ASIC reveals how Australian firms are coping with cyber threats

ASIC reveals how Australian firms are coping with cyber threats | Insurance Business Australia

Despite more frequent cyberattacks since the beginning of the COVID-19 pandemic, firms in Australia have remained resilient against cyber threats, according to the latest Australian Securities and Investments Commission (ASIC) report.

In October 2021, specialty insurer Allianz Global Corporate & Specialty (AGCS) warned of a “digital pandemic” driven by ransomware, pointing in particular to a growing number of different attack patterns, a criminal business model built around “ransomware as a service” and cryptocurrencies, skyrocketing ransom demands, and a rise in supply chain attacks. During the same month, the 2021 Thales Global Cloud Security Study found a rise in cyberattacks targeting cloud data.

However, ASIC’s latest Report 716: Cyber resilience of firms in Australia’s financial markets: 2020–21 (REP 716) claimed that firms operating in the Australian market have remained resilient against a rapidly changing cyber threat environment.

“The COVID-19 pandemic has increased opportunities for threat actors to target remote workers and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust,” said ASIC Commissioner Cathie Armour.

The report also found that:

  • The gap between large firms and small-to-medium enterprises (SMEs) continues to close;
  • The cyber resilience of many SMEs has improved;
  • The confidence of larger firms in their cyber resilience has fallen slightly because of increased complexity in their business operating models and heavy reliance on supply chain partners; and
  • The level of cyber resilience for supply chain risks has remained relatively static since cycle 2 despite the increasing number of cyber threat actors, sources, and types targeting firms, third parties, and supply chains.

Although the report found a small, but steady, improvement in the cyber resilience of firms operating in the Australian financial markets, it explained that the 1.4% increase fell far short of the 14.9% improvement targeted for the period.

Organisations identified supply chain risk management as their main priority in the future. Still, ASIC calls on all firms to consider applying the good practices identified in the report for managing these risks because failing to invest in supply chain risk management could lead to significant consumer harm that might warrant ASIC investigation and action. It also encourages all financial markets firms to consider and discuss the information in the report as they develop or enhance their cyber resilience frameworks.

ASIC has committed to further monitoring, assessing, and measuring firms’ improvements by:

  • Engaging and collaborating with regulated firms, other regulators, and the government;
  • Raising awareness of cyber risks in the financial markets sector and highlighting good practices and areas for improvement;
  • Assessing the cyber resilience of regulated firms and measuring their progress against their target; and
  • Engaging with firms that are failing to improve their cyber resilience.