ASIC report Cyber resilience of firms in Australia’s financial markets: 2018–19 (REP 651) provides an update on organisations’ cyber resilience capabilities in the two years since the publication of (REP 555) Cyber resilience of firms in Australia’s financial markets in November 2017.
ASIC Commissioner Cathie Armour said, 'The cyber resilience of firms operating in Australia’s markets has improved since Report 555, with all firms recognising cyber risk as a strategic, organisation-wide issue that is attracting increasing investment.
‘However, while the cyber resilience of firms has improved, firms have struggled to meet the targets in Report 555. Continued investment and strong leadership from senior management is critical to ensuring a firm’s ability to meet these targets and maintain strong cyber resilience,’ she said.
Report 651 is designed to:
- Provide an update to REP 555 on the cyber resilience of firms operating in Australia’s financial markets
- Identify new and emerging trends, particularly any challenges that have emerged over the past two years.
Among the key insights from the assessments:
- The gap between large firms and small-to-medium enterprises (SMEs) identified in REP 555 is gradually closing, with the overall improvement in cyber resilience across the industry largely driven by SMEs
- Larger firms have continued to refine and improve their cyber resilience through targeted investment
- Supply chain risk management is now accepted as an industry-wide challenge that requires attention over the next period.
ASIC will continue to monitor, assess and measure improvements over time by:
- Engaging and collaborating with regulated firms, other regulators and Government
- Raising awareness of cyber risks in the financial markets sector and highlighting good practices and areas for improvement
- Assessing the cyber resilience of regulated firms and measuring their progress against their targets.
ASIC encourages all financial markets firms to consider and discuss the information in this report as they develop or enhance their cyber resilience frameworks.