An ASIC report on the cyber resilience of over 100 firms operating across Australia's financial markets has shown a growing understanding of cyber risks, but there is still some progress to be made.
Report 555, Cyber resilience of firms in Australia’s financial markets, collates and analyses the results of self-assessments from over 100 stockbrokers, investment banks, market operators, post-trade infrastructure providers and credit rating agencies.
ASIC Commissioner Cathie Armour said, 'Cyber resilience is now widely regarded as one of the most significant concerns for the financial markets sector and the economy at large. Given the central role financial markets firms play in our economy, the cyber resilience of our regulated population is a key focus for ASIC.
'While our report shows greater engagement by firms on the issue, there is disparity between firms and insufficient investment in cyber resilience measures.
'Cyber resilience is not just an IT issue but one that requires a whole-of-organisation response. The dynamic nature of cyber threats requires a comprehensive and long-term commitment to cyber resilience by all organisations operating in the Australian economy', Ms Armour said.
Report 555 is designed to:
- raise awareness of cyber risks
- highlight existing good practices and areas for improvement
- monitor and assess the cyber preparedness of financial markets firms.
Key insights from the assessments include the following:
- There is a growing understanding that cyber risk is a strategic, enterprise-wide issue that is on all organisations’ radars and is attracting increasing investment.
- The disparity between large firms and small-and-medium firms reflects their investment in cyber security, how long cyber security has been an investment priority, and their ability to acquire highly specialised skills.
- Larger firms have demonstrated a relatively high degree of cyber resilience.
- Small-and-medium firms are working towards developing their cyber resilience by investing in cyber security, but there is a long way to go.
ASIC will continue to monitor, assess and measure improvements over time by:
- engaging and collaborating with regulated firms, other regulators and Government
- raising awareness of cyber risks in the financial markets sector and highlighting good practices and areas for improvement
- assessing the cyber resilience of regulated firms and measuring their progress against their targets.
ASIC encourages all financial markets firms to consider and discuss the information in this report as they develop or enhance their cyber resilience frameworks.
Report 555 builds on ASIC’s cyber resilience assessment of the ASX and Chi-X markets in Report 468, Cyber resilience assessment report: ASX Group Ltd and Chi-X Australia Pty Ltd, published in April 2016.
To help firms operating in Australia’s financial markets improve their cyber resilience, ASIC has published a number of resources on its website, including good practice guidance and key questions for boards to ask about their firm’s cyber resilience.