AICD submission on cyber security legislative reforms

Thursday, 07 March 2024

On 6 March 2024 the AICD provided a submission to the Department of Home Affairs on proposed cyber security focused legislative reforms.

Our submission provided support, or in-principle support, for almost all of the key reforms that were the subject of consultation. AICD members recognise that targeted and low-cost regulatory obligations are appropriate in certain areas, such as ransomware threat intelligence. However, this should be balanced by measures that promote trust between industry and Government, notably through comprehensive protections on how information provided to Government during a critical cyber security incident is used and shared.

Our key points on the central proposed reforms were:

  • in-principle support for a ransomware reporting regime applying to large businesses that avoids duplication with existing reporting and notification obligations, only collects necessary operational information and is based on genuine ‘no fault, no liability’ principles;
  • support for a legislated obligation on the Australian Signals Directorate and the National Cyber Security Coordinator in respect of information provided by an organisation during the response and recovery phases of a significant cyber security incident. We recommended that this obligation be expanded beyond ‘use’ to the ‘use, sharing and awareness’ of information and, separately, that the cyber security purposes be tightened to provide sufficient comfort to organisations in the rigour of the obligation;
  • in-principle support for the establishment of a Cyber Incident Review Board in a low cost and agile manner that avoids additional regulatory burden and costs on organisations impacted by a critical cyber incident;
  • in-principle support for the proposed approach to clarifying the application of ‘business critical data’ and data storage systems falling within the scope of the Security of Critical Infrastructure Act 2018 (SOCI Act); and 
  • did not support the proposed Ministerial ‘consequence management’ directions powers under the SOCI Act. The policy case for the new powers is not strong, including the case that the existing Ministerial directions powers in the SOCI Act are deficient. In addition, the powers would be inconsistent with the intent of the SOCI Act, unfettered and cover the highly subjective and unclear concept of ‘consequence management’.
