Awareness and management of cybersecurity risk is improving in Australia's financial market, said the Australian Securities and Investments Commission (ASIC), but there is still room for improvement across the entire sector.
The remarks were made in a new report [PDF] from the corporate regulator that compiles trends from self-assessment surveys completed by financial markets firms.
Report 651 from ASIC, Cyber resilience of firms in Australia's financial markets: 2018–19, is an update to 2017's Report 555, Cyber resilience of firms in Australia's financial markets.
In both 2017 and 2018, ASIC asked participants to assess their cyber resilience against the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The NIST Framework allows firms to assess cyber resilience against five functions: Identify, Protect, Detect, Respond, and Recover, using a maturity scale of where they are now and where they intend to be in 12–18 months.
"The cyber resilience of firms operating in Australia's markets has improved since Report 555, with an average increase of 15% across all cyber resilience functions between cycle one and two," ASIC wrote.
"Organisations are alert to cybersecurity threats to their business and have focused their resources and efforts on improving their cybersecurity governance, risk management, and response and recovery capabilities."
ASIC said that while the cyber resilience of firms has improved, many have found it challenging to meet the targets they set in cycle one, attributing this to setting overly ambitious targets, a continually changing threat environment, limited organisational capability, and limited access to specialised skills and resources.
The report said cybersecurity governance, risk strategies, and management "trended up" in large firms, with 90% flagged as repeatable or adaptive.
Asset management and supply chain risk management have been isolated as areas of improvement by many large firms.
ASIC said user access management is "tightly managed", with 91% of firms indicating a repeatable or adaptive rating. Large firms are also extending the limits of their monitoring and detection capabilities, ASIC said, with 60% flagged as repeatable and 20–25% as adaptive.
"Many have invested in security operation centres that have skilled teams proactively monitoring threats against their organisations," ASIC added.
The corporate watchdog said it can see considerable improvements to response planning and mitigation action planning, as well as improvements to ensure events, when they occur, are "contained, do not propagate, and are neutralised as quickly as possible".
Meanwhile, the report said small to medium-sized enterprises (SMEs) have made good progress since cycle one, but further improvement is required. 80% of SMEs assessed themselves as repeatable or better in cybersecurity risk governance.
ASIC said SMEs have driven significant improvement in detection capabilities, with continuous monitoring experiencing a 25% improvement.
Over 80% of SMEs now report their cybersecurity maturity as repeatable or adaptive, which ASIC said was a "big improvement" on cycle one.