ASIC Viewpoint: Cyber resilience in Australia's financial markets

Published by the Australian Financial Markets Association in AFMA Member News, November 2017.

Cyber resilience is vital to all organisations operating in the digital economy, and nowhere is this more important than the financial markets sector, where the trust between an organisation and its clients is essential.

The increasing incidence, complexity and reach of cyber crime can destroy your organisation's value overnight, dragging your share price and reputation down with it. Cyber crime that affects financial services can also destabilise markets by eroding investor trust and confidence in Australia's financial system.

Over the past 24 months, 101 firms across the financial markets sector completed an assessment of their cyber resilience. Firms assessed themselves against six cyber resilience categories using a maturity scale of where they are now and where they intend to be in 12–18 months' time. Some firms were also subject to an independent ASIC assessment.

The results of these surveys show that while firms are getting better at managing cyber risk, there's still more to do.

Encouraging progress

Industry has recognised that cyber security is a significant issue and that investment in cyber security is a priority.

Firms are prioritising investment in cyber security based on their individual assessments of cyber risk. Over the next 12–18 months we are expecting to see a significant increase in cyber security maturity across the financial markets sector.

Our findings indicate that large firms with access to specialist skills and resources have a relatively high degree of cyber security maturity compared to small and medium firms.

However, there is opportunity for improvement across the entire sector.

Areas for improvement

Several common areas of improvement were identified:

Information risk management: To make sure your organisation has adequate information security policies and procedures, you should:

  • implement a risk strategy that can gauge the potential impact and consequences of a cyber attack on your business
  • identify and prioritise the cyber risk management of data assets that are critical to your business, and
  • stay on top of externally managed systems and data, and ensure your third parties fully understand their cyber security role as part of your organisation's supply chain.

User access management: Make sure that access to systems and data is adequately controlled by:

  • applying the principle of 'least privilege' (i.e. users should be given the least amount of access necessary to perform their business role) for access to systems and data, and
  • ensuring changes to access privileges are formally reviewed and approved by authorised personnel when user roles change.
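One way to make the two access-management points above mechanical, as an added example (not code from the ASIC article or from any firm it assessed): a role-to-entitlement matrix records what each business role legitimately needs; when a user changes role, everything they hold beyond the new role's entitlements is flagged for revocation and anything missing is flagged for provisioning, and no change is applied without a recorded approver. The role names, entitlement strings and user data are constructed for illustration.

```python
"""Least-privilege access review on role change (added example, not the
ASIC article's own code).  Role names and entitlements are hypothetical."""
from dataclasses import dataclass, field

# Constructed role matrix: role -> the entitlements that role needs to do its job.
ROLE_ENTITLEMENTS = {
    "equities_trader": {"oms.trade", "oms.view", "market_data.read"},
    "trade_support":   {"oms.view", "settlement.read", "settlement.amend"},
    "settlements":     {"settlement.read", "settlement.amend", "settlement.release"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


@dataclass
class ReviewResult:
    revoke: set   # held by the user but not needed by the target role
    grant: set    # needed by the target role but not held

    def needs_action(self) -> bool:
        return bool(self.revoke or self.grant)


def review_access(user: User, new_role: str, matrix=ROLE_ENTITLEMENTS) -> ReviewResult:
    """Compute what must change for `user` to hold exactly `new_role`'s entitlements."""
    if new_role not in matrix:
        raise ValueError(f"unknown role: {new_role}")
    required = matrix[new_role]
    return ReviewResult(revoke=user.entitlements - required,
                        grant=required - user.entitlements)


def apply_role_change(user: User, new_role: str, approver: str,
                      matrix=ROLE_ENTITLEMENTS) -> ReviewResult:
    """Apply the reviewed change only when an approver is recorded.

    Revocations are applied first so a user never ends up with the union of
    the old and new roles, which is the usual source of privilege creep.
    """
    if not approver:
        raise PermissionError("access change requires a recorded approver")
    result = review_access(user, new_role, matrix)
    user.entitlements = (user.entitlements - result.revoke) | result.grant
    user.role = new_role
    return result


def find_privilege_creep(users, matrix=ROLE_ENTITLEMENTS) -> dict:
    """Periodic review: every entitlement a user holds beyond their current role."""
    creep = {}
    for u in users:
        excess = u.entitlements - matrix.get(u.role, set())
        if excess:
            creep[u.name] = excess
    return creep


if __name__ == "__main__":
    alice = User("alice", "equities_trader", set(ROLE_ENTITLEMENTS["equities_trader"]))
    change = apply_role_change(alice, "trade_support", approver="access-admin")
    print("revoke:", sorted(change.revoke), "grant:", sorted(change.grant))
    bob = User("bob", "settlements", ROLE_ENTITLEMENTS["settlements"] | {"oms.trade"})
    print("creep:", find_privilege_creep([alice, bob]))
```

The periodic `find_privilege_creep` pass is the control that catches moves which bypassed the formal review: it compares what people actually hold against the matrix, not against what was approved.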

Monitoring and detection: Improve monitoring and detection of cyber risks by:

  • monitoring unauthorised access to data across all types of devices, including mobile, and
  • understanding and establishing baselines for expected information flows over networks to identify any irregularities.
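The second bullet above describes baselining expected information flows and alerting on deviations. The following is an added example of that check (not code from the ASIC article): a per-host, per-destination baseline of daily outbound bytes is built from historical flow summaries, and new flows are flagged either when a host talks to a destination it has never used or when volume exceeds the baseline mean by more than k standard deviations. All hostnames, destinations and byte counts are constructed.

```python
"""Baseline-and-deviation check over network flow summaries (added example,
not the ASIC article's own code).  Hosts, destinations and volumes are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history of daily outbound bytes: (day, src_host, dst, bytes_out).
HISTORY = (
    [(d, "trader-ws-01", "oms.internal:443", 2_000_000 + 50_000 * (d % 3)) for d in range(1, 15)]
    + [(d, "trader-ws-01", "marketdata.vendor.example:443", 40_000_000 + 1_000_000 * (d % 4))
       for d in range(1, 15)]
    + [(d, "trader-ws-01", "mail.internal:587", 300_000 + 20_000 * (d % 5)) for d in range(1, 15)]
)


def build_baseline(history):
    """Return {src: {dst: (mean_bytes, stdev_bytes)}} from daily flow summaries."""
    samples = defaultdict(lambda: defaultdict(list))
    for _day, src, dst, nbytes in history:
        samples[src][dst].append(nbytes)
    return {src: {dst: (mean(v), pstdev(v)) for dst, v in dsts.items()}
            for src, dsts in samples.items()}


def check_flows(flows, baseline, k=3.0, min_stdev_ratio=0.05):
    """Flag flows to unseen destinations or with volume above mean + k*stdev.

    `flows` is an iterable of (src_host, dst, bytes_out) for the period under
    review.  The standard deviation is floored at a fraction of the mean so a
    perfectly regular history does not turn every small change into an alert.
    """
    alerts = []
    for src, dst, nbytes in flows:
        known = baseline.get(src)
        if known is None:
            alerts.append((src, dst, "unknown host"))
            continue
        if dst not in known:
            alerts.append((src, dst, "new destination"))
            continue
        mu, sigma = known[dst]
        sigma = max(sigma, min_stdev_ratio * mu)
        if nbytes > mu + k * sigma:
            alerts.append((src, dst, f"volume {nbytes} exceeds {mu:.0f} + {k}*{sigma:.0f}"))
    return alerts


# Constructed flows for the day under review: one normal, one to a never-seen
# destination, one to a known destination at roughly 25x its usual volume.
TODAY = [
    ("trader-ws-01", "oms.internal:443", 2_050_000),
    ("trader-ws-01", "files.unknown-cloud.example:443", 500_000_000),
    ("trader-ws-01", "mail.internal:587", 9_000_000),
]

if __name__ == "__main__":
    for alert in check_flows(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The "new destination" rule fires on the first byte, independent of volume; the volume rule is what catches exfiltration over an already-trusted channel such as the mail relay. Both depend on the baseline being built from a period you are confident was clean.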

User education and awareness: Realise the value of your staff as a line of defence through:

  • regular staff awareness communications as the types of threats and impacts change over time, and
  • regular staff education, training and testing (e.g. testing for response to phishing emails).

Protective security processes and procedures: Enhance your organisation's data protection arrangements by:

  • implementing formal controls for good cyber hygiene (e.g. the Australian Government's published guidance for mitigating cyber incidents), and
  • engaging an independent external provider to conduct an annual review of your controls.

Incident response: Ensure you have adequate incident response plans in place by:

  • mapping response plans to each priority risk and capturing these in a cyber response 'playbook' that is tested and committed to 'muscle memory', and
  • having a robust plan for internal and external stakeholder communication, including for staff, shareholders, regulators and government agencies.

What's next for ASIC?

For our part, over the next 12–18 months, we will continue to:

  • raise awareness of cyber risk across the financial markets sector
  • assess and measure the level of cyber resilience in financial markets
  • engage and collaborate with regulated firms
  • have one-on-one conversations with firms that appear to be challenged
  • review the progress made by firms against their target maturity levels.
