The federal government has maintained momentum on lifting Australia’s cyber security practices with consultation on a broad suite of proposed reforms. The proposed reforms are seeking to implement key planks of the 2023-30 Australian Cyber Security Strategy and will establish for the first time standalone cyber security legislation in Australia.
Overview of the key proposals
The Department of Home Affairs consultation, launched in late December 2023, is seeking to implement nine key elements of the 2023-30 Australian Cyber Security Strategy that was released in October 2023. An AICD summary of the strategy can be found here.
The nine measures fall into two categories:
1. New cyber security legislation, covering:
a. Secure-by-design standards for consumer Internet of Things devices;
b. A no-fault ransomware reporting framework, under which a business would report both when a ransom demand is made and, separately, if a ransom is paid;
c. Limited use obligation on the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator for information provided by a business during a critical cyber incident; and
d. Establishing a Cyber Incident Review Board to undertake post-incident reviews of critical cyber incidents.
2. Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act), comprising:
a. Inclusion of data storage systems that hold ‘business critical data’ within the definition of ‘asset’ under the SOCI Act, with the risks to business-critical data to be specifically covered in risk management settings;
b. New ministerial consequence management powers following a critical incident, including directing an entity to replace documents of individuals or businesses impacted by the incident;
c. Clarification and simplification of the protected information sharing provisions;
d. New Secretary of Home Affairs directions power related to deficiencies in an entity’s risk management program obligations; and
e. Consolidation of telecommunications security requirements under the SOCI Act.
AICD focus areas and request for feedback
The AICD has engaged extensively with the government on its strategy. We were pleased to see many issues raised by the AICD and other stakeholders considered in the strategy and reflected in this consultation.
The AICD’s continued engagement with the government on these reforms will be focused on ensuring they strike the right balance: lifting cyber resilience across the economy without imposing new obligations in a costly or counterproductive manner.
In respect of the proposed ransomware reporting regime, our preliminary position is that it should be targeted at businesses that have the resources to meet the requirement, should not duplicate existing reporting obligations, and should be accompanied by appropriate government support. For instance, requiring the reporting of a ‘ransom demand’, in addition to a ransom payment, may result in uncertainty about what constitutes a ‘demand’, add to existing reporting complexity and distract a business during the immediate period in which it is seeking to respond to the cyber incident.
We are supportive of a limited use obligation which would restrict how cyber incident information shared with the ASD and Cyber Coordinator can be used by other Commonwealth Government entities. We have heard there have been instances where some businesses have been reluctant to share details of a cyber attack with the ASD due to the risk it may be shared with Commonwealth regulators for the purposes of enforcement. For the obligation to be effective and provide sufficient comfort to industry, it needs to be clear on what information it would apply to, when it would commence and conclude, and how it will interact with other regulatory obligations.
The AICD is seeking input from members on the key proposals outlined above and how they may impact your organisations. We are particularly interested to hear from directors of SOCI entities about how their organisations are assessing the proposed amendments, including bringing ‘business critical data’ within scope of the Act and the expanded Ministerial directions powers.
Please provide any comments by Friday 16 February to firstname.lastname@example.org.
Upcoming AICD resource and virtual event
The AICD is committed to assisting members in governing cyber security risk and has been developing a new resource for members on how boards can govern during and following a critical cyber incident. The resource will expand on existing guidance in the AICD CSCRC Cyber Security Governance Principles and will assist boards and directors with overseeing an effective response to, and recovery from, a cyber crisis.
In developing the publication, the AICD has again partnered with the CSCRC, supported by expert advice from leading law firm Ashurst.
The publication is due for release at the end of February and will be previewed at a virtual event on Friday 23 February (12pm – 1pm), complimentary for members. The event will feature a panel discussion with the partners on the project reflecting on how directors can govern through a critical cyber incident and emerge on the other side with a more cyber resilient organisation.
You can register for the event here.
New government guidance for directors
The Cyber and Infrastructure Security Centre (CISC), part of the Department of Home Affairs, has published the Overview of Cyber Security Obligations for Corporate Leaders (available here).
The publication is a valuable reference tool for directors in understanding existing cyber security regulatory requirements. CISC notes the publication should be read in conjunction with key international and domestic guidance, including the AICD CSCRC Cyber Security Governance Principles.