The corporate watchdog said overly ambitious targets, a rise in cyber threats, and COVID-19 disruptions were to blame for the cyber resiliency shortfall.
Firms in Australia’s financial market have continued to be resilient against cyber threats, with improvement rates in cyber resiliency remaining steady, the Australian Securities and Investment Commission (ASIC) reported on Monday.
This finding was published in the corporate regulator’s latest report [PDF], which compiled trends from self-assessment surveys completed by financial markets firms. The report, titled Cyber resilience of firms in Australia’s financial markets: 2020–21, is an update to a similar cyber resilience report published by ASIC two years ago.
In both 2020 and 2021, ASIC asked participants to reassess their cyber resilience against the National Institute of Standards in Technology (NIST) Cybersecurity Framework. The NIST Framework allows firms to assess cyber resilience against five functions: Identify, protect, detect, respond, and recover, using a maturity scale of where they are now and where they intend to be in 12-18 months.
In the new report, ASIC identified that cyber resiliency among firms operating within Australia’s financial market increased by 1.4% overall, but this fell short of the 14.9% improvement targeted for the period. It was also lower than the 15% improvement that was achieved between 2017 and 2019.
ASIC attributed the shortfall to a combination of reasons including overly ambitious targets, a rise in the cyber threat environment, and disruptions caused by the COVID-19 pandemic, which resulted in organisations directing resources towards enabling secure remote working and ensuring products and services could be delivered to customers as supply chains were burdened with growing cyber activists.
Overall, 2021 saw improvements in the management of digital assets, business environment, staff awareness and training, and protective security controls.
“Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust,” ASIC commissioner Cathie Armour said.
The report said 90% of firms strengthened user and privileged access management, 88% of firms ensured users were trained and aware of cyber risks, and 86% had mature cyber incident response plans in place.
Other key findings from the report included the gap between large firms and small to medium-sized enterprises (SMEs) continued to close, with an overall improvement of 3.5%. In contrast, larger firms reported a slight drop in confidence of 2.2%, ASIC said.
“This comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of: Increased complexity of their business operating models [and] a significant increase in threats to critical products and services reliant on third parties and supply chains,” the corporate regulator said.
ASIC also highlighted the greatest gaps between larger firms and SMEs continued to be in supply chain risk management where 40% of SMEs indicated weak supply chain risk management practices, but a majority of firms identified that this would be an ongoing priority over the next period.
Investment in cyber resiliency by credit rating agencies increased during the period, ASIC said, triggered by the 2017 Equifax incident, while investment banks continued to set high targets for all NIST Framework categories.
The release of the reports follows ASIC recently putting forward a recommendation for market operators and participants to simulate outages and recovery strategies to improve resiliency. It was off the back of an investigation into the Australian Securities Exchange (ASX) software issues that arose when the refresh of its trade equity platform went live in November last year, causing the exchange to pause trade.