Financial firms were overly optimistic on cyber resilience
Working-from-home arrangements generated by COVID-19 have created challenges for the cyber resilience of Australian financial firms which, in any case, appeared to be overly optimistic about their preparedness, according to a new report from the Australian Securities and Investments Commission (ASIC).
The report, released this week, found that the overall cyber resilience of firms operating in Australia’s financial markets had remained steady, but fell short of what had been targeted.
“The overall cyber resilience of firms operating in Australia’s financial markets has remained steady, with a slight improvement of 1.4% overall,” the report said. “However, this falls short of the 14.9% improvement targeted by respondents for the period, and is also lower than the 15% improvement achieved between cycle 1 and cycle 2.
“This shortfall can be attributed to:
› overly ambitious targets
› escalation in the threat environment
› reprioritisation due to the pandemic.”
The ASIC report said that small and medium-sized firms were continuing to close the gap on larger firms with an overall improvement of 3.5% while, in contrast, larger firms reported a slight drop in confidence of 2.2%.
“However, this comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of:
› increased complexity of their business operating models
› a significant increase in threats to critical products and services reliant on third parties and supply chains.
“The greatest gaps between large firms and SMEs are in supply chain risk management, cyber intrusion monitoring and detection, and recovery planning. Concerningly, we see no material improvements in supply chain risk management between cycle 2 and cycle 3, and the majority of firms identified this as an ongoing priority over the next period.
“Cycle 3 saw credit rating agencies investing heavily in cyber resilience, triggered by the 2017 Equifax incident. While investment banks continue to set high targets for all NIST Framework categories.”