Financial services firms are taking cybersecurity risks seriously, but smaller organisations still have a long way to go, according to the corporate regulator, which is seeking to raise awareness of the issue.
ASIC's Report 555 shows that about three in four (74%) of the 101 firms surveyed have robust IT security processes and procedures, while 66% have cyber incident response plans in place.
The results are encouraging, particularly for large organisations with access to specialist skills and resources, and demonstrate a relatively high degree of cyber resilience compared to small and medium-sized enterprises (SMEs), some of which are just beginning to develop this area, the report said.
There is room for improvement among SMEs: 40% reported shortcomings in their monitoring and detection practices, ASIC said.
One firm said it had "no formal policy in this area" because its network is not a managed network on which active monitoring could be implemented at the ISP layer, although monitoring is in place at the network level.
"This demonstrates an understanding of the area even though no formal policies are in place. The next step for this organisation - like many other SMEs - is to review and formalise these policies," the report said.
Among the large firms, 41% said a proper understanding of information flows across the organisation was still a work in progress, while 45% were still grappling with understanding externally managed systems and data.
All firms indicated that these were priority areas for the next investment period.
ASIC Commissioner Cathie Armour said: "Cyber resilience is now widely regarded as one of the most significant concerns for the financial markets sector and the economy at large. Given the central role financial markets firms play in our economy, the cyber resilience of our regulated population is a key focus for ASIC."
"Cyber resilience is not just an IT issue but one that requires a whole-of-organisation response. The dynamic nature of cyber threats requires a comprehensive and long-term commitment to cyber resilience by all organisations operating in the Australian economy", Armour said.
The Australian Cyber Security Centre identified 47,000 cyber incidents affecting individuals and businesses in the past 12 months, a 15% increase on the year prior. More than half were online scams or fraud, up 22% year-on-year.