Financial cyber resilience improving: ASIC

But in 2019, Australian financial firms are now more cyber resilient than ever. 

Firms assigned themselves ratings from “partial” (“policies and procedures are not formalised, responses are reactive”) to “adaptive” (“policies and procedures evolve in response to changes in cyber security threats”). 

Large firms showed steady improvement from the last time the survey was conducted, with substantial progress in the areas of staff awareness and training. 

“The two areas that showed the most improvement (16 per cent improvement on cycle 1) include awareness and training programs (77 per cent ‘repeatable’ or ‘adaptive’) and user access management (91 per cent ‘repeatable’ or ‘adaptive’),” the report read.

“However, given the importance of employees as a line of defence against cyber security events, there is still room for improvement in user awareness and training.”

However, there were some pitfalls. 

“Due to the complexity of large firms and the breadth of services they offer, asset management (20 per cent ‘partial’ or ‘risk informed’) and supply chain risk management (22 per cent ‘partial’ or ‘risk informed’) have been identified as areas of improvement,” the report stated. 

But the cyber resilience of Australian firms has still increased 15 per cent between the first and second surveys. 

“Organisations are alert to cyber security threats to their business and have focused their resources and efforts on improving their cyber security governance, risk management, and response and recovery capabilities,” the report read.

[Related: ASIC approves banking code changes]