changes to internal governance arrangements.
ASX has also adopted new technology and enterprise risk management plans, has commenced staff recruitment and risk management awareness training, and is in the process of identifying fit-for-purpose software tools to support these processes, ASIC reported.
The commission made additional recommendations to the ASX, which were all centred on further improving its operational and technology risk management.
"An organisation that is heavily dependent on technology to maintain its sustained success, such as ASX Group, must have effective technology governance practices in place," ASIC wrote. "Many of the findings and recommendations from the review will be relevant to other important financial sector organisations regulated by ASIC."
Where technology governance is concerned, ASIC recommends the ASX continue to consolidate all technology controls into a single register and agree ownership of controls, as well as establish a formal review cycle in addition to a self-assessment of control appropriateness and effectiveness.
ASIC said that following its initial review, it was concerned the ASX remained behind industry better practice in its broader approach to incident management.
"Even though ASX Group has taken steps to improve its approach, such as the merging and alignment of certain internal incident management processes across business lines, it still needs to make important improvements in this core area of operational risk management," its latest report says. "We have been concerned about ASX Group's approach to root cause analysis of incidents. The improvements to ASX Group's incident management system contained in the work plan will, once fully embedded, address our concerns."
As such, ASIC laid out steps to further improve the exchange's incident management, including continuing the development of a "whole-of-organisation" management of incidents and systems availability, and to develop a single source of truth with respect to IT asset criticality and system dependencies.
The ASX is currently in the process of replacing its Clearing House Electronic Subregister System (CHESS) with a blockchain-based solution.
The previous CHESS system -- which dates back to the 1990s -- is used by the ASX to record shareholdings and manage the clearing and settlement of equity transactions publicly listed in Australia.
US-based blockchain firm Digital Asset is responsible for the CHESS project, with the company building the ASX an enterprise-grade distributed ledger technology solution for core equity clearing and settlement functions.
Initially the solution was slated for go-live at the end of 2020, but earlier this month the ASX reported it was pushing back the earliest commencement date for its new CHESS system to March-April 2021.
The decision followed public consultation on the rollout of the system.
"While there was continued widespread support for delivering new scope on Day 1, respondents questioned whether the proposed implementation window of Q4 2020 to Q1 2021 was achievable given the significance of the technology change and the range of new scope being introduced," the ASX wrote [PDF] in its response to public feedback on the CHESS system.
In addition to pushing back go-live, the ASX said it will also provide an additional six months for user development and testing and extend mandatory accreditation by six months.
The ASX said the majority of those participating in consultation were supportive of, or expressed no specific objection to, the plan for a single cutover date to the new system, while a few supported a more phased implementation approach.
"ASX acknowledges this feedback, but remains of the view -- informed by previous experience transitioning critical market infrastructure systems -- that the single cutover weekend is the most appropriate solution and is lower risk than other alternatives such as running multiple systems in parallel," it said.
The exchange also recently went live with its new futures trading platform, which it said allows for low latency, better risk management, as well as for a better -- and faster -- response to customer problems.
PREVIOUS AND RELATED COVERAGE
In delivering its first-half AU$230.5 million after-tax profit, the ASX unveiled a number of tech-based projects it has in the pipeline aimed at making business easier for ASX-listed companies, as well as for its own internal processes.
After more than two years of experimenting, the Australian Securities Exchange has announced that it will be employing Digital Asset to deliver its clearing and equity settlement system.
The exchange has migrated 'mission-critical' legacy applications to Red Hat, after first deploying the company's JBoss Enterprise Application Platform in 2011.
The Australian Securities Exchange has said a hardware failure in the main database used by the system was behind a series of trading glitches.