Cyber resilience of firms in Australia’s financial markets: 2020–21

This report provides an update to Report 651 Cyber resilience of firms in Australia’s financial markets: 2018–19 (REP 651). It identifies key trends from self-assessment surveys completed by financial markets firms, and highlights existing good practices and areas for improvement.

Cyber resilience is vital to all organisations operating in the digital economy. This is important for the financial markets sector, where the trust between an organisation and its clients is essential to its future.

In 2017 and 2019, we reported on the cyber resilience of firms operating in Australia’s financial markets: see Report 555 Cyber resilience of firms in Australia’s financial markets (REP 555) (cycle 1) and Report 651 Cyber resilience of firms in Australia’s financial markets: 2018–19 (REP 651) (cycle 2).

To allow ASIC to evaluate firms’ cyber resilience, participants were asked to self-assess their firm’s resilience against the National Institute of Standards in Technology (NIST) Cybersecurity Framework.

Participants were made up of a cross-section of organisations in Australia’s financial markets, including stockbrokers, investment banks, market licensees, market infrastructure providers and credit ratings agencies.

In 2020 and 2021 (cycle 3), we asked participants to reassess their cyber resilience using the NIST Framework to measure their actual progress against their targets in previous cycles.

Results indicated that, while management of cybersecurity risk was steadily improving overall, there was still opportunity for improvement across the entire sector. The COVID-19 pandemic had a detrimental impact on planned improvements and investment was reprioritised to mitigate other emerging cyber risks.