Australia: Strengthening Australia's cybersecurity regulations
The Australian Government, through the Department of Home Affairs, is, at the time of publication, conducting a review of cybersecurity regulation in Australia [1]. Following the critical infrastructure reforms [2] and the ongoing review of the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act') [3], the Government is considering stronger regulation to promote cybersecurity and has issued a discussion paper for consultation. Katherine Sainty, Director of Sainty Law, discusses the stronger cybersecurity regulations under consideration, including governance standards for large businesses.
Nearly 60,000 cybercrimes were reported in Australia during 2019-20. There is no question that cybersecurity incidents are increasing and that more and more businesses are at risk; in the private sector, cybersecurity incidents cost Australia up to $29 billion. In response, the Government has proposed new policies covering a range of areas, including labelling and new standards for smart devices, new legal remedies for consumers, and governance standards for large businesses.
Governance standards for large businesses
Currently there is no general requirement for Australian businesses to take active steps to prevent cybersecurity incidents. Because the cost of a cyber incident is difficult to estimate, some companies rationalise that investing in cybersecurity would cost more than the potential loss to the business. Moreover, a business may not feel the full effect of an incident itself, with the 'cyber security risk being passed down the supply chain' to end users.
However, cyber attacks pose a real threat and can result in substantial damage, including:
- loss of revenue from business interruption;
- business recovery costs;
- lost shareholder value; and
- reputational damage.
The Corporations Act 2001 (Cth) requires directors to exercise their powers with care and diligence (s 180) and to act in good faith, in the best interests of the company, and for a proper purpose (s 181). Yet 'only 7% of directors in ASX 100 companies said they clearly understood the cyber security environment their company operates in.' At present, large businesses implement cybersecurity protections at their own discretion, which produces significant variation depending on how seriously each business treats cyber threats.
Voluntary governance standards
One suggestion is a voluntary governance standard for larger businesses. Inviting businesses to participate in drafting the standard makes it more likely to be realistic and to have industry buy-in. The standard would also communicate the public's expectation that larger businesses manage cybersecurity risk better.
The Government has also recognised that a voluntary standard could serve as a benchmark when assessing whether a director has complied with their duties: a court may consider the standard in determining whether a failure to respond to cybersecurity threats amounts to a breach of directors' duties. Recognising cybersecurity as part of acting in the best interests of the company will therefore likely incentivise more directors to prioritise cybersecurity protections.
Voluntary or mandatory?
Another option is to make the governance standards mandatory and require all larger businesses to adopt them within a set timeframe. One benefit would be less variation in how businesses manage cybersecurity risk, which would help reduce the number of cybersecurity incidents Australia-wide.
However, the Government's stance is clearly against making the standards mandatory, as it considers that no regulatory body currently has the expertise or resources to enforce them, and that the cost to businesses of changing their practices to comply would be high. A voluntary governance standard would be a positive first step towards better cybersecurity management.
The Government should consider directing resources to help businesses adopt the voluntary governance standards, for example by funding the Australian Cyber Security Centre ('ACSC') to develop and disseminate the standards and to provide support and resources to businesses improving their cybersecurity risk management. If the standards were made mandatory, the Government would need to resource the ACSC, the Australian Securities and Investments Commission ('ASIC') or another body to enforce them.
The Government is currently seeking feedback on its proposed policies.
Katherine Sainty Director
Sainty Law, Sydney
1. Available at: https://www.homeaffairs.gov.au/reports-and-pubs/files/strengthening-australia-cyber-security-regulations-discussion-paper.pdf
2. Available at: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/australia%E2%80%99s-cyber-security-strategy-2020
3. Available at: https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988