Recent cyber attacks have exposed the personal data of millions of Australian customers – acting as a wake-up call for directors. With cyber attacks becoming more frequent and complex, does your organisation have the cyber resilience to protect against and recover from an attack? To help determine your organisation’s cyber capability, we invite you to complete the ASIC cyber pulse survey.
Creating a cyber resilient financial system requires close collaboration between industry, government and regulators.
Since 2016, ASIC has asked Australian financial market firms to complete regular self-assessment surveys about their cyber resilience. Now we want to hear from a broader cohort of ASIC-regulated entities.
The ASIC cyber pulse survey is designed to help your organisation assess its current cybersecurity and controls, governance arrangements and incident preparedness.
Cyber pulse survey
The voluntary, multiple-choice survey is suitable for ASIC-regulated entities of all sizes and sectors.
To help you understand your organisation’s cyber resilience, the survey asks whether you have:
identified key information assets and considered how to protect them
identified vulnerabilities and current threats and developed a plan to address them
implemented governance arrangements to oversee cyber risk, set risk appetite, and assess the appropriateness of controls.
On completion of the survey, you can opt in to receive an individual report which will provide insights into how you assess your organisation’s current cyber resilience capability compared to your industry peers. ASIC will also publish a report with key findings from the survey, which will provide sectoral insights, areas for action and the better practices identified.
The survey will take roughly 30 minutes to complete. All information collected is anonymous and de-identified, and cannot be used against you in regulatory or enforcement action.
How cyber-prepared are you?
Every organisation is vulnerable. Last year, the Australian Cyber Security Centre reported receiving one cybercrime report every seven minutes – which only accounts for the crimes that were reported. It shows that even robust cyber defence systems can be breached.
Despite Australia topping the Massachusetts Institute of Technology Cyber Defence Index 2022/23, it is crucial that improving cyber resilience remains at the forefront for every company director in Australia – regardless of the size of your organisation. The spate of recent high-profile attacks on Australian companies has marked us as an easy target.
We encourage directors to consider the following questions when determining the cyber resilience of your organisation:
is cyber risk included in your organisational risk management framework?
what is your response and recovery plan, and has it been tested?
is it clear how you would communicate with customers, regulators and the market when things go wrong?
ASIC’s cyber pulse survey – which covers governance, data security, incident management and recovery planning – will help you answer these questions and identify any gaps in your cyber risk management.
Every director’s duty
Cyber attacks can disrupt an organisation’s business operations and result in financial, legal, and reputational harm. But the impact of a cyber attack doesn’t always stop there. The digital interconnectedness of organisations means that the impact of a cyber attack can spread beyond the target rapidly, causing widespread harm to consumers, investors and the broader economy.
The challenge for your organisation is to ensure that appropriate cyber risk management strategies are in place. What is appropriate will depend on the size and nature of your business, and the identified threats and vulnerabilities. Failure to adequately address cyber security risk, or to comply with relevant disclosure and reporting requirements, may be a breach of directors’ duties.
To help strengthen your organisation’s cyber security, directors should familiarise themselves with the Cyber Security Governance Principles recently released by the AICD and Cyber Security Cooperative Research Centre. The principles provide useful guidance on overseeing and engaging with management on cyber security risk.