Today ASIC released its latest report on the cyber resilience of firms operating in Australia’s financial markets. Report 716 Cyber resilience of firms in Australia’s financial markets: 2020–21 (REP 716) provides an update on organisations’ cyber resilience in the two years since the publication of Report 651 Cyber resilience of firms in Australia’s financial markets: 2018–19 (REP 651) in 2019.
ASIC Commissioner Cathie Armour said, ‘Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and to access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust.’
Our findings indicate that while there has been a small but steady improvement in the cyber resilience of firms operating in Australia’s financial markets, the measured increase of 1.4% falls far short of the 14.9% improvement targeted for the period.
This shortfall is the combined result of overly ambitious targets, escalation in the cyber threat environment and disruptions caused by the pandemic. These factors led organisations to reassess the targets they set in 2019 and to redirect resources to:
enable secure remote working on a never-before-seen scale, and
ensure the delivery of products and services to customers as supply chains become increasingly burdened and threatened by cyber threat actors.
Other key findings from REP 716:
The gap between large firms and small-to-medium enterprises (SMEs) is continuing to close.
The cyber resilience of many SMEs has improved.
The confidence of larger firms in their own cyber resilience has fallen slightly because of increased complexity in their business operating models and heavy reliance on supply chain partners.
The level of cyber resilience for supply chain risks has remained relatively static since cycle 2, despite the increasing number of cyber threat actors, sources and types targeting firms’ third parties and supply chains.
All organisations identified supply chain risk management as their top priority for the future. We encourage all firms to consider applying the good practices identified in the report for managing these risks. Failure to invest in supply chain risk management could lead to significant consumer harm that might warrant ASIC investigation and action.
ASIC will continue to monitor, assess and measure improvements over time by:
engaging and collaborating with regulated firms, other regulators and Government
raising awareness of cyber risks in the financial markets sector, and highlighting good practices and areas for improvement
assessing the cyber resilience of regulated firms and measuring their progress against their targets, and
engaging with firms that are failing to improve their cyber resilience.
ASIC encourages all financial markets firms to consider and discuss the information in this report as they develop or enhance their cyber resilience frameworks.