ASIC has released its first assessment report on the cyber resilience of ASX and Chi-X. In addition, we have taken this opportunity to highlight emerging good practices being implemented by a wider sample of organisations within the financial sector.
The report concludes that ASX and Chi-X have, up to this point in time, met their statutory obligations to have sufficient resources for the management of cyber resilience.
Cyber resilience is now widely regarded as one of the most significant concerns for the financial services industry and the economy at large. The cyber resilience of our regulated population is, therefore, a key focus for ASIC. Given the central role that financial market infrastructure providers play in our economy, their cyber resilience is of particular importance.
ASIC Commissioner Cathie Armour said ‘because of the dynamic nature of the cyber threat landscape, a comprehensive and long-term commitment to cyber resilience is essential to assist all organisations and the Australian economy to manage this threat’.
ASIC encourages all financial services providers to consider and discuss the information in this report as they develop or enhance their cyber resilience frameworks. We also strongly encourage organisations to share threat intelligence and collaborate with industry peers to improve cyber resilience practices across the financial services industry.
To assist, ASIC has included in this report aggregated data from self-assessments undertaken by a sample of other important financial organisations. This provides a point-in-time snapshot of the current state of cyber resilience of this wider group. In general, we identified some consistent and encouraging practices in the organisations we assessed; however, a consistent industry-wide approach is required to address developing cyber threats. We will continue to work with government and other regulators to support industry to achieve this.
The report calls on the wider financial services sector to recognise the growing threat to cyber security, and to refine systems and processes to prevent and address critical issues.
Key areas identified in the report for organisations to focus on include comprehensive and ongoing board engagement and responsive governance practices that are clearly aligned with an organisation's wider strategy.
The report calls for senior management of organisations to closely manage cyber risk from both internal and third-party sources, establish robust collaboration and information-sharing networks to access the best defensive intelligence and technology, and implement thorough cyber awareness training programs.
Background
In March 2015, ASIC released Report 429 Cyber resilience: Health check (REP 429) to highlight the escalating threat of cyber incidents against financial services providers in Australia, and to increase awareness of cyber security.
Under the Corporations Act 2001, ASIC may assess how well a licensed financial market infrastructure provider is complying with any or all of its obligations. Whereas this previously involved an annual assessment of a wide set of prescribed obligations, ASIC can now more effectively target specific high-risk areas such as cyber security, reducing unnecessary regulatory burden on the financial market infrastructure providers being assessed.
In carrying out the assessments, ASIC applied the US National Institute of Standards and Technology Cybersecurity Framework for Critical Infrastructure.