ASIC finds supply chain security risk still weighing on finance sector

Australian finance sector organisations saw "no material improvement" in their mitigation of supply chain and third-party cyber security risks over the past two years, according to corporate watchdog ASIC.

The Australian Securities and Investments Commission (ASIC) released a new cyber resilience report on Monday, where finance sector firms voluntarily self-assess against the US National Institute of Standards in Technology (NIST) cyber security framework.

The commission said that targets set two years ago - before the pandemic had not been achieved, and attributed that to “overly ambitious targets, escalation in the cyber threat environment” and Covid-related disruption and reallocation of resources.

Large firms in the space were more likely than their small-to-medium counterparts to have effective practices in place.

ASIC said that firms varied in the amount of trust they put in third-party suppliers to have appropriate cyber security standards on their end.

“Some [firms] declared confidence in their suppliers to manage cyber risks, or relied on attestations from some of their larger suppliers,” the commission said. [pdf]

“Many firms have initiated third-party supplier management programs that are in their infancy, and are investing in building up their capability in this area over the next period. 

“The more mature firms report that all critical service providers are subject to an independent annual audit.”

Likewise, there was a gap identified in the number of financial services industry participants that contractually required suppliers to implement certain cyber security controls as part of the relationship.

“A few firms reported that suppliers were not required to implement any security controls. Some reported that cyber security requirements are not specifically incorporated into supplier arrangements, but were assessed periodically,” ASIC said.

“Many reported that some, but not all, contracts incorporated security requirements; these firms had plans in place to increase their coverage as contracts came up for renewal. 

“The more mature firms have a minimum set of security requirements stipulated within contracts with all critical suppliers.”

The mapping of critical information and data flows was an area where more action had been taken. 

“Firms are clearly aware of the need for visibility and effective risk management in this area,” ASIC said.

“They reported initiatives that are underway and further progress planned over the next period.”

The last report [pdf], released in December 2019, found that "the trend towards outsourcing of non-core functions to thirdparty providers had created difficulties in the management of cyber security risks in the supply chain" of financial firms.