ASIC says cyber-resilience of financial markets remained stable but fell short of target

Firms in the Australian financial market have continued to resist cyber threats, with rates of improvement in cyber resilience remaining stable, the Australian Securities and Investments Commission (ASIC) reported on Monday.

This result was published in the latest report [PDF], which compiled the trends from self-report surveys conducted by financial market companies. The report, titled Cyber Resilience of Businesses in Australian Financial Markets: 2020-2021, is an update of a similar report on cyber resilience published by ASIC two years ago.

In 2020 and 2021, ASIC asked participants to reassess their cyber resilience against the National Institute of Standards and Technology (NIST) cybersecurity framework. The NIST framework enables organizations to assess cyber resilience against five functions: Identify, Protect, Detect, Respond and Recover, using a maturity scale indicating where they are now and where they intend to be in 12 to 18 months.

In the new report, ASIC identified that the cyber resilience of companies operating in the Australian financial market increased by 1.4% overall, but this was lower than the 14.9% improvement targeted for the period. It is also lower than the 15% improvement achieved between 2017 and 2019.

ASIC attributed the shortfall to a combination of reasons, including over-ambitious goals, a heightened cyber threat environment, and disruption from the COVID-19 pandemic, which caused organizations to dedicate resources to establishing secure remote working and ensuring that products and services could be delivered to customers as supply chains were cluttered with increasing numbers of cyber activists.


Improved cyber resilience readiness between cycles (by function).

Image: ASIC

Overall, 2021 saw improvements in digital asset management, the business environment, staff awareness and training, and protective security controls.

“Companies operating in Australian markets continue to resist a rapidly changing cyber threat environment. The COVID-19 pandemic has increased the opportunities for threat actors to target remote workers and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from businesses has been strong,” said ASIC Commissioner Cathie Armour.

The report states that 90% of companies have strengthened user and privileged access management, 88% of companies ensured that users are educated and aware of cyber risks, and 86% have mature cyber incident response plans in place.

Among the report’s other key findings, the gap between large enterprises and small and medium-sized enterprises (SMEs) continued to narrow, with an overall improvement of 3.5%. In contrast, large companies reported a slight drop in confidence of 2.2%, ASIC said.

“This comes from a solid foundation and can be attributed to the fact that large companies are reassessing their response and recovery capabilities in light of: the increased complexity of their business operating models [and] a significant increase in threats to critical products and services dependent on third parties and supply chains,” the business regulator said.

ASIC also highlighted that the biggest gaps between large companies and SMEs remained in supply chain risk management, where 40% of SMEs reported low supply chain risk management practices, but a majority of companies identified that this would be an ongoing priority over the next period.

Investment in cyber resilience by credit rating agencies increased over the period, said ASIC, sparked by the Equifax incident in 2017, while investment banks continued to set high goals for all categories of the NIST framework.

The release of the report follows ASIC’s recent recommendation for market participants to simulate failures and recovery strategies to improve resiliency. This was as a result of an investigation into the Australian Securities Exchange (ASX) software issues that arose when updating its stock trading platform in November of last year, which forced the stock exchange to suspend trading.