ASIC Moves to Streamline Market Resilience Rules as Focus Sharpens on Operational Risk

Key Takeaways

• Simplified Resilience Guidance: ASIC has updated its resilience guidance to reduce duplication, shorten regulatory text, and improve structure across three core regulatory guides.
• Flexibility for Critical Business Services: Market participants and operators may rely on existing resilience frameworks, including service provider business continuity and outsourcing arrangements, where appropriate.
• Redundancy Expectations Clarified: ASIC confirmed that full redundancy arrangements are not required for every critical business service in all circumstances.
• Clearer Major Event Reporting: Updated thresholds provide greater certainty around when operational incidents must be reported to ASIC.
• Outdated References Removed: The revised guidance removes references to superseded APRA standards and incorporates class waivers issued in August 2025.

Deep Dive

Australia’s corporate watchdog has rolled out a new round of updates aimed at simplifying how market participants and operators comply with technological and operational resilience requirements, as regulators continue to sharpen their focus on infrastructure risk across securities and futures markets.

The Australian Securities and Investments Commission said the changes are designed to make its guidance clearer, shorter, and easier to navigate, while maintaining expectations around resilience that underpin market integrity and financial stability.

The updates mark the third phase of ASIC’s review of guidance tied to its market resilience framework under the ASIC Market Integrity Rules for securities and futures markets. They apply to Regulatory Guide 265 and Regulatory Guide 266, which cover market participants, as well as Regulatory Guide 172, which applies to domestic and overseas market operators.

ASIC said resilient market participants and operators remain “essential to the integrity of our securities and futures markets and to the efficient functioning of the economy,” particularly as operational disruptions, cyber incidents, and third-party dependencies continue to rise.

What Has Changed in the Guidance

At a practical level, ASIC’s revisions aim to reduce duplication across its regulatory guides and remove outdated references, while giving firms greater clarity on how resilience expectations can be met in real-world operating environments.

Among the key changes, ASIC has formally incorporated guidance on identifying critical business services that was previously shared with industry in a September 2024 letter. The regulator has also confirmed that firms may, where appropriate, rely on existing resilience frameworks when meeting their obligations, including service providers’ business continuity plans and redundancy arrangements in outsourcing scenarios.

Importantly, ASIC clarified that full redundancy arrangements may not be required for every critical business service in all circumstances, offering greater flexibility where alternative controls are proportionate to the risk. The updated guidance also sharpens the thresholds for identifying and reporting major operational events to ASIC and removes references to APRA standards and guidance that are no longer in force.

The revisions also embed class waivers granted in August 2025, which provide limited relief from certain outsourcing requirements where energy or communications services are classified as critical business services.

Resilience Under Sustained Regulatory Scrutiny

ASIC framed the changes as part of its broader commitment to strengthening operational, digital, and data resilience, which it has identified as a strategic priority for 2025–26.

That focus is playing out alongside ASIC’s ongoing inquiry into the ASX group, led by an independent panel examining governance, capability, and risk management frameworks. ASIC has said it expects the panel’s findings and recommendations to be published by March 2026.

While that inquiry continues, ASIC stressed that ASX must maintain the safe and efficient operation of its infrastructure, including progress toward Release 1 of the CHESS replacement project, currently targeted for mid-2026. ASIC’s expert technical review of CHESS, announced in March 2025, is continuing in parallel with the broader inquiry, alongside further work on financial market infrastructure reforms and updated guidance expected in 2026.

A Phased Approach to Reform

The latest updates build on earlier steps taken by ASIC to clarify how the resilience rules should be applied. Minor drafting corrections were made in May 2024 to address confusion around identifying critical business services and the meaning of “immediately” when notifying ASIC of major events.

That was followed by a thematic review and industry letter in 2023 and 2024 highlighting observed weaknesses in firms’ resilience arrangements. ASIC said the third phase reflects further engagement with market participants and industry bodies and is intended to strike a better balance between regulatory clarity and operational flexibility as firms embed resilience into day-to-day risk management practices.

The resilience rules themselves have been in force since March 2023, forming a core pillar of ASIC’s expectations around how market participants and operators prepare for, respond to, and recover from major operational disruptions.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.