Cyber security must be ‘top priority’ for corporations: ASIC
The Australian Securities and Investments Commission (ASIC) has urged organisations to strengthen cyber security capabilities after its report found “significant gaps” in safeguards across businesses.
ASIC says the report, which includes responses to its inaugural cyber pulse self-assessment survey, highlights notable deficiencies in critical cyber management, as the regulator acknowledges that many businesses are operating under a reactive rather than proactive model.
The survey found that 33% of respondents do not have a cyber incident response plan, while 58% admit having limited to no capability to protect confidential information appropriately.
“For all organisations, cyber security and cyber resilience must be a top priority,” ASIC Chair Joe Longo said.
“ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks.
“Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.”
ASIC notes “encouraging” signs, with organisations reporting mature developments in identity and access management, governance and risk management, and information assets management areas.
But Mr Longo says corporations’ cyber plans need to “go beyond security alone and build up resilience” to help respond to and recover from cyber incidents.
“It’s not enough to have plans in place,” Mr Longo said. “They must be tested regularly – alongside ongoing reassessment of cyber security risks.
“An effective cyber security strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”
The Australian Cyber Security Centre estimates that Australia lost more than $42 billion in 2021 due to cyber crimes, with hostile actors continuing to target vulnerable businesses.