ASIC registers improvement in cyber resilience of Australian financial firms
The Australian Securities and Investments Commission (ASIC) today released its latest report on the cyber resilience of firms operating in Australia’s financial markets.
The report covers the so-called “cycle 3”, meaning 2020 and 2021. It provides an update on organisations’ cyber resilience in the two years since the publication of Report 651 Cyber resilience of firms in Australia’s financial markets in November 2018-19.
To allow ASIC to evaluate firms’ cyber resilience, participants were asked to self-assess their firm’s resilience against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Participants were made up of a cross-section of organisations in Australia’s financial markets, including stockbrokers, investment banks, market licensees, market infrastructure providers and credit ratings agencies.
Results indicated that, while management of cybersecurity risk was steadily improving overall, there was still opportunity for improvement across the entire sector. The COVID-19 pandemic had a detrimental impact on planned improvements and investment was reprioritised to mitigate other emerging cyber risks.
Cyber resilience is an organisation’s capacity to prepare for, respond to and recover from cybersecurity events. The overall cyber resilience of firms operating in Australia’s financial markets has remained steady, with a slight improvement of 1.4% overall. However, this falls short of the 14.9% improvement targeted by respondents for the period, and is also lower than the 15% improvement achieved between cycle 1 and cycle 2.
This shortfall can be attributed to:
- overly ambitious targets
- escalation in the threat environment
- reprioritisation due to the pandemic.
The pandemic has caused firms to reassess priorities and divert resources in two directions: firming up the resilience of critical business activity so that secure remote working at scale can keep business operations running, and focusing on supply chain risks so that products and services continue to be delivered to customers.
Overall, cycle 3 saw improvements in the management of digital assets (7.2%), business environment (6.0%), staff awareness and training (4.7%), and protective security controls (4.5%).
The report finds that:
- 90% of firms have strengthened user and privileged access management.
- 88% of firms are ensuring users are trained and aware of cyber risks—an important line of defence.
- 86% of firms have mature cyber incident response plans in place.
Small and medium-sized entities (SMEs) are continuing to close the gap on larger firms with an overall improvement of 3.5%. In contrast, larger firms reported a slight drop in confidence of 2.2%. However, this comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of increased complexity of their business operating models and a significant increase in threats to critical products and services reliant on third parties and supply chains.
The greatest gaps between large firms and SMEs are in supply chain risk management, cyber intrusion monitoring and detection, and recovery planning. Concerningly, ASIC sees no material improvements in supply chain risk management between cycle 2 and cycle 3, and the majority of firms identified this as an ongoing priority over the next period.
Cycle 3 saw credit rating agencies investing heavily in cyber resilience, triggered by the 2017 Equifax incident, while investment banks continue to set high targets for all NIST Framework categories.
ASIC Commissioner Cathie Armour commented:
“Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust.”