AICD submission on 2023-2030 Australian Cyber Security Strategy

The submission included AICD commissioned research by King & Wood Mallesons on comparable international jurisdictions' cyber security regulatory settings. This research is attached to the submission.

The AICD in the submission strongly supported Government and industry working together to ensure that Australia is a world leader in cyber security with citizens having confidence that our economy operates within a secure and trusted digital environment. A Government- industry partnership should focus on enhancing cyber resilience across the Australian economy with any new regulations being risk-based and developed with a strong appreciation of the potential compliance costs and impacts on innovation.

Our key points in the submission were:

• Australia’s existing corporations law and directors’ duties provide a comprehensive and clear legal framework that obliges directors to effectively oversee the management of cyber security risk and build cyber security resilience. The AICD does not support introducing new cyber-specific director duties. There is no shortage of existing legal obligations that create a strong incentive for appropriate cyber risk management and no comparable jurisdiction has imposed a cyber duty on directors.
• The AICD does not support further amendments to the SOCI Act in the short term. While, in-principle, we would not oppose an expanded definition of critical assets, our strong view is that the Government’s priority should be on raising awareness of the SOCI Act obligations and conveying best practice expectations rather than pursuing further amendments at this time.
• The AICD in-principle supports a standalone Cyber Security Act that consolidates and harmonises existing cyber regulatory obligations under one legislative framework.
• The AICD is not convinced that a strict legislative prohibition on the payment of ransoms and extortion demands by either victims or insurers is appropriate. Although we support the Government clarifying its position with respect to payment of ransoms and the circumstances in which this may constitute a breach of Australian law. We also consider there is a pivotal role for Government to play in providing enhanced guidance and support to entities in respect of ransomware and extortion demands.
• The AICD strongly supports explicit confidentiality obligations on the Australian Signals Directorate, and other key agencies as appropriate, in respect of information provided to it by organisations sharing cyber threat intelligence and notifying, and seeking assistance, in respect of a significant cyber incident.
• The AICD strongly supports the establishment of a single reporting portal for all cyber and data breach incidents. We also in-principle support all large businesses being required to notify ransomware and data extortion incidents.