Financial firms fall behind on cyber-threat resilience

ASIC has revealed firms failed to meet targets for resilience to cyber-security events during the COVID-19 pandemic.

The Australian Securities and Investments Commission (ASIC) has found that firms operating in Australia’s financial markets have fallen short of targets for cyber-resilience improvements.

Compared to a targeted improvement of 14.9 per cent set in 2019, the overall ability of organisations to prepare for, respond to and recover from cyber-security events rose just 1.4 per cent in 2020 and 2021, according to ASIC.

In its third report on the cyber resilience of small and medium-sized entities as well as larger firms, ASIC attributed the shortfall to “overly ambitious targets, escalation in the cyber threat environment and disruptions caused by the pandemic”.


The corporate regulator noted that resources had been redirected towards secure remote working and responding to supply chain risks to ensure the delivery of products and services.

“Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment,” said ASIC commissioner Cathie Armour.

“The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust.”

Eighty-eight per cent of the firms surveyed by ASIC said they are ensuring users are trained and aware of cyber risks and 86 per cent have mature cyber-incident response plans in place.

Additionally, 90 per cent of firms have strengthened user and privileged access management in the past two years.

Compared to 2019, the main overall improvements to cyber resilience were recorded in the management of digital assets (7.2 per cent), business environment (6 per cent), staff awareness and training (4.7 per cent) and protective security controls (4.5 per cent).

Small and medium-sized entities recorded an overall improvement of 3.5 per cent, while the confidence of larger firms fell 2.2 per cent.

In its report, ASIC said it had not identified any material improvements to supply chain risk management since its previous report in 2019.

“While all organisations identified supply chain risk management as their top priority for the future, we encourage all firms to consider the application of the good practices identified in the report for managing these risks,” ASIC said.

“Failure to invest in supply chain risk management could lead to significant consumer harm that might warrant ASIC investigation and action.”

ASIC said it would continue to monitor, assess and measure improvements in cyber resilience and encouraged firms to consider and discuss the information in its report.

Jon Bragg

Jon Bragg is a journalist for Momentum Media's Investor Daily, nestegg and ifa. He enjoys writing about a wide variety of financial topics and issues and exploring the many implications they have on all aspects of life.
