ASIC finds that supply chain security risk still looms over the financial sector
Australian financial sector organizations have seen “no material improvement” in their mitigation of supply chain and third-party cybersecurity risks over the past two years, according to corporate watchdog ASIC.
The Australian Securities and Investments Commission (ASIC) released a new cyber resilience report on Monday, in which financial sector companies voluntarily self-assess against the cybersecurity framework of the United States' National Institute of Standards and Technology (NIST).
The commission said goals set two years ago, before the pandemic, had not been met, and attributed this to “overambitious goals, an escalation in the cyber threat environment” and the disruption and reallocation of resources related to Covid.
Larger companies were more likely than their small to medium-sized counterparts to have effective practices in place.
ASIC said companies vary in the degree of trust they place in third-party vendors to have appropriate cybersecurity standards in place on their side.
“Some [firms] said they trusted their suppliers to manage cyber risks, or relied on attestations from some of their largest suppliers,” the commission said.
“Many companies have launched third-party vendor management programs that are in their infancy and are investing in building their capabilities in this area over the next period.
“The most mature companies report that all critical service providers are subject to an annual independent audit.”
Similarly, a gap was identified in the number of financial services industry participants that contractually required providers to implement certain cybersecurity controls as part of the relationship.
“A few companies indicated that vendors were not required to implement security controls. Some indicated that cybersecurity requirements are not specifically built into vendor agreements, but have been assessed periodically,” ASIC said.
“Many reported that some contracts, but not all, had security requirements; these companies had plans in place to increase their coverage as contracts were due for renewal.
“The most mature companies have a minimum set of security requirements stipulated in contracts with all critical vendors.”
Mapping critical information and data flows was an area where more action had been taken.
“Companies are clearly aware of the need for visibility and effective risk management in this area,” ASIC said.
“They reported ongoing initiatives and further progress planned over the next period.”
The previous report, published in December 2019, found that “the trend of outsourcing non-core functions to third-party providers has created challenges in managing cybersecurity risks in the supply chain” of financial firms.