ASIC today published Report 429 Cyber resilience: Health Check (REP 429) to help its regulated population improve cyber resilience.
Cyber resilience is an organisation’s ability to prepare, respond, adapt and recover from a cyber attack.
Report 429 highlights the importance of cyber resilience to ASIC’s regulated population, to support investor and financial consumer trust and confidence and ensure markets are fair, orderly and transparent.
ASIC Chairman Greg Medcraft said, 'Cyber attacks are a major risk for ASIC's regulated population and that means cyber resilience is an area of ASIC focus.
'The electronic linkages within the financial system mean the impact of a cyber attack can spread quickly—potentially affecting the integrity and efficiency of global markets, and trust and confidence in the financial system.
'This report outlines some "health check prompts" to help businesses review their cyber resilience—including flagging relevant legal and compliance requirements, particularly on risk management and disclosure.
'We encourage businesses, particularly where their exposure to a cyber attack may have a significant impact on financial consumers and investors or market integrity, to consider using the United States' NIST Cybersecurity Framework to manage their cyber risks or stocktake their risk management practices.
'We will consider incorporating cyber resilience in our surveillance programs, across our regulated population.'
ASIC's report also encourages collaboration with industry and the Government to ensure cyber attack responses can be co-ordinated and information on risks shared.
Financial consumers and investors also face a range of cyber risks.
'We have updated ASIC’s MoneySmart website to help financial consumers and investors protect themselves and their money from cyber risks when transacting online,' Mr Medcraft said.
Background
A cyber attack is the deliberate exploitation of computer systems, technology-dependent enterprises and networks.
Cyber resilience is an organisation’s ability to prepare and respond to a cyber attack; and continue operation during, or quickly adapt and recover from, a cyber attack.
For our purposes, cyber resilience is the intended outcome of cyber risk management and cybersecurity measures.
Customarily, organisations have focused on protection against cyber attacks. However, a resilience-based approach to cyber attacks is vital for organisations to better adapt to change, reduce exposure to risk, and learn from incidents when they occur.
The United States National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) is a voluntary, technology-neutral cyber risk management tool for organisations. It uses a common language to manage cyber risk in a cost-effective way based on business requirements, risk tolerances, and resources.
ASIC's MoneySmart website has the following tips for financial consumers and investors:
- use strong passwords
- use anti-virus programs
- watch out for unusual emails
- think before you act online
- protect your personal information
- know what your kids are doing online.