Australian financial firms are urged to use U.S. protocols to ensure they are adequately prepared to defend against cyber attacks, in a new report published by the country’s securities regulators.
The Australian Securities and Investments Commission (ASIC) issued a new report Thursday designed to help regulated financial firms improve their ability to “prepare, respond, adapt and recover from a cyber attack”, a capability that it refers to as ‘cyber resilience’.
“Cyber attacks are a major risk for ASIC’s regulated population and that means cyber resilience is an area of ASIC focus. The electronic linkages within the financial system mean the impact of a cyber attack can spread quickly — potentially affecting the integrity and efficiency of global markets, and trust and confidence in the financial system,” said ASIC chairman, Greg Medcraft.
“This report outlines some ‘health check prompts’ to help businesses review their cyber resilience—including flagging relevant legal and compliance requirements, particularly on risk management and disclosure,” he added. “We encourage businesses, particularly where their exposure to a cyber attack may have a significant impact on financial consumers and investors or market integrity, to consider using the United States’ NIST Cybersecurity Framework to manage their cyber risks or stocktake their risk management practices.”
The paper describes the U.S. NIST Cybersecurity Framework as a “voluntary, technology-neutral cyber risk management tool” for organizations that aims to help firms manage their cyber risk in a cost-effective way, based on their particular business requirements, risk tolerances, and resources. It says that the tool does not introduce new standards or concepts but integrates existing standards on global security and IT governance in a way that is risk-based and scalable.
“The NIST Cybersecurity Framework is being adopted by critical infrastructure providers in the United States, including those operating in financial services and markets. It is expected to become an effective global benchmark for financial markets,” it says, adding, “It is flexible enough to apply to all businesses and not just those that support critical infrastructures.”
The ASIC report also encourages collaboration between the financial industry and the government to ensure that responses to cyber attacks can be coordinated, and that information on risks is shared. Medcraft said that ASIC is also considering adding cyber resilience to its industry compliance efforts.
The regulator also notes that financial consumers and investors face their own cyber risks, and it has updated its advice to investors on protecting themselves online.