Compliance & Cyber Security: 2023 Wrap Up & 2024 Look Forward

In Brief

As we kick off 2024, we know one thing for sure, the regulatory landscape in Australia continues to evolve. This update aims to keep you informed about key developments from 2023 and share our approach for navigating the compliance & Cyber Security landscape in 2024.

2023 Regulatory & Market Landscape

Cyber Security

• The Medibank and Optus data breaches from earlier in the year set the tone for the broader business community’s approach to Cyber Security. The recent attacks on St Vincents and the Victorian Counts further emphasis the need for vigilance. Government and regulators responded with legislative reforms including consulting on gaps in existing laws to strengthen security of critical infrastructure legislation; reforms to privacy legislation; and an expansion of the Australian Government Digital ID System.
• The Government also released their 2023-2030 Australian Cyber Security Strategy and accompanying Action Plan. The documents outlined the threat environment and opportunities for business to strengthen their cyber posture described as the “6 Cyber Shields”.
• The Australian Signals Directorate (ASD) released their Annual Cyber Threat Report 2022/23. The document provided an overview of trends based on the ASD’s response to Cyber incidents during 2023.

Compliance

• Regulators were also active during the period. The Australian Securities & Investments Commission (ASIC) continued to deliver on its Corporate Plan further ensuring market adherence to the Product Design and Distribution Obligations (DDO). BoardRoom engaged with ASIC on their market surveillance as clients began to receive notices to produce documents. BoardRoom also worked with a number of clients to update their online applications during the year in response to ASIC’s “best practice observations”.
• IDR Reporting commenced in 2023 with some BoardRoom clients expected to report during 2024. BoardRoom has engaged with its service providers to update our complaints capturing tools to record data consistent with the IDR Reporting Handbook and will be able to assist those clients due to report by 29 February 2024. BoardRoom will also provide training to ensure staff accurately capture and store information.
• ASIC made changes to Breach Reporting (ASIC RG 78) requirements clarifying the circumstances in which licensees may group multiple reportable situations and additional guidance for licensees.
• The Attorney General’s department has made clear that there will be changes to Australia’s AML/ CTF Regime to bring Australia in line with its international peers. The changes are intended to make the rules for regulated industries easier to follow; and extend the regime to perceived high risk professions including lawyers, accountants, trusts and company service providers, real estate agents etc.

Emerging Themes

Digital Technology and Data

The advancements in Australia’s payments sector (e.g. New Payments Platform, QR codes, PayTo, and the inclusion of “write access” in the Consumer Data Right (CDR) regime) necessitate compliance oversight to ensure investors are protected and client data remains secure. We are closely monitoring these changes to ensure that our registry operations align with evolving regulations and industry standards, and to support our clients in navigating these changes.

Legislation, Regulation and Enforcement

Recent enforcement actions by ASIC, APRA, and AUSTRAC, especially concerning AML/CTF failures, underscore the necessity for robust compliance structures within financial institutions. As a registry, we are keenly aware of the need for clear accountability frameworks to facilitate responsible decision-making and problem resolution. Our role involves not just adhering to these standards but also assisting our clients in understanding and implementing effective accountability frameworks. This includes regular updates, monitoring, and alignment with business capabilities and the latest industry standards.

BoardRoom’s Approach

Cyber Security

BoardRoom is responding to the changing Cyber Security landscape.

We continue to monitor for changes to legislation or regulation that may impact our clients. We continue to provide input into consultations and are part of various working groups to ensure engagement with our peers and the industry more generally. During 2023, BoardRoom responded to three consultations across managed investment schemes; future of ASX Managed Fund Settlement Services; and modernising the AML/ CTF regime.

