investor daily logo

ASIC announces cyber resilience survey

By Keith Ford
3 minute read

The corporate regulator has launched a survey to measure cyber resilience in Australia’s corporate and financial markets.

The Australian Securities and Investments Commission (ASIC) has called for responses to its cyber pulse survey, which it said will be one of the largest examinations of Australia’s cyber resilience ever conducted. It added the survey would measure entities’ current cyber security and controls, governance arrangements, and incident preparedness.

ASIC executive director, markets, Greg Yanco said: “Recent high-profile cyber attacks demonstrate the need for all businesses to have robust cyber capabilities. Cyber attacks are becoming more frequent and complex and are not limited to companies with large retail customer bases.

“Cyber attacks can disrupt an organisation’s business operations and result in financial, legal, and reputational harm. The interconnectedness of our financial system can mean the impact of cyber attacks can spread well beyond a single entity. This self-assessment will provide valuable insights to entities on their own cyber resilience measures compared to their industry peers.”

The regulator added participation in the survey is voluntary and all responses are anonymised, stressing it cannot be used in any regulatory or enforcement action.

ASIC also said it expects directors of public companies to “ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience”.

The survey has been designed with this in mind, ASIC said, aiming to help entities to assess their ability to govern and manage organisational-wide cyber risks, identify and protect information assets that support critical business services, and detect, respond to and recover from cyber security incidents.

ASIC will publish a report with key findings from the survey later this year and will provide sectoral insights, areas for action, and the better practices identified.

Respondents who choose to receive an individual report will get insights into their cyber resilience assessment compared with industry peers.

ASIC added the insights gained through the survey will “support the Department of Home Affairs to further target advice and assistance to the financial sector, support enhanced partnerships to continue the sector’s uplift in cyber security and resilience, and ensure compliance with regulatory requirements”.

The survey follows a string of high-profile cyber attacks over the last year, including the March breach of Latitude Financial.

“While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated,” the company said at the time.

“The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers.”

About 103,000 identification documents were stolen from one service provider, while approximately 225,000 customer records were stolen from another service provider.

ASIC, in conjunction with APRA, also recently urged superannuation trustee chief executives to consider establishing a cross industry forum to discuss trends and share learnings in relation to cyber risks and incidents.

According to the regulatory bodies, the super fund CEOs were aligned in their understanding that while privacy, commercial, and competition concerns remain vital, the establishment of a dedicated “safe space” for sharing experiences would prove immensely valuable.

“In our growing digital economy, the frequency, breadth and scale of cyber attacks is escalating rapidly. As a result of growing scam, fraud and cyber threats, it is crucial that all superannuation trustees have adequate measures in place now to prevent, detect, and respond to these threats,” ASIC and APRA reported.