The Regulator: Staying Safe in Cyberspace

Tuesday, 27 February 2018

Cathie Armour
Commissioner, Australian Securities & Investment Commission

    Australian directors are making encouraging progress on cyber resilience, but there is much more to do, writes ASIC Commissioner Cathie Armour.

    The increasing incidence, complexity and reach of cybercrime can destroy an organisation’s value overnight. To protect themselves from the risks of cybercrime, directors have been considering the cyber resilience of their organisations. The results of ASIC’s recent assessment of cyber resilience in the financial markets sector provide useful insights into how directors can further improve their cyber security.

    Over the past 24 months, 101 firms across the financial markets sector completed an assessment of their cyber security maturity for ASIC (Cyber resilience of firms in Australia’s financial markets). Firms assessed themselves against six categories, using a maturity scale of where they are now and where they intend to be in 12 to 18 months’ time. Some were also subject to an independent ASIC assessment. The results of these assessments show that while firms are getting better at managing cyber risk, there’s still more to do.

    Industry has recognised that cyber security is a significant issue and that investment in cyber security is a priority. Firms are prioritising investment in cyber security based on their individual assessments of cyber risk. Over the next 12 to 18 months, we expect a significant increase in cyber-security maturity across the financial markets sector.

    Our findings indicate that large firms with access to specialist skills and resources have a relatively high degree of cyber-security maturity compared to small and medium firms. However, there is opportunity for improvement across the entire sector.

    Areas for improvement

    1. Information risk management

      Make sure your organisation has adequate information security policies and procedures by:

      • implementing a risk strategy to gauge potential impact and consequences of a cyber attack on your business
      • identifying and prioritising the cyber risk management of data assets critical to your business
      • staying on top of externally managed systems and data, and ensuring third parties fully understand their cyber-security role as part of your supply chain.

    2. User access management

      Make sure that access to systems and data is adequately controlled by:

      • applying the principle of “least privilege” — users should be given the least amount of access necessary to perform their business role — for access to systems and data
      • ensuring changes to access privileges are formally reviewed and approved by authorised personnel when user roles change.

    3. User education and awareness

      Realise the value of your staff as a line of defence through regular:

      • staff awareness communications as the types of threats and impacts change over time
      • staff education, training and testing — for example, testing for response to phishing emails.

    4. Protective security processes and procedures

      Enhance your organisation’s data-protection arrangements by:

      • implementing formal controls for good cyber hygiene, for example the Australian Defence Department’s Essential Eight maturity model
      • engaging an independent external provider to conduct an annual review of your controls.

    5. Monitoring and detection

      Improve monitoring and detection of cyber risks by:

      • monitoring unauthorised access to data across all types of devices, including mobile
      • understanding and establishing baselines for expected information flows over networks to identify irregularities.

    6. Incident response

      Ensure you have adequate incident response plans in place by:

      • mapping response plans to each priority risk and capturing these in a cyber response “playbook” tested and committed to “muscle memory”
      • implementing plans for internal and external stakeholder communication, including staff, shareholders, regulators and government agencies.
