
ASIC’s cyber pulse survey

The ASIC cyber pulse survey is designed to help organisations assess their current cyber security and controls, governance arrangements and incident preparedness. Open to ASIC-regulated entities of all sizes and sectors, completion of the survey will allow you to receive an individual report with insights into how you assess your organisation’s current cyber resilience capability compared to your peers. 

The voluntary, multiple-choice survey will help you to understand your organisation’s cyber resilience by asking whether you have:

  • identified key information assets and considered how to protect them
  • identified vulnerabilities and current threats and developed a plan to address them
  • implemented governance arrangements to oversee cyber risk, set risk appetite and assess the appropriateness of controls.

Completing the survey will help you identify gaps in your cyber risk management and enable ASIC to better understand the issues affecting regulated organisations. 

As well as issuing individual reports to participating organisations, ASIC will publish a public report with key findings from the survey. The public report will provide sectoral insights, areas for action and the better practices identified.

All responses will be anonymous to ASIC. Identifying information collected for the purpose of saving the survey and returning an entity’s individual report will not be shared with ASIC. 

Improving your cyber resilience

In today’s data-driven world, every organisation is vulnerable. According to the Australian Cyber Security Centre (ACSC), cyber security incidents cost the Australian economy $42 billion in 2021 – with the average downtime for an organisation after a ransomware attack sitting around 22 days. 

However, the impact of a cyber incident isn't always neatly contained to the target. The digital interconnectedness of organisations can cause the effects of a cyber incident to quickly spread throughout the economy, potentially causing widespread harm to consumers and investors. As we can see, improving cyber resilience is at the forefront for every organisation in Australia — regardless of size or sector.

When considering the cyber resilience of your organisation, we encourage you to consider the following questions:

  • is cyber risk included in your organisational risk management framework?
  • what is your response and recovery plan, and has it been tested?
  • how will you communicate with customers, regulators and the market when things go wrong? 


Keeping the market and regulators informed

Creating a cyber resilient financial system requires close collaboration between industry, government and regulators. While some listed companies have used trading halts and market announcements to keep the market informed, we also encourage you to report cyber incidents to ASIC and the ACSC. This will enable us to consider any broader threats to Australian financial markets and systems. 

For their part, ASX has encouraged companies to refer to existing ASX guidance, implement a tested disclosure plan and work closely with ASX listings advisers in the event of a cyber incident. Having your response plans prepared and tested will put you in the best position to protect your customers and organisation – allowing you to engage experts, inform regulators and guide communications in a timely and considered manner in the event of an attack.

ASIC encourages companies to foster a culture of cyber awareness. The Australian Cyber Security Centre’s website and ASIC’s cyber resilience webpage contain useful resources to help organisations improve their cyber security and resilience. 

For more information on the ASIC cyber pulse survey, visit asic.gov.au/cyberpulse.

 
