The Australian and Securities Investments Commission (ASIC) has urged financial market firms to strengthen their defences to address the growing cyber threat after its latest report found improvements made in the last two years failed to meet expectations.

ASIC says its findings indicate cyber resilience increased at a “small but steady” 1.4%, well short of the 14.9% targeted for the period.

The corporate regulator says the shortfall is the combined result of overly ambitious targets, escalation in the cyber threat environment and disruptions caused by the pandemic, leading organisations to reassess the targets set in 2019 and redirect resources to deal with immediate pressing needs.

These include enabling secure remote working on a never-before-seen scale and ensuring the delivery of products and services to customers as supply chains become increasingly burdened and threatened by cyber activists.

“Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment,” Commissioner Cathie Armour said.

“The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services.

“However, the response from firms has been robust.”

ASIC’s cyber resilience report is based on a cross-section of organisations in the Australian financial markets, including stockbrokers, investment banks, market licensees, market infrastructure providers and credit ratings agencies.

Participants were asked to reassess their cyber resilience using the National Institute of Standards in Technology Cybersecurity Framework to measure their actual progress against their targets in previous cycles.

The report says there was still opportunity for improvement across the entire sector, adding the pandemic had a detrimental impact on planned improvements and investment was reprioritised to mitigate other emerging cyber risks.

According to the report, SMEs showed an overall increase of 6.4% across all cyber resilience functions, with the biggest change arising from a 12.4% improvement in understanding the business environment including critical services and products, suppliers and potential threat actors.

For large firms, confidence in their cyber resilience has fallen slightly because of increased complexity in their business operating models and heavy reliance on supply chain partners.

Click here for more from the report.