ASIC report: ASX, Chi-X Australia meet cyber resilience obligations

The Australian Securities and Investments Commission (ASIC) released earlier today its “Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd”, a document presenting its assessment of the cyber policies at Australia’s major domestic financial market infrastructure providers.

Overall, the assessment concluded that ASX Group and Chi-X have, up to this point in time, met their statutory obligations to have sufficient resources for the management of cyber resilience.

In carrying out the cyber resilience assessments of ASX Group and Chi-X, ASIC has chosen to use the US National Institute of Standards and Technology (NIST) Cybersecurity Framework for Critical Infrastructure (NIST Cybersecurity Framework). As part of the assessment, ASX Group and Chi-X had to complete a self-evaluation against the framework which was later validated by ASIC via a series of document reviews and detailed discussions.

When presenting the findings, the regulator combined the results of all the organisations that took part in the NIST self-assessment process: ASX Group, Chi-X and the wider range of financial organisations that undertook the NIST Cybersecurity Framework self-assessment.

Figure 1 (below) shows the four tiers used to rate the sophistication and rigor of an organisation’s cybersecurity practices. The tiers range from least to most progressed (i.e. partial, risk informed, repeatable and adaptive).

[Figure 1: NIST Cybersecurity Framework implementation tiers]

  • “adaptive” means processes are operated and adjusted in ‘real time’ as and when events occur;
  • “repeatable” means organisation-wide cybersecurity processes are in place and are operated and updated on a regular basis;
  • “risk informed” means a cyber risk management policy has been approved by senior management (although not on an organisation-wide basis);
  • “partial” means cyber risk management profiles are not formalised, and are managed on an ad hoc basis.

ASIC found that 82% of cybersecurity practices were self-assessed as adaptive (30.9%) or repeatable (51.1%). Of the remaining 18%, risk informed accounted for 15.6% of cybersecurity practices, and only 2.4% were self-assessed as partial.

The following practices were rated as ‘adaptive’ across the organisations:

  • established information security policies are periodically reviewed and updated;
  • cybersecurity roles are defined, communicated and understood at the senior management level;
  • legal and compliance obligations are understood and managed;
  • response and recovery plans are managed, communicated and tested on a periodic basis;
  • cyber events are communicated within the organisation to ensure ongoing awareness of threats.

Common challenges across the organisations included:

  • establishment of a baseline for data flows across organisational networks that could, in turn, enable the detection of any anomalous flow of information;
  • management of software across mobile devices to prevent installation of malicious code.

ASIC intends to use the information collected from this assessment to work closely with ASX Group and Chi-X to monitor future developments in this area—particularly the ongoing evolution of international and domestic regulatory settings and expectations.
