Medcraft warns on cyber black swan

James Riley
Editorial Director

Cyber security will likely trigger corporate Australia’s next big black swan event according to outgoing ASIC chairman, Greg Medcraft.

It’s a key risk that the Australian Securities and Investment Commission has monitored during 2017.

“I think cyber security is quite patchy in terms of consistency and unfortunately despite the many warnings we make, many companies are very underprepared for an attack and unfortunately until some companies get attacked they are not engaged enough,” said Medcraft.

“Unfortunately I think cyber is going to be our next big black swan.”

Greg Medcraft: ASIC is transitioning from policeman to intelligence agent

The Australian Cyber Security Centre’s recently released 2017 Threat Report identified 47,000 cyber incidents affecting local enterprise – up 15 per cent on the previous year. It also pointed to a rising trend for cyber-attacks to come in through the back door via supply chain or outsourcing partners which may not be as well protected as larger organisations.

In April ASIC released the results of a cyber health check of Australia’s largest listed companies which found that although some progress had been made – more work was needed.

“I think we are on the start of a journey – but there is a long way to go,” said Medcraft.

“It’s not something you just stop – the parties on the other side whether they are state players or organised crime or whatever – they are constantly innovating, so equally you have got to be constantly innovating, constantly staying on top of it in terms of cyber readiness.”

Besides the warning to corporate Australia about the very real risks of cyber security Medcraft has sage advice for his newly announced successor James Shipton; ASIC is transitioning from policeman to intelligence agent, and it’s all down to data.

Medcraft leaves the Australian Securities and Investment Commission on November 12 as an already very different animal than when he joined as commissioner in 2009.

A tsunami of FinTech and RegTech disruptors, the advent of blockchain technology, an emerging algorithmic economy, increased focus on cyber resilience, and vast pools of deep data are transforming commerce, global economies, and the regulators that watch over them.

Speaking to shortly before he steps down Medcraft said that although ASIC itself was not likely to be disrupted by technology, after all; “Clearly having rule of law is essential for a fair and efficient financial system, so becoming irrelevant or non-essential is probably not a real risk for ASIC,” it would be transformed.

“In the future ASIC will look a lot more like an intelligence agency than policing in the future,” and that will come about because of the way that corporations and ASIC interact.

“The way of the future is not going to be data portals, the way of the future will be regulatory nodes – where the company provides the data we need on the node and we simply collect it on the node.”

Instead of ASIC issuing requests for information to companies, it will trawl its data collection to identify potential problems ahead of time, allowing early intervention.

Medcraft also expects there will be more international data sharing.

“We may in the not too distant future exchange information globally with our fellow regulators,” noting that mutual recognition agreements had already been signed with various jurisdictions around the world to allow interoperability.

The organisation released its data strategy in September which outlines how it plans to become more data driven over the coming three years.

“We are already investing pretty heavily in what we call the One ASIC strategy which is using data to have analysis to better connect the dots – investing in e-investigations, e-surveillance and e-discovery in the court system now,” he says.

“Things like IBM I2 that allows us to connect the dots between people, places or entities, or the (Crimson) Hexagon social media machine learning app that allows us to go in and drill down ten years for an individual’s social media interactions and potentially connect people up that have been emailing one another.

“At the moment we do risk based surveillance but in surveillance sometimes it’s good to do random surveillance – you sometimes discover what you didn’t know.”

On Medcraft’s watch ASIC has further boosted its tech-chops through the Innovation Hub which he sees as essential to the nation’s ongoing prosperity.

“Our role and role in society is basically to allow markets to fund the economy and in turn fund economic growth and contribute to the well-being of all Australians. We do that by promoting investor and consumer trust and confidence and making sure that markets are fair and efficient.”

Besides overseeing the market and providing registry services for companies, Medcraft said one of ASIC’s challenges is creating an environment that encourages innovation without putting at risk the trust of investors and consumers.

Medcraft added that requires ASIC to be flexible and adaptable, and avoid any temptation to make a judgment about a new technology or process too early,

“You have to make sure that when you approach new technology you are technology neutral – neutral in terms of the analogue versus the digital world.”

When it comes to the use of algorithms and machine learning, Medcraft said ASIC will remain neutral but added; “Someone has to take responsibility for the algorithm, the methodology underpinning the algorithm needs to be clearly explained to a human being, and thirdly if the algorithm is a credit rating tool for example, if for some reason because of the algorithm or underlying data the person is unfairly disadvantaged, there needs to be a dispute settlement process and ability to compensate.”

He is also optimistic about the speed, efficiencies and disintermediation promised by blockchain or distributed ledger technology.

Medcraft said ASIC is looking to run a blockchain pilot itself and working with the ASX which hopes to introduce a blockchain solution for settlement late this or early next year. But again he noted that a human being ultimately has to be able to be held accountable for the impact of the technology.

The other major change that Medcraft’s successor will oversee is a transition to a different funding model as new laws mean that the very companies that ASIC polices will in the future have to pay for its services – the first invoices go out in January 2019.

Earlier this month ASIC noted that industry levies would pay for $246 million of its $387 million funding in 2017-18.

While Government is ultimately responsible for determining ASIC’s funding Medcraft said that the levies would send a useful price signal to corporate Australia about the importance the nation place on its role.

As to his next gig Medcraft is still playing his cards close to his chest. Speculation has mounted that he might take up a regulatory role in Paris. “Some of the rumours are pretty accurate – je ne sais pas. Ciao”

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories