ASIC has recently released Report 555 Cyber resilience of firms in Australia’s financial markets.  The report outlines the findings from the self-assessment survey of over 100 Australian financial firms in the past two years.  ASIC’s report identifies the trends of small-medium enterprises (SMEs) and large firms distinctively, with findings set out in the table below.  The report found that while firms are getting better at managing cyber risks, there is still some progress to be made. 

In producing the report, ASIC used certain survey terms to test the probity of cyber security policies.  These terms included ‘partial’ (when policies are non-existent or not formalised), ‘risk-informed’ (when policies are rarely updated and are not consistently followed), ‘repeatable’ (when policies are regularly updated and with compliance measures in place) and ‘adaptive’ (when policies are consistently evolving with the market). 

ASIC noted that while the report showed greater engagement by firms on cyber resilience, there was both a disparity between firms and insufficient investment in cyber resilience measures.  The report follows ASIC’s earlier Report 429: Cyber Resilience – Health Check, which outlined suggested ‘health check prompts’ for companies.