Embedding cyber resilience within company culture
Published by the Australian Financial Markets Association in the Policy and Markets Brief, April 2016.
Cyber resilience is widely regarded as one of the most significant concerns for the financial services industry. In the Australian Securities & Investments Commission's (ASIC's) Corporate Plan 2015-2016 to 2017-2018, we identified cyber resilience as a key priority, signalling increased regulatory scrutiny of this issue. Already, our cyber risk taskforce (financial markets) is operational and proactively collaborating with industry, regulators and the Government.
Cyber security is fundamentally important to all organisations that hold confidential information. Moreover, it is critical to maintaining trust between an organisation and its customers. Industry research shows that over 60% of customers would stop using a company's products or services if a cyber-attack resulted in a known security breach. This would have a catastrophic impact on any business, even if the breach was temporary.
The dynamic nature of the cyber threat landscape means that a comprehensive and long-term commitment to cyber resilience must be embedded within organisations' culture. As we pointed out in Report 429: Cyber Resilience - Health Check (Report 429), the obligations on company directors and officers to discharge their duties with care and diligence extend to cyber security. However, many boards are still leaving it to their technology leaders to manage this threat.
Report 468: Cyber resilience assessment – ASX Group and Chi-X Australia Pty Ltd (Report 468) (a companion to Report 429), provides a point in time assessment of the ASX Group and Chi-X. In addition, it sets out the results of our assessment of the cyber resilience profile of a critically important segment of the financial market. Importantly, Report 468 lists a number of questions that we think board members should be asking their senior leadership teams. Examples include:
- Are cyber risks an integral part of the organisation’s risk management framework?
- How often is the cyber resilience program reviewed at the board level?
- Does the board need further expertise to understand the risk?
- What needs to occur in the event of a breach?
Asking these questions will engage the board in a richer dialogue about cyber resilience, and may help it compare its organisation's approach with leading cyber security practices in the financial industry. These practices cover a number of critical areas, including the need for:
- Strategy and governance – board engagement on cyber risk strategy and execution while maintaining a highly responsive approach to new threats or elevated threats against an agreed risk appetite
- Collaboration and information sharing – actively engaging with industry peers, government agencies and law enforcement to constantly scan for changes in the threat landscape
- Cyber awareness and training – ensuring that employees and contractors are kept informed about this issue, to enable them to be an effective line of defence against cyber attacks, such as social engineering
- Proactive measures and controls – implementing the Australian Signals Directorate's (ASD) 'top four' strategies to mitigate targeted cyber intrusions. These measures protect against a high percentage of cyber intrusions, and are reviewed annually by the ASD.
In time, we plan to extend the analysis undertaken in Report 468 beyond financial markets to other important segments of our regulated population.