There are gaps in Australian financial institutions’ management of cyber security risk, with most companies operating on a reactive rather than proactive basis, a new survey has found.

ASIC surveyed regulated entities to get an understanding of their ability to manage risks, protect information assets and respond to and recover from security incidents. The survey was completed by 697 respondents.

Among the gaps identified: 44 per cent of respondents said they do not manage third-party or supply chain risk; 58 per cent have limited or no capability to protect confidential information adequately; 33 per cent do not have a cyber incident response plan; and 20 per cent have not adopted a cyber security standard.

Small organisations scored lower ratings from ASIC than larger ones. Most small organisations were ranked in maturity tier 1: “Capabilities are reactive. Policies and procedures are not formalised.” The regulator said small businesses need to do more to educate staff about cyber risks, develop response plans, conduct regular security assessments, and implement more robust monitoring and logging solutions.

Most larger organisations fell into maturity tier 2: “Capabilities exist but policies and procedures are rarely updated and not followed consistently.”

ASIC said all organisations should aim to make their cyber security strategies more effective by conducting third-party risk assessments, establishing contractual obligations with third parties and ensuring all confidential information shared with third parties is protected. Organisations should introduce multi-factor authentication procedures and encryption protocols to protect confidential information from unauthorised access. They should conduct simulated cyber-attacks to evaluate the effectiveness of their responses. And they should enforce a data retention policy that specifies how long data should be held and when it should be destroyed.