Cyber resilience is a business issue
Published by the Stockbrokers Association of Australia in the Stockbrokers Monthly, March 2016.
Rapidly expanding connectivity, technological innovation and sophisticated online criminal networks make cyber security a critical issue for the financial services industry and the economy at large.
Let's be clear about this: cyber resilience is not a tech problem – it's a business issue – your business issue. It starts with the acceptance that at some point your business will be attacked, and safeguarding your business, clients and our markets from considerable loss can only be achieved through a sustained focus on cyber resilience preparedness. The development of cyber resilience among our regulated population is a strategic priority for ASIC.
We encourage financial services organisations to consider, discuss, and implement resilience practices to help build a collective defence against cyber threats in Australia’s financial markets.
We have recently undertaken an assessment of ASX/Chi-X and will shortly publish a report (Report 468).
In the report, we set out examples of emerging good practices identified as part of our assessment of ASX and Chi-X, and findings from wider engagement with financial organisations.
We highlight below three areas of good cyber resilience practice from the report that should be of interest to the stockbroking community:
1. Cybersecurity strategy and governance
The good practices we observed in relation to cybersecurity strategy and governance were characterised by board ownership, and responsive and agile governance models.
Cybersecurity governance should be aligned to other organisation-wide governance processes and procedures. This means that documented strategies, principles and procedures are in line with the overall governance framework.
In a rapidly changing cyber risk landscape, the policies and procedures of today are not necessarily valid tomorrow and effective cybersecurity governance must be agile. The governance of your cybersecurity should be informed by events and incidents, and respond to these in real time. This is not a policy to put on the annual review list.
2. Risk management
Effective cyber risk management requires a clear understanding of the biggest threats and risks to your organisation. What assets are most critical to your business? What information are hackers most likely to target? What technologies, third party suppliers and processes present the most risk?
Cyber risk management is complex, and as a result is increasingly becoming intelligence-led. It is not unusual for cyber risk strategies today to incorporate automation, technology and information sharing with industry peers, law enforcement and government agencies. Intelligence sharing between organisations within the financial services sector should also increase, and should occur on a non-competitive basis: a threat seen by one firm today is likely to be aimed at its peers tomorrow.
We observed some organisations taking the step of establishing specialist functional groups called a 'fusion centre' to monitor and address risks in real time.
3. Cyber awareness and training
As cybercrime increases in frequency and sophistication, it is clear that IT defences alone are no longer sufficient to protect a business from attack.
Effective cyber resilience requires a strong culture of risk awareness. It must be driven from the board and reflected in organisation-wide programs for staff education that include continual development and unannounced, randomised testing.
Through active vigilance and knowledge development, staff provide a critical line of defence against cyber-attacks by preventing incidents arising from forms of social engineering such as phishing attacks.
One good example of staff testing we observed was the distribution of a simulated phishing email, carrying a harmless test attachment or link in place of real malware, to a staff member or selected group in order to test their response. Any staff member who fails the test (for example, by opening the attachment or not reporting the email) can then be supported with further training and education.
More detailed information about emerging cyber resilience practices and recognising and managing cyber risk at board level is available in ASIC Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd.