The Australian Securities Exchange (ASX) has vowed to “prioritise remediation of ageing [technology] assets” in response to a recent report from the Reserve Bank of Australia (RBA) which expressed concern that the securities exchange is thus far failing to effectively manage technology systems renewal.

The RBA, as part of its annual Assessment of ASX Clearing and Settlement Facilities report, labelled the securities exchange’s current approach to managing its ageing assets as “insufficient to fully ensure resilient, secure and operationally reliable systems”.

“ASX’s renewal of its technology is not keeping up with the ageing of its systems,” the RBA wrote.

While noting that the securities exchange has “recently developed programs to address some of the problems of ageing assets in ASX Clear and ASX Clear (Futures), both critical clearing systems, this renewal program did not extend to “funded and prioritised remediations for all critical systems”.

“The Bank [RBA] considers ASX’s current approach to managing ageing assets to be insufficient to fully ensure resilient, secure and operationally reliable systems. The Bank expects ASX to take steps to ensure that this ongoing risk is better managed in future.”

As part of the ASX’s regular system operational risk assessments (SORA) (which were completed during the RBA’s own assessment period), the RBA noted that the ASX did consistently flag both software currency and hardware age as “areas of concern”.

“When software reaches end-of-life, vendor support, updates and security patches may cease to be available, raising security and operational concerns. Aged hardware can also lead to problems with system processing and capacity. Maintaining appropriate controls for such systems is resource intensive.”

As one of the ASX’s chief regulators, the Reserve has called for the securities exchange to develop, by the end of this year, a comprehensive roadmap for the remediation of currently identified ageing assets.

The RBA said this roadmap must:

• include timelines and dependencies for remediation (e.g., key milestones such as business case and funding approval)
• clearly specify the prioritisation of system remediation
• include details of the key risks for assets that will reach the end of their support period or end-of-life before remediation or replacement
• include the implementation of short-term controls to mitigate these risks

“The Bank expects ASX to take steps to ensure that this ongoing risk is better managed in future,” the report read.

In response to the RBA’s call, the ASX in a statement said its recently appointed and “dedicated” chief information officer, Tim Whiteley, is currently leading the development of a comprehensive roadmap for remediating ageing assets.

“We are committed to continuing to uplift our processes and ASX has put in place a new technology governance framework design, including new system risk assessment processes that identify remediation work to address areas such as software currency, ageing hardware and system controls.

“These findings will be applied enterprise-wide and incorporated into our technology modernisation roadmap.”

The ASX’s technology renewal program falls under the RBA’s ‘operational risk’ assessment, which the Reserve rate as partly observed.

“The Bank holds increasing concerns over ASX’s ability to manage operational risk,” the RBA said.

The regulator added that it expects the ASX “to promptly take action to remediate its ageing assets to enable the longevity, safety and performance optimisation of assets that support critical financial market infrastructure”.

The RBA noted that ‘Operational risk’ will be subject to a special topic in next year’s Clearing and Settlement systems assessment.