ASIC has released Report 555: Cyber resilience of firms in Australia's financial markets, the result of interviews with 101 firms over the past 24 months about their approach to cyber security.
The report surveyed stockbrokers, investment banks, market licensees, post-trade infrastructure providers and credit ratings agencies. ASIC spoke to 29 large firms and 72 small and medium-sized enterprises (SMEs).
ASIC found that 74 per cent of organisations have "well-managed IT security processes and procedures", and 66 per cent of companies surveyed reported they have cyber incident response plans in place.
While large organisations tend to demonstrate a relatively high degree of cyber resilience, some SMEs are "just beginning to develop their cyber resilience", said ASIC.
Almost 40 per cent of financial services SMEs reported shortcomings in their monitoring and detection practices, said ASIC.
"However, they are targeting a 32 per cent improvement in the next 12-18 months, which would leave only 7 per cent with low maturity levels," said the report.
"While there is opportunity for improvement across the entire sector, this is particularly true for SMEs."
ASIC commissioner Cathie Armour said cyber resilience is widely regarded as "one of the most significant concerns for the financial markets sector and the economy at large".
"Given the central role financial markets firms play in our economy, the cyber resilience of our regulated population is a key focus for ASIC," Ms Armour said.
"While our report shows greater engagement by firms on the issue, there is disparity between firms and insufficient investment in cyber resilience measures."
Cyber resilience requires a "whole-of-organisation" response rather than a quick IT fix, she said.
"The dynamic nature of cyber threats requires a comprehensive and long-term commitment to cyber resilience by all organisations operating in the Australian economy," Ms Armour said.
