ASIC’s Regulatory Guide 255 (RG255) provides important guidance to the industry regarding the way systems should be designed and deployed in Australia to protect against malicious cyber activity. Robo-advisers must have adequate professional indemnity (PI) insurance and compensation arrangements to cover the potential for widespread losses caused by flawed algorithms.
In Australia, robo-advisers must have an appropriate Australian Financial Services (AFS) license or be a representative of an AFS licensee. All AFS licensees should have at least one person who understands the technology and algorithms used to provide digital advice. Digital financial advisers must also establish and maintain an adequate risk management system that rigorously and regularly tests the advice and actions of their automated systems.
Robo-advisers are expected to assess their cyber risks and cybersecurity using recognised frameworks, such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, or the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.
Sensitive Information Must Be Secure
Traditional financial sector enterprises and technology-fuelled fintech disruptors hold a growing collection of sensitive financial and personal information, which makes them a prime target for cyber-intruders. This demands constant vigilance across the sector. The OAIC’s most recent quarterly report noted that the finance sector was second only to health service providers in the number of notified data breaches.
The open banking era is looming. It will encourage the financial sector to share and transfer more data and, as a result, organisations’ attack surface will expand. Firms engaged in data sharing – for example for credit risk assessment – will also need to be assured of the provenance and accuracy of information provided by third parties.
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has put practices in the industry under scrutiny. This is unlikely to abate in the near future. As a result, financial institutions have had their processes and procedures, including automation, benchmarked against best practice. This offers the industry a measure of comfort that all risks have been assessed thoroughly and risk transfer strategies implemented.