In August last year the Australian government released Australia's Cyber Security Strategy 2020, the successor to the 2016 Cyber Security Strategy.
The 2020 Strategy acknowledges the increasing global reliance on technology and the corresponding need for improved cyber security awareness, strategies and infrastructure. It promised the investment of $1.67 billion over 10 years toward creating a more secure online world.
One key component of the 2020 Strategy targets Australian businesses. On 13 July 2021 the Department of Home Affairs published a discussion paper entitled Strengthening Australia’s cyber security regulations and incentives (Consultation) which describes a range of regulatory proposals that would require (and, in some cases, incentivise) Australian businesses to invest in cybersecurity.
The Consultation identifies three key avenues for possible reform. These are:
- Setting clear minimum expectations for businesses regarding cyber risk management responsibility;
- Increasing transparency to businesses and consumers of the security risks associated with particular technologies; and
- Protecting consumer rights by establishing clear legal remedies for consumers for cyber security incidents
Key regulatory proposals considered in the Consultation Paper are summarised below:
1. Governance standards
Many large businesses are aware that they need to improve their cyber security risk readiness and infrastructure. Cyber security incidents affecting larger businesses may have significant implications for national economic development, resilience and security. Currently, critical infrastructure owners covered by the Security of Critical Infrastructure Act 2018 and financial institutions covered by APRA’s prudential standard CPS 234 respectively have cyber security obligations.
However, the Consultation proposes that additional cyber security governance standards should apply to a wider range of businesses. These standards could be voluntary or mandatory, noting that mandatory standards could be costly and onerous, particularly in a post-pandemic economic environment. Feedback from stakeholders will likely contribute to the final approach.
2. Minimum standards for personal information
Many Australian businesses are threatened by unsophisticated cyber security attacks because, generally speaking, they have not implemented baseline cyber security precautions. These could be avoided by simple processes and controls such as data encryption, strong passwords, multi-factor authentication and timely application of critical patches. The Consultation is considering whether a technical standard could accelerate adoption of these precautions.
Notwithstanding this, the Consultation is considering whether a technical standard or 'code' under the Privacy Act could drive adoption of improved cyber security practices. This could be mandatory, or compliance could be tied to regulatory incentives. The Consultation proposes that any such standard or code would:
- be targeted at specific kinds of technology, sectors or kinds of data
- focus on high-impact lower-cost cyber security controls
- specify minimum requirements only, in a similar way to the Australian Taxation Office’s Digital Service Provider Operational Framework
However, any standard or code adopted under the Privacy Act would be limited in its application to 'personal information' (although in practice improvements in cyber security might ‘trickle down’ to other types of data), and would only apply to entities who are covered by the Privacy Act (generally organisations with an annual turnover of more than $3 million). The Consultation is seeking feedback on stakeholder views and possible barriers to adoption of this proposal.
3. Standards and labelling requirements for smart devices
'Smart devices' (or IoT devices) are products that connect to the internet. The Consultation acknowledges that, as the development and uptake of smart devices has outpaced the adoption of good cyber security practices, cyberattacks target the known gaps to exploit private and valuable information stored online. It suggests that this may be explained in part by the market forces which favour rapid innovation and novel capability in smart devices over privacy and security. (We discussed issues relating to IoT and operational technology in our recent Perspectives on Cyber Risk Report 2021).
The Consultation is seeking feedback on a mandatory product standard for smart devices which contains, among other things, mandatory baseline cyber security requirements, such as specified in ETSI EN 303 645. Implementation of such a standard would likely require new legislation.
In addition, the Consultation is seeking feedback on stakeholder views and possible barriers to adoption of a cyber security labelling scheme for smart devices including a voluntary cyber security 'star rating' proposal and a mandatory cyber security expiry date label.
4. Responsible disclosure policies
According to the Consultation:
"Responsible vulnerability disclosure is a process where security researchers find and report vulnerabilities to software developers, businesses or agreed third parties, including Government".
Responsible disclosure is intended to allow software owners to develop patch systems or software before a vulnerability is discovered and exploited in a cyberattack. The Australian Government already encourages disclosure by federal agencies, as well as security researchers, customers and the public to the Australian Cyber Security Centre. However, adoption of responsible disclosure policies among Australian businesses remains low.
The Consultation is seeking stakeholder feedback on voluntary and regulatory proposals to increase responsible disclosure. Voluntary mechanisms would include guidance or toolkits whereas a regulatory approach could take the form of a mandatory technical standard. The Consultation outcomes will likely affect the final approach.
5. Small business 'Health Checks'
Smaller businesses are much less likely than large businesses to have risk management processes in place or employ dedicated cyber security teams. An area where the Consultation has identified that the Government may be able to provide additional cybersecurity support to small businesses is supply chain risk management.
Supply chain risks arise because entities are connected to the IT systems of other organisations or provide services to other organisations. This means that where a disruption occurs to such other organisations, it can directly or indirectly affect connected entities. The Consultation is seeking feedback on a voluntary cyber security check program which would be administered by the Government at low or no cost. It acknowledges that success would likely rest on the strength of incentives for small businesses to participate and is seeking feedback on what would be appropriate in this regard.
6. Legal remedies for consumers.
Given that there are limited legal options for consumers to seek remedies or compensation for cyber security incidents, the Consultation describes planned reforms to the Australian Consumer Law which are being led by the Federal Treasury as well as proposed reforms to the Privacy Act being administered by the Attorney-General's Department. Notwithstanding these, the Consultation is seeking feedback on how regulation can be strengthened to better protect consumers from cyber security threats and whether additional action is required.
The Department of Home Affairs is accepting submissions on the discussion paper until 11:59 PM on Friday 27 August 2021 via their submission form and is running a number of consultation events for each of the States and Territories. Further details of these are available via the Department's website.
Contact our team for more information or for assistance with preparing your submission.