Resilient systems and practices

ASX builds and maintains robust risk management and governance processes and policies that integrate sustainability factors.

Cyber security

Governance and strategy

ASX’s Board and management recognise cyber risk as one of the Group’s most critical risks to be managed and mitigated.

The Chief Information Security Officer, who manages the cyber security function, reports to the Chief Information Officer and has independent and direct access to the Chair of the Board Technology Committee. In addition, cyber security is a standing agenda item for the Board Technology Committee whose meetings are attended by the senior cyber security management team.

The Cyber Security team has a Board-approved security strategy which covers a rolling four-year period. It is reviewed and approved annually by the Board upon recommendation of the Technology Committee to ensure it remains commensurate with the overall risk environment. The strategy is based on the widely adopted National Institute of Standards and Technology (NIST) Cybersecurity Framework to ensure completeness.

A security roadmap is developed from the strategy: a schedule of the activities required to implement it. Roadmap items may change as the risk environment or priorities change; however, these changes will generally fall within the existing four-year strategic window.

The following are some of the key roadmap activities from the FY25-28 cyber security strategy, by activity and description:

  • Vulnerability management uplift: Refreshing vulnerability and patch management processes to align more closely with best practice guidance from leading frameworks, e.g. the ASD Essential 8
  • Enhancements to asset management processes: Refreshing hardware and software asset management capabilities to consolidate and expand cyber integration points
  • Australian Signals Directorate (ASD) Essential 8: Deliver ongoing alignment with our targeted maturity levels in the ASD Essential 8
  • Cloud compliance uplift: Alignment of cloud controls against industry standards and integration of automated compliance monitoring
  • NIST: Deliver ongoing alignment with the NIST Cybersecurity Framework to our target maturity levels

Risk assessment and controls

The ASX cyber framework outlines the key considerations and the actions that ASX undertakes. This is complemented by policies, standards, procedures and guidelines for critical areas. These documents are periodically reviewed and updated based on changes to the business and technical requirements.

The Cyber Security team also performs regular risk assessments of the ASX environment. A risk assessment may be triggered by the annual strategy review process, a major project or upgrade implementation, the identification of an emerging risk or issue, or a request from other areas of ASX. A process for identifying and reporting emerging risks is also in place; these risks are discussed at the various risk working group forums and escalated as required.

Employee training and awareness activities include:
  • cyber security incident scenario simulation
  • new starter cyber security ‘quick guide’ training
  • workshops on how to identify phishing emails
  • quarterly phishing simulation emails
  • induction training for new employees
  • monthly and quarterly security awareness prizes and awards
  • annual security awareness e-learning module mandatory training
  • security awareness emails and ‘town hall’ sessions.
Risk and compliance

ASX remained focused on strengthening risk management and continuing to build its risk and compliance culture.

ASX’s risk management strategy is founded on the Three Lines of Defence model, which provides a clear organisational structure and clarifies roles and responsibilities for managing risks and controls across the business:

  • Line 1 is risk management within the business divisions and functions. The identification, assessment, monitoring, reporting and escalation of risks begins in Line 1. Line 1 is responsible for managing ASX’s operations within the Board-approved risk appetite.
  • Line 2 is the independent risk management and compliance functions that develop risk and compliance frameworks and policies, and oversee and challenge risk management in the first line.
  • Line 3 is the independent internal audit function.

ASX conducts an annual review of its Risk Appetite Statement to help make sure that its risk tolerance is appropriate for its role as a critical financial market infrastructure provider, to help understand and consider risk posture versus tolerance thresholds, and to identify and manage areas of greater risk to ensure that improvement is focused in the right areas.

FY24 outcomes

Over FY24, further dedicated Line 1 risk resources were onboarded to support effective execution of risk management and to further embed the Three Lines of Defence risk model.

There was also further consolidation and streamlining of risk profiles within lines of business, with a focus on control testing over FY24.

Our Line 1, 2 and 3 teams report to the ASX Limited and Clearing and Settlement boards and their committees. The Line 2 and 3 teams also report independently to the Board’s Audit and Risk Committee.

The Enterprise Risk and Enterprise Compliance teams continue to provide oversight, advice, guidance, challenge and training to the individuals throughout the business who are responsible for risk ownership and for championing risk and compliance management within their teams.

The accountability framework was further improved over FY24 and was modified to reflect organisational changes, particularly with respect to the management of technology at ASX. Accountability scenario tests were also undertaken to confirm senior executive understanding and to test for any gaps in the framework.

An annual all-employee risk and compliance culture survey provides insights across a range of dimensions, as well as for comparison and benchmarking purposes. The FY24 assessment score was a 3% improvement on FY23.

All risks are managed through the central enterprise risk management system. The key cyber risks identified include:

  • Malware
  • Data corruption
  • System encryption
  • Data exfiltration
  • Insider threat
  • Third party risk
  • System compromise
Modern slavery

The primary component of our supply chain includes the manufacture, delivery, installation, support and maintenance of the technology required to operate our infrastructure and provide our services.

Our supply chain also includes the suppliers of various goods and services that contribute to our general operations – these include our property agents, insurance providers, external consultants, the companies that provide our kitchen supplies and stationery, the manufacturers of ASX uniforms and apparel, and our security providers.

During the FY24 reporting period, our global supply chain comprised approximately 640 direct suppliers with their base of operations located in a total of 15 countries: Australia, Belgium, Czech Republic, Germany, France, England, Hong Kong, India, Ireland, Luxembourg, Malta, New Zealand, Singapore, Sweden, and the USA. ASX Group acknowledges that a number of direct suppliers to ASX Group may have manufacturing facilities in countries other than their base country of operation, including but not limited to Brazil, China and Mexico.

Approximately 20% of ASX Group’s total supplier spend during FY24 was attributed to 24 Tier 1 suppliers providing key goods and services to facilitate ASX Group’s operations. These suppliers cover a range of industry sectors, including financial services, technology goods and services, telecommunications and risk management. ASX Group’s operations require uninterrupted access to the infrastructure that services our business; therefore our core supplier relationships are often stable, long-term relationships rather than short-term engagements.

ASX continued to raise awareness of modern slavery, with all Enterprise Procurement and Partnerships (formerly Vendor Management) employees required to complete training on identifying, assessing and managing modern slavery risks.