Australia’s corporate regulator has warned about the use and management of third-party cyber security providers in the financial markets.
According to the Australian Securities and Investments Commission (ASIC), the practice of outsourcing cyber security to third-party vendors and partners has inadvertently led to a heightened threat risk to both large and small enterprises.
The regulator claimed that supply chain risk management has become a significant challenge, especially for small-to-medium enterprises, with half remaining either partially or fully risk-informed.
In the report, Cyber resilience of firms in Australia’s financial markets, ASIC said SMEs were driving improvements to cyber resilience but that outsourcing had “created difficulties” in managing cyber risks.
Although improvements in supply chain management are expected to be a focus over the next 18 to 24 months, progress is expected to be gradual.
Meanwhile, larger organisations have identified supply chain management as an area for improvement, given the complexity and breadth of the services they offer.
“Overall, robust procedures are in place,” ASIC’s report said. “Third parties are prioritised by the risk they pose to the business, and this is reflected in the frequency they are assessed.”
However, upon external examination by credit rating agencies, ASIC indicated, there was still no formal approach to third-party risk assessment.
The report is a follow-up to ASIC’s 2017 cyber resilience study, in which 101 firms across the financial markets sector completed a self-assessment survey on their cyber resilience.
Since then, according to ASIC, there has been an overall improvement, with an average increase of 15 per cent across all cyber resilience functions, which include training and protective processes.