To strengthen the understanding of Australia’s current cyber security regulatory obligations and to inform future policy development, the AICD commissioned King & Wood Mallesons (KWM) to research cyber security regulatory settings in Australia and comparator jurisdictions (the UK, Canada, European Union and the USA).
The research sought to capture the array of cyber security regulatory requirements across the five jurisdictions. This scope included economy wide obligations on businesses, industry and critical asset specific requirements, reporting and notification obligations and pending reforms. The research also examined cyber security governance and accountability obligations on directors.
The KWM research finds that Australia is broadly in line with comparator jurisdictions in its overall cyber security regulatory settings, whilst Australian obligations on critical asset owners and systems of national significance are some of the strictest globally.
Notable findings from the research include:
- There are no specific cyber security duties imposed on directors in any of the jurisdictions. In each jurisdiction directors have general duties of care, skill and diligence to their organisations. In Australia, these general duties are set out in section 180 of the Corporations Act 2001 and as a result directors should be capable of satisfying themselves that cyber security risks are adequately addressed and that organisations are cyber resilient.
- There is an increasing trend for class action activity against directors for cyber security breaches, particularly in the USA. In the USA actions have been brought on the basis that the board has failed to exercise appropriate oversight of a company’s cyber security. There is far less precedent in Australia for actions against directors in relation to cyber security governance, however this may change with the Privacy Act Review’s recommendations on a direct right of action and a statutory tort for privacy (see AICD’s submission to the Privacy Act Review Final Report for further detail, available here).
- Critical infrastructure is a dominating focus of current and pending cyber regulatory reforms across all jurisdictions. In general, stronger critical infrastructure and sector-specific cyber security obligations are being introduced to address supply chain and national security risks posed by cyber security threats.
- In all jurisdictions there are a range of mechanisms and frameworks to facilitate intelligence sharing and support in relation to cyber security threats and incidents although these mechanisms are still largely voluntary. There is a there is a focus in all jurisdictions on enhancing the speed and scale of cyber intelligence sharing and cyber threat blocking.
The AICD drew on the KWM research in its submission to the Department of Home Affairs on the development of the 2023-2030 Australian Cyber Security Strategy. The AICD submission is available here.
Already a member?
Login to view this content