Clifford Chance

The Australian Securities and Investments Commission (ASIC) and the Reserve Bank of Australia (RBA) have published the key findings from an independent review of ASX's trade outage.

On Monday 16 November 2020, the Australian Securities Exchange (ASX) was forced to suspend trading for the day due to a technical meltdown after a software upgrade of its trading system, provided by NASDAQ.

ASIC and the RBA raised significant concerns regarding the outage, including due to ASX's prominence as the key platform used for securities trading in Australia.

In response to the regulators' concerns, ASX commissioned an independent expert review into the software upgrade (known as the Trade Refresh project) to assess whether it met internationally recognised standards or frameworks and relevant securities industry practices. IBM Australia Limited (IBM) was appointed to undertake the review.

IBM found that ASX met or exceeded leading industry practices in 58 out of 75 of the capabilities assessed. This included:

• business case development and project change management
• the project was provided with and had access to sufficient financial, time, people and technological resources at all stages of delivery to meet its objectives
• communication with key stakeholders were approximately managed, and
• incident management actions taken by ASX were appropriate.

However, several key shortcomings were identified, including:

• factors that suggested the ASX Trade system was not ready to go-live considering ASX's near zero appetite for service disruption
• there were gaps in the rigour applied to the project delivery risk and issue management process expected for a project of this nature, and
• it was not reasonable to conclude that ASX's test plan was consistent with its risk appetite.

IBM made recommendations covering seven key categories: risk, governance, delivery, requirements, vendor management, testing and incident management.

In responding to IBM's findings, ASX has recognised the need to engage closely with the RBA and ASIC in order to address the recommendations and reiterated their "commitment to continually improve our resilience by implementing learnings from incidents and outages, and to ensure we maintain a contemporary technology base".

ASX has also undertaken a range of actions since November to help address issues arising from the outage, including a review of ASX's operating model. ASX has indicated that it will "develop a detailed response plan for execution over the next 12 to 18 months" with the "delivery of this program of work under the oversight of ASIC and the RBA".

Going forward, ASIC has noted that they will continue to engage with market operators, participants and institutional investors to understand the impact of the incident and identify any potential market adjustments in order to prevent or reduce the impact of future incidents.

ASIC is continuing its own investigation in relation to the outage to determine whether ASX met the conditions of its Australian Market Licence. ASX's risk controls in relation to technology progress is under particular scrutiny with a number of further upgrades in the pipeline, including replacing the CHESS clearing and settlement system with a distributed ledger.

The seriousness with which ASX's regulators have treated the meltdown serves as a clear indication of the need to have in place appropriate systems to manage significant operation incidents – whilst these are in some cases unavoidable, effective regulatory engagement and crisis management has the potential to significantly reduce the long term impact on the organisation.