The practice of outsourcing services and products is crucial to most organisations operating in today’s economy, with 76% of leading global businesses outsourcing IT functions.
While financial services businesses can outsource their services to third-party suppliers, they cannot outsource the associated risks and liabilities.
Recently, ASIC released findings from Spotlight on cyber: Findings and insights from the cyber pulse survey (REP 776). Worryingly, 44% of participating organisations admitted to not managing third-party or supply chain risk.
ASIC has observed a growing number of cyber attacks on Australian organisations stemming from third-party attacks that exploit weaknesses in an organisation's supply chain, giving attackers easy access to the organisation's systems and networks.
AFS licensees from across Australia have told ASIC they consider cyber security the biggest risk to their business, listing it as a high priority item for board meetings and noting they run regular staff training at all levels of their business.
AFS licensees have moved to reinforce their internal cyber security after a series of high-profile incidents from late 2022. With many organisations acting to improve internal defences, their focus must now turn to mitigating third-party exposure – the new frontline in cyber risk management.
For example, the SolarWinds breach of 2020 exploited a vulnerability in SolarWinds’ platform, giving the threat actor access to 3,000 email accounts across 150 organisations, including government agencies and multinational corporations, according to ASIC. The breach cost each affected organisation an average of US$12 million.
The recent global systems failure, in which cybersecurity vendor CrowdStrike pushed an update to the Windows version of its software that caused computer systems worldwide to crash, is another example of third-party vendor risk.
To enhance the cyber resilience of Australia’s financial institutions against known threat actors, the Council of Financial Regulators (CFR) developed the cyber and operational intelligence-led exercises (CORIE) framework. CORIE uses threat intelligence to simulate adversary attacks and assess the cyber resilience of an organisation. Recent CORIE simulations have exposed vulnerabilities in third-party controls, including instances where third parties held administrator-level access to critical systems.
“The recent Latitude Financial cyber attack underscores the need for enhanced scrutiny of third parties with access to core systems,” ASIC said.
“While IT outsourcing is essential for many organisations, basic controls – like multifactor authentication (MFA) for external providers – could minimise breach risks.”
Another concerning trend demonstrated by CORIE simulations is the use of weak passwords. Even where password complexity requirements are enforced, users find ways to craft weak passwords such as ‘Pa$$w0rd123!’ that satisfy the rules on paper.
MFA is one of the most effective techniques available to protect organisations from a cyber incident. Where MFA is not available, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recommends the use of passphrases. These measures should be implemented as part of a broader cultural shift throughout an organisation, driven by employee education, cyber awareness training and rigorous third-party risk assessment.
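To illustrate the gap between a complexity rule and actual password strength, here is an added example (not from the article or from ASIC/ACSC) in Python. It shows that ‘Pa$$w0rd123!’ satisfies a typical complexity policy but collapses to the common base word "password" once character substitutions and decorative suffixes are undone, and contrasts this with a passphrase check. The deny-list, the substitution map and the passphrase thresholds (4 words, 14 characters) are constructed assumptions for the example.

```python
import re

# Constructed deny-list of common base words. A real deployment would use a
# large breached-password list rather than a handful of entries.
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "summer"}

# Common "leet" substitutions users apply to satisfy complexity rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})


def passes_complexity_policy(pw: str) -> bool:
    """Typical policy: at least 8 chars with upper, lower, digit and symbol."""
    checks = [len(pw) >= 8,
              re.search(r"[A-Z]", pw),
              re.search(r"[a-z]", pw),
              re.search(r"\d", pw),
              re.search(r"[^A-Za-z0-9]", pw)]
    return all(checks)


def normalise(pw: str) -> str:
    """Strip decorative prefix/suffix digits and symbols, then undo leet
    substitutions, so 'Pa$$w0rd123!' becomes 'password'."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop trailing '123!'-style suffix
    core = re.sub(r"^[^a-z]+", "", core)   # drop leading symbols/digits
    return core.translate(LEET_MAP)


def is_weak(pw: str) -> bool:
    """Weak if the normalised core is a common word, whatever the decoration."""
    return normalise(pw) in COMMON_BASE_WORDS


def meets_passphrase_guidance(pw: str, min_words: int = 4, min_len: int = 14) -> bool:
    """Passphrase-style check (assumed thresholds): several words, long enough,
    and not built on a common base word."""
    words = [w for w in re.split(r"[\s\-_.]+", pw) if w]
    return len(pw) >= min_len and len(words) >= min_words and not is_weak(pw)


def evaluate(pw: str) -> dict:
    """Compare the three checks for one candidate password."""
    return {"complexity_policy": passes_complexity_policy(pw),
            "weak_base_word": is_weak(pw),
            "passphrase_guidance": meets_passphrase_guidance(pw)}


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd123!", "Summer2024!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```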
“To mitigate cyber risk, organisations must take an active approach to identifying, assessing, and monitoring third-party cyber risks,” ASIC said.
“We encourage organisations to start by asking three simple questions: How much access do third parties have to my systems? How is third-party access protected? Where is my data?”
Stay ahead of regulatory changes
FINSIA has recently launched its 2024 line-up for The Regulators.
Hear directly from the senior leaders of ASIC, APRA, AUSTRAC, the RBA, and RBNZ as they unveil their priorities and strategic outlooks for 2025.
This is also your opportunity to connect with the best and most senior representatives in financial services.