Smaller financial firms lagging in cyber resilience
Organisations operating across Australia's financial markets are getting better at managing cyber risk, but there's still some work to be done, especially at the smaller end of town.
That’s the message from a new report from the Australian Securities and Investments Commission (ASIC) that examines the cyber resilience of over 100 stockbrokers, investment banks, market operators, post-trade infrastructure providers and credit rating agencies.
‘Given the central role financial markets firms play in our economy, the cyber resilience of our regulated population is a key focus for ASIC,’ observes ASIC Commissioner Cathie Armour.
'While our report shows greater engagement by firms on the issue, there is disparity between firms and insufficient investment in cyber resilience measures.’
The report found that large organisations with access to specialist skills and resources demonstrate a relatively high degree of cyber resilience compared to small and medium-sized enterprises (SMEs) — some of which are just beginning to develop their cyber resilience.
‘While there is opportunity for improvement across the entire sector, this is particularly true for SMEs,’ it states.
For example, significant improvements are required around SMEs’ incident response management. ‘The common theme is a lack of formalised processes,’ says ASIC.
Encouragingly, SMEs had relatively strong protective IT security policies and processes in place, with over 80 per cent reporting that the security of servers, networks and security testing was well managed. Nonetheless, ASIC says they need to lift their game around mobile security and removable media.
According to ASIC, the disparity between large companies and SMEs is a reflection of their investment in cyber security, the amount of time cyber security has been an investment priority and their ability to acquire highly specialised skills.
Report 555 Cyber resilience of firms in Australia’s financial markets builds on ASIC’s cyber resilience assessment of the ASX and Chi-X markets in an earlier report published in April 2016.
ASIC says it will continue to monitor, assess and measure improvements over time by:
- engaging and collaborating with regulated companies, other regulators and government
- raising awareness of cyber risks in the financial markets sector and highlighting good practices and areas for improvement
- assessing the cyber resilience of regulated companies and measuring their progress against their targets.
To help companies operating in Australia’s financial markets improve their cyber resilience, ASIC has published a number of resources on its website, including good practice guidance and key questions for boards to ask about their company’s cyber resilience.