ASIC Report on Cyber Resilience of Firms in Australia's Financial Markets

Monday 4 December 2017 @ 10.09 a.m. | Legal Research

Last Thursday, 30 November 2017, ASIC released its report into Cyber resilience of firms in Australia’s financial markets (the “Report”). This report was the culmination of a 24 month survey of 101 firms across the financial markets sector. In undertaking this survey, the firms completed a self-assessment survey on the cyber resilience of their company.

The report begins by highlighting the importance of cyber resilience:

“Cyber resilience is vital to all organisations operating in the digital economy, and nowhere is this more important than the financial markets sector, where the trust between an organisation and its clients is essential to its future...

 The results of these surveys show that while firms are getting better at managing cyber risk, there's still work to do.”

Cyber Resilience Survey

Cyber resilience has been defined as “the ability to continuously deliver the intended outcome despite adverse cyber events”. The report therefore aims to:

  • raise awareness of cyber risks
  • highlight existing good practices and areas for improvement
  • monitor and assess the cyber preparedness of financial markets firms.

The survey was divided into 6 categories denoting the level of cyber resilience of the surveyed firms at the time of completing the survey and extending into their predicted target of cyber resilience in 12 months’ time. These categories are:

  • Information governance and risk management
  • User access management
  • Monitoring and detection
  • User education and awareness
  • Protective IT security policies and processes
  • Incident response

The results of the survey showed that, of the SMEs that participated in the survey almost half were only at the risk informed stage of most of the above categories, with many proposing to improve their information and skills over the next 12 months.

Some of the findings from the report include:

User education & awareness

User education and awareness is another area that requires work by SMEs. Currently, only 61% of SMEs are at 'repeatable' or 'adaptive' maturity in this area. While this number is far too low, it is encouraging to see a targeted improvement of 35% – which would leave only 4% of SMEs at 'partial' or 'risk-informed' maturity.

[…]

Incident response

Significant improvements are required around incident response management. More than 40% of firms are currently at 'partial' or 'risk-informed' maturity. The common theme is a lack of formalised processes.

[…]

Information governance & risk management

All large firms understand their regulatory cyber security obligations and have information and cyber security policies in place which are communicated across the organisation and periodically reviewed and updated.

Forty-one percent of firms indicated that a proper understanding of information flows across the organisation was a work in progress. Fortyfive percent are still grappling with their understanding of externally managed systems and data. All firms indicated that these were priority areas for the next investment period.

[…]

Monitoring and detection

Large firms generally demonstrate a high level of maturity around the monitoring of activities on networks. This includes detection and management of malicious software and anomalous user activity.

Monitoring of unauthorised mobile software is still an issue despite efforts to reduce risks. Areas of improvement include:

  • establishing baselines for expected information flows over networks to allow anomalies to be detected
  • aggregation of multiple information sources to improve threat detection and assessment.”

Large firms who participated in the survey indicated a higher level of awareness and implementation of policies and processes towards cyber resilience, however, much improvement was still noted to be implemented. The overall key insights from the report are noted as including the following:

  • There is a growing understanding that cyber risk is a strategic, enterprise-wide issue that is on all organisations’ radars and is attracting increasing investment.
  • The disparity between large firms and small-and-medium firms is reflective of their investment in cyber security, the period of time cyber security has been an investment priority, and the ability to acquire highly specialised skills.
  • Larger firms have demonstrated a relatively high degree of cyber resilience.
  • Small-and-medium firms are working towards developing their cyber resilience by investing in cyber security, but there is a long way to go.

ASIC and Governmental Responses

In response to this report, ASIC has released information pages on good practice guidance and key questions for boards to ask about their firm’s cyber resilience.

The good practice guide includes practices relating to board engagement; governance; cyber risk management; third party risk management; collaboration and information sharing; asset management; cyber awareness and training; protective measures and controls; detection systems and processes; response planning; and recovery planning.

In addition to these ASIC initiatives, in April 2016 the Federal Government initiated a Cyber Security Strategy which has been in consultation with over 190 organisations to increase national cyber security standards. This initiative is stated as being based on five key themes:

  • A national cyber partnership between government, researchers and business including regular meetings to strengthen leadership and tackle emerging issues.
  • Stronger cyber defences to better detect, deter and respond to threats and anticipate risks.
  • Global responsibility and influence to champion a secure, open and free internet while building capacity to crack down on cyber criminals and shut safe havens for cybercrime.
  • Growth and innovation to support the Australian cyber security sector to grow and prosper, and ensuring all Australian businesses can operate securely online.
  • A cyber smart nation to grow a highly skilled cyber security workforce and ensure all Australian are aware of the risks and benefits of being online.

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.

Sources:

Related Articles: