In 2017, ASIC surveyed the cyber resilience of firms operating in Australia’s financial markets, with participants providing answers to the National Institute of Standards in Technology (NIST) Cybersecurity Framework.
While awareness and management of cyber security risk were improving, there was still room for improvements.
But in 2019, Australian financial firms are now more cyber resilient than ever.
Firms assigned themselves ratings from “partial” (“policies and procedures are not formalised, responses are reactive”) to “adaptive” (“policies and procedures evolve in response to changes in cyber security threats”).
Large firms showed steady improvement from the last time the survey was conducted, with substantial progress in the areas of staff awareness and training.
“The two areas that showed the most improvement (16 per cent improvement on cycle 1) include awareness and training programs (77 per cent ‘repeatable’ or ‘adaptive’) and user access management (91 per cent ‘repeatable’ or ‘adaptive’),” the report reads.
“However, given the importance of employees as a line of defence against cyber security events, there is still room for improvement in user awareness and training.”
However, there were some pitfalls.
“Due to the complexity of large firms and the breadth of services they offer, asset management (20 per cent ‘partial’ or ‘risk informed’) and supply chain risk management (22 per cent ‘partial’ or ‘risk informed’) have been identified as areas of improvement,” the report reads.
But the cyber resilience of Australian firms has still increased 15 per cent between the first and second surveys.
“Organisations are alert to cyber security threats to their business and have focused their resources and efforts on improving their cyber security governance, risk management, and response and recovery capabilities,” the report reads.