David Braue
Editor at Large

Australian financial-services companies fall short of cybersecurity goals

News Analysis
Feb 08, 2022
4 mins
Cyberattacks, Financial Services Industry, Incident Response

Companies continue targeting supply-chain risk after two years of little improvement in achieving resilience to attacks.


Cybersecurity practices in Australia’s financial sector have improved marginally but are still falling far short of expectations, according to the latest in a series of ASIC audits that is tracking the maturity of cybersecurity controls in the critical industry sector.

Many companies had “overly ambitious targets” for improving their cybersecurity posture when ASIC conducted its last audit, the organisation concluded in its “Cyber Resilience of Firms in Australia’s Financial Markets: 2020-21” review, noting that the overall 1.4% improvement in reported cybersecurity resilience was well short of the 14.9% target those organisations had set for themselves in the previous review.

The national financial regulator also flagged the impact of an overall escalation in the threat environment during 2021, as well as the “reprioritisation” caused by the ongoing COVID-19 pandemic that had “caused firms to reassess priorities and divert resources to firm up the resilience of critical business activity” around secure remote working and supply-chain risks.

Interestingly, small and medium-sized businesses reported an overall 3.5% improvement in their cybersecurity resilience, leading ASIC to conclude that they are “continuing to close the gap on larger firms”, which actually saw confidence drop by 2.2%.

Participants reported overall improvements in areas including the management of digital assets, business environment, staff awareness and training, and protective security controls—with 90% reporting stronger user and privileged access management, and 86% saying they have a mature cybersecurity incident response plan in place.

Supply-chain risk management continues to struggle

But there were still some persisting vulnerabilities, with 40% of small businesses suggesting they were struggling to enforce strong supply-chain risk management practices. One respondent noted that suppliers are still not contractually obligated to meet information-security objectives, while another reported that they were not conducting any security testing of suppliers—and that “due to size and complexity of the business there are no plans to perform at present.”

Such shortcomings persist despite ongoing attempts to educate companies in every market about the importance of taking a more consistent approach to cybersecurity across key supply chains, a gap that continues to expose many companies to compromise, even those that are aware of the risks.

“Concerningly, we see no material improvements in supply-chain risk management between [2019] and [2021],” ASIC noted, “and the majority of firms identified this as an ongoing priority over the next period.”

Tracking cybersecurity resilience maturity

The exposure of Australia’s financial services firms to cybercriminal attacks has been an ongoing concern, with the industry added to the government’s list of critical-infrastructure sectors and the Reserve Bank of Australia recently warning that it was “inevitable” that an Australian bank would be hit with a potentially destabilising cyberattack.

This increased risk was a key finding in a recently released threat report from security firm Trellix, which noted that financial-sector firms were the targets of 22% of ransomware and 37% of observed advanced persistent threat (APT) attacks—the most-targeted sector, followed by utilities, retail, and government.

The number of publicly reported financial-sector cybersecurity incidents increased by 21% in the third quarter of 2021 compared to the previous quarter, Trellix observed. Within the context of this surging threat profile, the ability of financial-sector firms to manage a cyberattack is more important than ever, and their success in codifying procedures is a key indicator of cybersecurity resilience.

Evaluations in the ASIC report were based on companies’ self-reported compliance with the NIST Framework, a broad framework that evaluates cybersecurity resilience against five functions: identify, protect, detect, respond, and recover. Each function is rated as being either partial, risk-informed, repeatable, or adaptive—each of these stages representing increasing maturity of the function in question.

Australian financial-services companies showed steady improvement across the board in terms of the proportion of companies that had reached the adaptive stage, although the majority of companies were still in the repeatable stage across all five functions.

Adaptive-stage leaders pointed to the presence of factors such as clear lines of reporting and responsibility, regularly updated incident playbooks covering specific scenarios, and the ability to engage multiple response teams as needed during and after any security incident.

Significantly, the share of companies that rated themselves as risk-informed—in which policies and procedures are rarely updated and not followed consistently—actually increased in the protect, detect, respond, and recover functions.

“Very basic protections are in place to protect against data leaks; however, we recognise the need to enhance measures across the entire enterprise,” reported one firm that evaluated its protect scale as risk-informed.

Such results suggest that the impact of the COVID-19 pandemic has pushed many companies into a more reactive posture than they might otherwise have liked, with the reduction in recover-stage maturity potentially linked to the unending attacks by ransomware gangs over the past two years.