Last Thursday, 30 November 2017, ASIC released its report into Cyber resilience of firms in Australia’s financial markets (the “Report”). This report was the culmination of a 24-month survey of 101 firms across the financial markets sector. In undertaking this survey, the firms completed a self-assessment survey on the cyber resilience of their company.
The report begins by highlighting the importance of cyber resilience:
“Cyber resilience is vital to all organisations operating in the digital economy, and nowhere is this more important than the financial markets sector, where the trust between an organisation and its clients is essential to its future...
The results of these surveys show that while firms are getting better at managing cyber risk, there's still work to do.”
Cyber resilience has been defined as “the ability to continuously deliver the intended outcome despite adverse cyber events”. The report therefore aims to:
The survey was divided into 6 categories denoting the level of cyber resilience of the surveyed firms at the time of completing the survey and extending into their predicted target of cyber resilience in 12 months’ time. These categories are:
The results of the survey showed that, of the SMEs that participated in the survey, almost half were only at the risk-informed stage in most of the above categories, with many proposing to improve their information and skills over the next 12 months.
Some of the findings from the report include:
“User education & awareness
User education and awareness is another area that requires work by SMEs. Currently, only 61% of SMEs are at 'repeatable' or 'adaptive' maturity in this area. While this number is far too low, it is encouraging to see a targeted improvement of 35% – which would leave only 4% of SMEs at 'partial' or 'risk-informed' maturity.
Significant improvements are required around incident response management. More than 40% of firms are currently at 'partial' or 'risk-informed' maturity. The common theme is a lack of formalised processes.
Information governance & risk management
All large firms understand their regulatory cyber security obligations and have information and cyber security policies in place which are communicated across the organisation and periodically reviewed and updated.
Forty-one percent of firms indicated that a proper understanding of information flows across the organisation was a work in progress. Forty-five percent are still grappling with their understanding of externally managed systems and data. All firms indicated that these were priority areas for the next investment period.
Monitoring and detection
Large firms generally demonstrate a high level of maturity around the monitoring of activities on networks. This includes detection and management of malicious software and anomalous user activity.
Monitoring of unauthorised mobile software is still an issue despite efforts to reduce risks. Areas of improvement include:
Large firms that participated in the survey indicated a higher level of awareness and implementation of policies and processes towards cyber resilience; however, considerable improvement was still noted as required. The overall key insights from the report are noted as including the following:
In response to this report, ASIC has released information pages on good practice guidance and key questions for boards to ask about their firm’s cyber resilience.
The good practice guide includes practices relating to board engagement; governance; cyber risk management; third party risk management; collaboration and information sharing; asset management; cyber awareness and training; protective measures and controls; detection systems and processes; response planning; and recovery planning.
In addition to these ASIC initiatives, in April 2016 the Federal Government initiated a Cyber Security Strategy, developed in consultation with over 190 organisations, to increase national cyber security standards. This initiative is stated as being based on five key themes:
TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.
Fredrik Björck, Martin Henkel, Janis Stirna, and Jelena Zdravkovic (2015). Cyber Resilience – Fundamentals for a Definition. Department of Computer and Systems Sciences, Stockholm University.