Are you confident your cybersecurity strategy meets your obligations as an Australian Financial Services License (AFSL) holder?
Noel Lynam
Premium IT Services | Financial Services Specialists Advisory | Security | Compliance | Strategy & Transformation
With the average cost of a cyber attack standing at $4 million and ASIC raising the bar on compliance and reporting, AFSL directors know that failure is not an option.
Is your business keeping pace with its changing risk profile, given the larger, more subversive and more pervasive nature of the risks it faces in 2019?
In 2018, cyber attackers became more sophisticated and more malicious: 93% of global organisations experienced cyber attacks, and for 33% attacks were a weekly occurrence. 50% of organisations admitted they felt unprepared for 2019, even though they already had cybersecurity solutions in place.
In 2019 organisations can expect attacks to increase. The threats include targeting of applications, denial of service, social engineering, identity and credential theft, ransomware, phishing, whaling and interception of unencrypted communication. Around 51% of companies expect to experience attacks for ransom, 27% insider threats (including negligence) and 26% attacks originating from competitors.
Small and mid-size AFSL holders are an appealing target.
The risks are manifold for small and mid-size AFSL firms.
Mid-size firms are associated with lower levels of protection and accordingly find themselves on the radar of attackers. Additionally, as firms increase their use of online services, their attack surface and their exposure to cyber crime increase with it. And the risks are costly: research into global firms found that the financial services sector suffers the biggest losses to cyber crime.
Lastly, it is not just the remedial effort to rectify security incidents that an organisation must deal with. Current regulation in Australia and abroad requires mandatory reporting of breaches of personal data to clients, suppliers and authorities, which means the cost of any incident reaches far beyond the technical clean-up.
One of the greatest cyber risks is your own organisation’s underestimation of the cyber threat
An ASIC study found that 66% of AFSL holders believed they had cyber security plans in place and 75% believed they had well-managed security processes and procedures. According to Calypsi’s audits, organisations typically underestimate the cyber threat, so the perception of being protected actually increases the risk. Your organisation’s risk profile needs to change at the same velocity with which attackers create new risks. An IT partner with access to risk intelligence specific to the financial services industry is critical to making your organisation’s cybersecurity investment effective.
The pathway to cyber resilience, the cybersecurity maturity curve.
A programme of continual improvement that identifies risks, provides adequate protection, and responds to and recovers from incidents is a critical component of cyber resilience. Cyber security must be incorporated into every decision, and resilience is best achieved with your board’s and executive’s commitment to cybersecurity maturity.
To achieve cyber resilience, it is important to work with an IT provider with a proven track record in ASIC compliance, one that can move the organisation’s IT from ‘risk informed’ to ‘repeatable’, where organisation-wide security policies and processes are in place, and on to ‘adaptive’, where processes are operated and adjusted in real time as events occur. (These are the implementation tiers of the NIST Cybersecurity Framework, from Tier 2 through Tier 4.)
This is achieved by working with your IT provider to create a specific and actionable pathway to cybersecurity maturity, grounded in a strong understanding of the practices of a cyber resilient organisation.
IT Maturity and cyber resilience
Best practices of an AFSL cyber resilient organisation
Strategy
- Cyber security is part of your organisation’s risk management framework
- Risks are understood from all perspectives: board level, enterprise wide, device, application, data, employee, contractor, vendor and broader ecosystem
- Risk profiles and risk appetites specific to the business are understood
Governance
- Responsive governance adjusts to cybersecurity events and intelligence as they arise
- ASIC compliance includes self-reporting of cyber resilience and preparedness for possible audit of targeted areas of risk
- Awareness that shareholders may pursue lawsuits over any breach of data
- Directors’ responsibilities and liabilities are understood at board and senior executive level
People
- The board and executive embrace cybersecurity
- There is a cybersecurity aware culture throughout the company
- Employees are trained and vigilant about cybersecurity
- Employees understand their role in protecting data and what to do when they suspect an issue
Resources
- Risks are monitored 24/7, in real time, through a single consolidated view
- Protection is in place for critical information assets: hardware, software and data
- Regular cybersecurity vulnerability testing is in place
- An external source of cyber risk intelligence advises of new threats
- A highly specific incident response plan is in place for the business
- Security Information and Event Management (SIEM) technologies detect abnormal movement of data
Do you have any questions about AFSL cybersecurity? Would you like to talk to an expert?
Contact Us
Noel Lynam
Chief Executive Officer
Calypsi IT
Phone 1300 408 408
Sydney
Level 13, 333 George St
Sydney NSW
Melbourne
Suite 2, 521 Toorak Road
Melbourne, Victoria
References
- ‘The Trust Factor’, Global Application and Network Security Report 2018-2019, Radware
- Cyber resilience of firms in Australia’s financial markets, ASIC, Nov 2016
- Calypsi Audits 2008-2018