ASIC cyber resilience survey shows improvements are needed around incident response management

Maria Nikolova

Incident response management remains a problematic area for large firms and SMEs in Australia’s financial markets, according to a new survey.

How secure is your brokerage against cyber attacks?

Although many Australian financial services firms have managed to markedly bolster their cyber resilience, much remains to be done in areas such as incident response, according to the results of a survey published today by the Australian Securities and Investments Commission (ASIC).

Over the past 24 months, 101 firms across the financial markets sector completed a self-assessment survey on their cyber resilience. Survey participants were made up of a cross-section of businesses in Australia’s financial markets, including stockbrokers, investment banks, market licensees, post-trade infrastructure providers and credit ratings agencies.

The cyber resilience scale against which the survey participants assessed themselves included several categories:

  • Partial: Policies are non-existent or not formalised. Responses are ad hoc and sometimes reactive;
  • Risk-informed: Policies are rarely updated and are not followed consistently;
  • Repeatable: Policies are formally approved and regularly updated. Measures are in place to ensure they are followed;
  • Adaptive: Policies are continually evolving based on changes to cyber security.

SMEs

ASIC notes that effective information risk management requires formal governance, policies and procedures. SMEs have found information risk management challenging, with almost half reporting that they are currently at ‘partial’ or ‘risk-informed’ maturity. On the other hand, user access management is the strongest area for SMEs, with 83% reporting current maturity as ‘repeatable’ or ‘adaptive’.

Monitoring and detection are problematic as 40% of SMEs reported shortcomings in these areas.

Significant improvements are needed around incident response management, ASIC notes, as more than 40% of firms are currently at ‘partial’ or ‘risk-informed’ maturity. The common theme is a lack of formalised processes. SMEs acknowledge the importance of this area and are targeting a 35% improvement, which would leave less than 10% as ‘partial’ or ‘risk-informed’.

Large firms

All large firms understand their regulatory cyber security obligations and have information and cyber security policies in place, which are communicated across the organisation and regularly reviewed and updated. The survey shows that 41% of firms indicated that a proper understanding of information flows across the organisation was a work in progress; however, 45% are still grappling with their understanding of externally managed systems and data. All firms indicated that these were priority areas for the next investment period.

User access control is well managed by large firms. For instance, user access to systems and data is permissions-based and physical access to assets is controlled.

Monitoring of unauthorised mobile software is still an issue despite efforts to reduce risks.

Data protection is enhanced, as there has been a shift in the way data protection technology is being applied. For example, there is growing use of data encryption for data that is stored and transmitted over networks. Of the total of large firms that took part in the survey, 62% indicated that they intend to improve their data protection arrangements in the next 12–18 months.

The problems with incident response management, however, are acute for large firms too. ASIC notes that substantial improvements are required in this area for these entities as well. More than 40% of large firms are currently at ‘partial’ or ‘risk-informed’ maturity.
