ASIC cyber resilience survey shows improvements are needed around incident response management

Maria Nikolova

Incident response management remains a problematic area for large firms and SMEs in Australia’s financial markets, according to a new survey.

How secure is your brokerage against cyber attacks?

Although many Australian financial services firms have managed to markedly bolster their cyber resilience, much remains to be done in areas such as incident response, according to the results of a survey published today by the Australian Securities and Investments Commission (ASIC).

Over the past 24 months, 101 firms across the financial markets sector completed a self-assessment survey on their cyber resilience. Survey participants were made up of a cross-section of businesses in Australia’s financial markets, including stockbrokers, investment banks, market licensees, post-trade infrastructure providers and credit ratings agencies.

The Cyber resilience scale against which the survey participants assessed themselves included several categories:

  • Partial: Policies are non-existent or not formalised. Responses are ad hoc and sometimes reactive;
  • Risk-informed: Policies are rarely updated and are not followed consistently;
  • Repeatable: Policies are formally approved and regularly updated. Measures are in place to ensure they are followed;
  • Adaptive: Policies are continually evolving based on changes to cyber security.


ASIC notes that effective information risk management requires formal governance, policies and procedures. SMEs have found information risk management challenging, with almost half reporting that they are currently at ‘partial’ or ‘risk-informed’ maturity. On the other hand, user access management is the strongest area for SMEs, with 83% reporting current maturity as ‘repeatable’ or ‘adaptive’.

Monitoring and detection are problematic as 40% of SMEs reported shortcomings in these areas.

Significant improvements are needed around incident response management, ASIC notes, as more than 40% of firms are currently at ‘partial’ or ‘risk-informed’ maturity. The common theme is a lack of formalised processes. SMEs acknowledge the importance of this area and are targeting a 35% improvement, which would leave less than 10% as ‘partial’ or ‘risk-informed’.

Large firms

All large firms understand their regulatory cyber security obligations and have information and cyber security policies in place, which are communicated across the organisation and regularly reviewed and updated. The survey shows that 41% of firms indicated that a proper understanding of information flows across the organisation was a work in progress; however, 45% are still grappling with their understanding of externally managed systems and data. All firms indicated that these were priority areas for the next investment period.

User access control is well managed by large firms. For instance, user access to systems and data is permissions-based and physical access to assets is controlled.

Monitoring of unauthorised mobile software is still an issue despite efforts to reduce risks.

Data protection is enhanced, as there has been a shift in the way data protection technology is being applied. For example, there is growing use of data encryption for data that is stored and transmitted over networks. Of the total of large firms that took part in the survey, 62% indicated that they intend to improve their data protection arrangements in the next 12–18 months.

The problems with incident response management, however, are acute for large firms too. ASIC notes that substantial improvements are required around incident response management for these entities as well. More than 40% of large firms are currently at ‘partial’ or ‘risk-informed’ maturity.
