In 2017 ASIC examined the cyber resilience of firms operating in Australia’s financial markets, with participants providing responses to the National Institute of Standards in Technology (NIST) Cyber ​​Security Framework.

While cybersecurity risk awareness and management improved, there was still room for improvement.

But in 2019 Australian financial firms are now more cyber resilient than ever before.

Firms rate themselves from "partial" ("policies and procedures are not formalized, responses are reactive") to "adaptive" ("policies and procedures evolve in response to changes in cybersecurity threats").

Large firms show a steady improvement since the last survey, with significant progress in staff awareness and training.

"The two areas that showed the greatest improvement (16 percent improvement over Cycle 1) included awareness and training programs (77 percent 'repeatable' or 'adaptive') and user access management (91 percent 'repeatable' or 'adaptive " ), the report says.

"However, given the importance of employees as the first line of defense against cybersecurity events, there is still room for improvement in user awareness and education."

However, there were some pitfalls.

"Due to the complexity of large firms and the range of services they offer, asset management (20 percent 'partially' or 'risk informed') and supply chain risk management (22 percent 'partially' or 'risk informed' ) have been identified as areas for improvement," the report said.

But the cyber resilience of Australian businesses still increased by 15 per cent between the first and second surveys.

"Organizations are alert to cybersecurity threats to their business and have focused resources and efforts on improving cybersecurity governance, risk management, and response and recovery capabilities," the report said.