Over the past 12 months BoardRoom made the following improvements to our Cyber Security settings:

• Prioritise the adoption of secure-by-design and secure-by-default products in procurement processes, and closely scrutinise the security controls of any new software, hardware, or Operational Technology before it is purchased (as well as the vendor’s approach to patching and ongoing security).
• Regularly test Cyber Security detection, incident response, business continuity and disaster recovery plans. This includes practicing cyber incident response plans (e.g. via table top exercises) and treating a cyber incident as a ‘when’ not ‘if’ scenario in risk and business continuity planning.
• Implement robust Cyber Security measures for remote work solutions and conduct regular audits. Verify adherence to policies ensuring secure system usage, legal compliance, and protection of sensitive data.
• Train staff on Cyber Security matters, including by ensuring individuals implement good cyber hygiene practices such as enabling multi-factor authentication (MFA), utilising strong and unique passphrases, staying vigilant against phishing and scams, and reporting potential cybercrime incidents promptly.
• Confirm that operational technology and IT systems are, or can be, effectively segmented to prevent attackers from moving laterally between networks and reduce the risk of service interruptions during cyber incidents.

In keeping with this approach, BoardRoom became a Network Partner of the Australian Cyber Security Centre; introduced 2FA across all our external portals; and secured accreditation under ISO 27001.

ISO 27001 – Information Security Management System (ISMS)

The process of achieving ISO 27001 certification involved rigorous evaluation that scrutinized every facet of our ISMS, platform, and technical architecture. The successful certification is a testament to the dedication and commitment of the BoardRoom team, who continuously strive to uphold the highest standards of data security.

ISO 27001 is an internationally recognised standard that sets out the requirements for an organisation’s ISMS. It establishes, implements, and maintains a robust approach to managing information security and provides specific measures for the protection of important data, such as financial information, intellectual property, and personal data of employees, clients, and our users.

Being ISO 27001 certified means we’ve been independently verified to have best-in-class cyber security measures. This certification ensures our adherence to a comprehensive set of standards governing data security and confidentiality, legal compliance, and operational reliability.

Financial Crime Compliance

AML/CTF compliance was a focus area for regulators in 2023 and as we await the 2nd consultation paper on the reforms in this area, we expect it will continues to be a focus area in 2024. BoardRoom has updated its systems and to get ahead of the expected regulatory reforms in this area including:

• The introduction of a premium transaction monitoring tool represents a substantial uplift to existing transaction monitoring capabilities and demonstrates BoardRoom’s continued commitment in this space. The tool includes an additional 9 new reports bringing a broader scope to our client’s transaction monitoring capabilities. We have integrated 10 new data points into each report, ensuring a more comprehensive analysis of our client’s investor transactions. Special attention to high-risk entities, Power of Attorney appointments, changes to address or bank details prior to a withdrawal or transfer as well as the aggregation of investment funds are among other critical areas.
• The rollout of a Premium AML Workflow tool to further enhance the customer verification process by ensuring documents are current, consistency of processing and greater due diligence data points.
• BoardRoom also transitioned our PEP/Sanction screening provider. The new provider supplies a comprehensive database of watchlists including adverse media and powerful search tools to further discount false positives. In addition to a robust platform, the provider is Australian based with an Australian service team. Assisting our external client team meet their compliance & audit obligations, the provider also provide an annual attestation confirming sanction, watchlists & blacklists are periodically updated.

2024

As we move into 2024, BoardRoom remains dedicated to adapting and enhancing our services in response to the dynamic compliance and cyber security environment. Our focus on cyber security advancements and compliance, along with our proactive approach in engaging with regulatory changes and implementing cutting-edge tools, demonstrate our commitment to safeguarding our clients’ interests. We are poised to navigate the complexities of the regulatory landscape, ensuring that our clients receive the most comprehensive and up-to-date support. BoardRoom’s continued investment in technology and training, along with our active participation in industry dialogues and consultations, positions us as a trusted partner in managing the evolving demands of compliance and cyber security safeguarding our client’s data. Our commitment is to provide our clients with not just compliance, but a strategic advantage in this ever-changing landscape.

We want to know what you think! We are always looking for ways to improve so that we can better serve our clients. We’ve developed a short 3 question survey and we’d love a chance to hear from you. Your Feedback is important to us.

Contact BoardRoom for more information: