A new ASIC report places the overall responsibility for cyber resilience firmly on the board of directors.
Australia’s major financial market infrastructure providers have “sufficient resources” for managing cyber resilience, according to ASIC's new report, "Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd". While that is good news for those organisations, of broader interest is the emphasis that ASIC places on the responsibility for cyber resilience as an issue for an organisation's board of directors.
What is the report's purpose?
The purpose of the report is to:
- assess the extent to which the ASX Group and Chi-X have the resources to properly manage their cyber resilience;
- provide examples of good cyber resilience practices in the financial services industry; and
- encourage organisations to collaborate and share threats and good practices to increase cyber resilience across the entire financial system.
Assessment of ASX Group and Chi-X
The report represents ASIC’s first formal assessment of cyber resilience. It concludes that, up until now, the ASX Group and Chi-X have met their statutory obligations to have “sufficient resources” for the management of cyber resilience.
In reaching this conclusion, ASIC’s report used aggregated data from self-assessments undertaken against the NIST Cybersecurity Framework by ASX Group, Chi-X and a wider group of organisations in the financial services sector.
What works in boosting cyber resilience
ASIC identified the following practices as the most resilient or "adaptive" across the organisations:
- established information security policies are periodically reviewed and updated;
- cybersecurity roles are defined, communicated and understood at the senior management level;
- legal and compliance obligations are understood and managed;
- response and recovery plans are managed, communicated and tested on a periodic basis; and
- cyber events are communicated within the organisation to ensure ongoing awareness of threats.
…and what hinders it
Challenges across the organisations included:
- establishing a baseline for data flows across the organisation's networks so that potential cyber threats can be detected; and
- managing software on mobile devices to prevent the installation of malicious code.
How can organisations adopt cyber resilience good practices?
The ASIC report encourages all organisations to recognise the growing cyber security threat and to improve their cyber resilience preparedness. In particular, it encourages them to take up a number of cyber resilience good practices, including:
- ongoing board engagement with cyber strategy and board ownership of cyber resilience;
- governance practices that are responsive to a rapidly changing cyber risk environment;
- cyber risk management driven by routine threat assessments of both internal and third party sources such as cloud-based service providers;
- collaboration and information sharing with other financial institutions, security agencies and law enforcement; and
- creating an organisational culture of cyber awareness through training programs.
ASIC Cyber Guidance on the way
ASIC is also looking at issuing guidance on cyber resilience, which would include these key concepts:
- the attention of the board and senior management is critical to a successful cyber resilience strategy;
- the ability to resume operations quickly and safely after malicious cyber activities is paramount;
- providers should make use of good-quality threat intelligence and rigorous testing;
- cyber resilience requires a process of continuous improvement; and
- cyber resilience cannot be achieved by a financial market provider alone; it is a collective effort of the whole ecosystem.
ASIC expects that the Cyber Guidance will be finalised in the second half of 2016.
Key questions for an organisation's board of directors
The ASIC report emphasises that managing cyber risk is a crucial part of the role of an organisation's board of directors and senior management. ASIC encourages board members to address the following key questions when reviewing their risk management frameworks:
- Are cyber risks an integral part of the organisation's risk management framework?
- How often is the cyber resilience program reviewed at the board level?
- What risk is posed by cyber threats to the organisation's business?
- Does the board need further expertise to understand the risk?
- How can cyber risk be monitored and what escalation triggers should be adopted?
- What is the people strategy around cybersecurity?
- What is in place to protect critical information assets?
- What needs to occur in the event of a breach?
Continuous improvement and board involvement needed to maintain cyber resilience - along with a good insurance policy
Although the overall results of the self-assessments indicated a high level of cyber resilience within the organisations, the report cautions that the weakest link is often the real measure of an organisation or industry’s cyber resilience. For this reason, ASIC suggests that organisations ensure good practices are in place for assessing cyber risk and driving continuous improvement.
The report reflects ASIC’s increasing interest in monitoring the cyber resilience of organisations in Australia’s financial sector, given their central role in the Australian economy. ASIC also notes that the cyber resilience of its “regulated population” more broadly will be a key focus moving forward.
ASIC expects that an organisation’s cyber resilience framework must continuously evolve to cope with the dynamic nature of cyber threats. A long-term and comprehensive commitment to cyber resilience is therefore essential.
Of particular interest is the emphasis that ASIC places on the responsibility for cyber resilience as an issue for an organisation's board of directors. Exposure to cyber risks appears to be increasing, which presents a growing risk of potential liability for directors and officers, who will need to carefully consider this risk to their organisation when discharging their duties. Sound risk management is essential, including through the use of insurance where appropriate (both D&O and cyber risk insurance policies).