ASIC Viewpoint: Cyber resilience in Australia’s financial markets
Published by the Australian Financial Markets Association in AFMA Member News, November 2017.
Cyber resilience is vital to all organisations operating in the digital economy, and nowhere is this more important than the financial markets sector, where the trust between an organisation and its clients is essential.
The increasing incidence, complexity and reach of cyber crime can destroy your organisation’s value overnight – dragging your share price and reputation down with it. Cyber crime that affects financial services can also destabilise markets, by eroding investor trust and confidence in Australia’s financial system.
Over the past 24 months, 101 firms across the financial markets sector completed an assessment of their cyber resilience. Firms assessed themselves against six cyber resilience categories using a maturity scale of where they are now and where they intend to be in 12–18 months' time. Some firms were also subject to an independent ASIC assessment.
The results of these surveys show that while firms are getting better at managing cyber risk, there's still more to do.
Industry has recognised that cyber security is a significant issue and that investment in cyber security is a priority.
Firms are prioritising investment in cyber security based on their individual assessments of cyber risk. Over the next 12–18 months we are expecting to see a significant increase in cyber security maturity across the financial markets sector.
Our findings indicate that large firms with access to specialist skills and resources have a relatively high degree of cyber security maturity compared to small and medium firms.
However, there is opportunity for improvement across the entire sector.
Areas for improvement
Several common areas of improvement were identified:
Information risk management: To make sure your organisation has adequate information security policies and procedures, you should:
- implement a risk strategy that can gauge the potential impact and consequences of a cyber attack on your business
- identify and prioritise the cyber risk management of data assets that are critical to your business, and
- stay on top of externally managed systems and data, and ensure your third parties fully understand their cyber security role as part of your organisation’s supply chain
User access management: Make sure that access to systems and data is adequately controlled by:
- applying the principle of ‘least privilege’ (i.e. users should be given the least amount of access necessary to perform their business role) for access to systems and data, and
- ensuring changes to access privileges are formally reviewed and approved by authorised personnel when user roles change.
Monitoring and detection: Improve monitoring and detection of cyber risks by:
- monitoring unauthorised access to data across all types of devices, including mobile, and
- understanding and establishing baselines for expected information flows over networks to identify any irregularities.
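The second point above is the one most easily shown in working code: learn what "normal" traffic looks like for each host, then flag flows that do not fit. The following is an added example written for this article, not code from ASIC, AFMA or any assessed firm. It assumes flow summaries already aggregated per day into (source host, destination, port, bytes) tuples, as a NetFlow or proxy-log pipeline would produce; the hostnames, the address 203.0.113.9 and all byte counts are constructed sample data. The baseline is a per-channel mean and standard deviation, a deliberately simple technique chosen to illustrate the idea; the same loop generalises to any per-channel metric (connection counts, session duration) a team chooses to baseline.

```python
"""Baseline normal network flows per host, then flag irregular ones.

Added illustration for the 'monitoring and detection' recommendation.
All flow records below are constructed sample data, not real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: four days of daily per-channel byte totals for
# one workstation. Record shape: (day, source host, destination, dest port, bytes out)
BASELINE_FLOWS = [
    ("day1", "ws-017", "fileserver", 445, 120_000),
    ("day1", "ws-017", "mail-relay", 587, 4_000),
    ("day2", "ws-017", "fileserver", 445, 110_000),
    ("day2", "ws-017", "mail-relay", 587, 5_000),
    ("day3", "ws-017", "fileserver", 445, 130_000),
    ("day3", "ws-017", "mail-relay", 587, 4_500),
    ("day4", "ws-017", "fileserver", 445, 125_000),
    ("day4", "ws-017", "mail-relay", 587, 3_800),
]

# Constructed observation day: a large transfer to a known destination and a
# transfer to a destination/port this host has never used before.
OBSERVED_FLOWS = [
    ("day5", "ws-017", "fileserver", 445, 2_400_000),
    ("day5", "ws-017", "mail-relay", 587, 4_200),
    ("day5", "ws-017", "203.0.113.9", 443, 900_000),   # 203.0.113.9 is a documentation address
]


def build_baseline(flows):
    """Return {(src, dst, port): (mean_bytes, stddev_bytes)} from the training window."""
    per_channel = defaultdict(list)
    for _day, src, dst, port, nbytes in flows:
        per_channel[(src, dst, port)].append(nbytes)
    return {ch: (mean(v), pstdev(v)) for ch, v in per_channel.items()}


def find_irregularities(baseline, observed, z_threshold=3.0, min_floor=0.2):
    """Return a list of (channel, reason) for flows that fall outside the baseline.

    Two kinds of irregularity are reported:
      * a channel (host -> destination:port) with no history at all, and
      * a known channel whose volume exceeds mean + z_threshold * stddev.
    min_floor stops a channel with near-constant history from alerting on
    trivial changes: the stddev used is never below min_floor * mean.
    """
    alerts = []
    for _day, src, dst, port, nbytes in observed:
        channel = (src, dst, port)
        if channel not in baseline:
            alerts.append((channel, "no baseline: new destination/port for this host"))
            continue
        mu, sigma = baseline[channel]
        sigma = max(sigma, min_floor * mu)
        if nbytes > mu + z_threshold * sigma:
            alerts.append((channel, f"volume {nbytes} exceeds baseline mean {mu:.0f} "
                                    f"by more than {z_threshold} standard deviations"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for channel, reason in find_irregularities(baseline, OBSERVED_FLOWS):
        print(f"ALERT {channel}: {reason}")
```

Run as a script it prints two alerts: the file-server transfer that is roughly twenty times its usual daily volume, and the never-before-seen HTTPS destination; the ordinary mail-relay traffic stays silent. In practice the baseline window would be weeks rather than days, be rebuilt on a schedule, and exclude days already known to be incidents, otherwise the irregularity becomes part of "normal".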
User education and awareness: Realise the value of your staff as a line of defence through:
- regular staff awareness communications as the types of threats and impacts change over time, and
- regular staff education, training and testing (e.g. testing for response to phishing emails).
Protective security processes and procedures: Enhance your organisation’s data protection arrangements by:
- implementing formal controls for good cyber hygiene (e.g. the Australian Government's Essential Eight maturity model for mitigating cyber incidents), and
- engaging an independent external provider to conduct an annual review of your controls.
Incident response: Ensure you have adequate incident response plans in place by:
- mapping response plans to each priority risk and capturing these in a cyber response ‘playbook’ that is tested and committed to ‘muscle memory’, and
- having a robust plan for internal and external stakeholder communication, including for staff, shareholders, regulators and government agencies.
What's next for ASIC?
For our part, over the next 12–18 months, we will continue to:
- raise awareness of cyber risk across the financial markets sector
- assess and measure the level of cyber resilience in financial markets
- engage and collaborate with regulated firms
- have one-on-one conversations with firms that appear to be challenged
- review the progress made by firms against their target maturity levels.