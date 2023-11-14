Credit: Photo 131794642 / Asic © Ricky Kresslein | Dreamstime.com

More than half of Australian Securities and Investments Commission (ASIC)-regulated organisations (58 per cent) have limited to no capability to digitally protect confidential information, according to a new report.

ASIC’s Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 report surveyed 697 participants and found a severe lack of cyber security protections in businesses across a range of financial-related industries. For channel partners, the findings point to a broad opportunity to offer these organisations critical security services.

Participants came from the deposit-taking, payments and credit; investment management; superannuation; market infrastructure; market intermediaries; and insurance sectors.

Additionally, 44 per cent don’t manage third-party or supply chain risks at all, 69 per cent said they had minimal to no capability to manage these risks, and 58 per cent don’t test cyber security incident responses with critical suppliers.

“For all organisations, cyber security and cyber resilience must be a top priority,” said ASIC Chair Joe Longo. “ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44 per cent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.”

Nearly one in three participants also do not perform vulnerability scans of their assets, and a “substantial proportion” showed limited capability in monitoring for unauthorised connections, devices and software, baselining normal network activity, performing vulnerability scans and patching information assets.

Of those that suffered cyber security incidents, nearly one in five admitted to not investigating them when they occurred, and 13 per cent did not try to establish the root cause of an incident. A large portion of businesses also admitted they aren’t proactive when it comes to cyber security response plans, with 33 per cent not having a plan and 35 per cent not testing the plan they have.

While 52 per cent of participants said they had strong capabilities in post-incident recovery planning, one in three said they have no strategy for dealing with the repercussions of an incident.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cyber security risks,” Longo added.

The financial services regulator has scrutinised security before. In June it released a report finding that CHESS, the clearing, settlement and registry system behind the Australian Securities Exchange (ASX), will not be able to deliver the scalability and flexibility available from more modern architecture and design, even though the exchange intends to support the current system until 2032.