ASIC Highlights Cybersecurity Gaps in Wealth Management Sector
A recent report from the Australian Securities and Investments Commission (ASIC) has revealed concerning gaps in cybersecurity preparedness among wealth management firms, especially in their handling of third-party providers. The "Spotlight on cyber" report, which surveyed nearly 700 entities, indicates that both small and large wealth managers need significant improvement before they can be considered cyber resilient.
The survey included 120 financial advice practices, 64 funds managers, and 12 superannuation funds. While many of these organizations demonstrated strong governance, risk management, and information asset management capabilities, gaps were evident in crucial areas. Notably, about 29% of the participants fail to encrypt confidential information, and a similar proportion lacks controls to prevent unauthorized information transmission.
Larger organizations generally reported more advanced cyber capabilities. In contrast, smaller firms were found lacking in several areas, including supply chain risk management, data security, and managing the aftermath of security breaches. A striking 34% of smaller firms do not adhere to any cybersecurity standard, and 44% do not conduct adequate risk assessments on third-party vendors.
The report highlights a broader issue with 69% of participants having minimal or no capabilities in managing risks associated with supply chains and third parties. Over half of the surveyed entities do not conduct tests on their cybersecurity incident responses with critical suppliers.
ASIC emphasizes the importance of extending robust cybersecurity measures to third-party relationships, including vendors, suppliers, partners, contractors, or service providers with access to internal or confidential information. These third-party entities can potentially offer easy access for threat actors to an organization's systems and networks, creating supply chain vulnerabilities.
The preliminary findings released in September had already raised a red flag about 44% of participants neglecting third-party or supply chain risks. Recent cybersecurity breaches at Latitude Financial and Perpetual, stemming from weak controls over third-party vendors, underscore this concern.
ASIC chair Joe Longo has warned that the regulator will adopt a stricter approach towards cyber breaches, focusing on the accountability of boards and senior leaders who neglect their cybersecurity obligations. He stresses the need for an effective cyber security strategy, governance and risk framework to identify, manage, and mitigate cyber risks within the risk tolerance accepted by an organization's leadership.