On 13 July, the Government published a discussion paper on potential reforms to make Australia more resilient to cyber security trends. The Government considers that the way to get there is to create stronger incentives for Australian businesses to invest in cyber security. Submissions on the discussion paper are being accepted until 27 August.
The paper considers:
- Governance standards (mandatory or voluntary) for large businesses;
- Minimum protection technical security controls for personal information, with may take the form of an enforceable security code under the Privacy Act 1988 (Cth);
- Mandatory baseline security features for smart devices replacing the voluntary Code of Practice for securing IoT devices released in September 2020 (which the Government found did not have a sufficient uptake) and based on International Standards (such as ESTI standards), following the approach to similar reforms in the United Kingdom;
- Transparency requirements, such as voluntary star rating and mandatory expiry date labels as well as voluntary or mandatory vulnerabilities disclosure policies;
- Cyber security health checks for small businesses; and
- New and clearer remedies under consumer and privacy legislation.
Australian cyber regulation: current and future states of play
The consultation forms part of Australia’s Cyber Security Strategy 2020.
It adds to several other reforms launched or contemplated by the Government in response to a growing cyber threat environment, including reforms concerning the security of critical infrastructure, potential regulations targeting ransomware payments and a reform of directors’ duties.
Such reforms appear needed in light of the current limitations of Australia’s current regulatory and enforcement frameworks for cyber-security, which provide insufficient clarity about cyber security expectations and have limited coverage beyond specific sectors.
Below is an overview of the existing Australian cyber regulation landscape and key changes on the horizon:
The Australian cyber regulation maze
There is currently no harmonised approach to the regulation of cyber risk in Australia. Organisations face a range of 'cyber regulations', with different standards, levels of enforcement and rigour, depending on their sector and the criticality and types of information assets they hold and use.
The future of Australia’s cyber regulation? Key reforms ahead
|Security of critical infrastructure reforms||Enhanced cyber regulatory framework across expanded set of essential services, including incident reporting and positive security obligations (risk management plan or RMP), as well as government intervention powers (see our briefing for details).||Bill introduced in Parliament in December 2020 and immediately referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for review. In parallel, the Government has been consulting in industry on the co-design sector-specific rules for RMPs.|
|Mandatory reporting of ransomware payments||Public and private entities (other than small businesses) to report ransomware payments to ACSC (see our briefing for details).||Bill introduced before Parliament in June.|
|Banning ransomware insurance payouts||Prohibit insurance payouts for ransomware payments.||Discussed at June House Committee inquiry. Draft legislation yet to be introduced.|
|Company directors cyber liability||Company directors to be personally responsible for cyber attacks.||Initially contemplated as a reform option as part of the Australian cyber security strategy released in August 2020. Draft legislation yet to be released, and it is unclear which entities will be covered (only ASX listed or large Australian companies), whether the regime will be mandatory, or what will trigger liability (whether some form of misconduct or negligence will be required).|
|TSSR PJCIS Review||PJCIS review of the operation of the TSSR reforms, including consideration of the adequacy of information sharing arrangements, notification threshold, criteria and timing.||Submissions closed. PJCIS to issue recommendations.|
|2020 Cyber Strategy Other Reforms||Consultation on reforms and standards including on governance, obligations for manufacturers of smart devices and consumer and privacy remedies.||Consultation to end on 27 August 2021.|
|Privacy Act Reviews||Economy wide reforms of Australian privacy laws, including increased penalties, expanded scope, strengthened notification and consent requirements, reinforced rights for data subjects (see our briefing for details).||Almost 2 years after the Government announced it, the review has not yet started and it is unlikely that any reforms will introduced before early 2022.|
Emerging legal risk in an evolving cyber regulatory framework
In the context of amplified cyber threats and an evolving regulatory landscape, companies must manage not only the direct operational costs associated with a cyber- attack, but the ongoing legal fallout should they fail to take sufficient measures against cyber risk. This is in light of:
- Increased regulatory intervention, as illustrated by the ongoing of ASIC proceedings against RI Advice Group for failing to have adequate cyber risk management systems following a number of alleged cyber incidents, in breach of sections 912(A)(1) and (5A) of the Corporations Act (see our note here), or privacy investigations and determinations by the OAIC against organisations that do not take reasonable steps to protect personal information they held from unauthorised access (in breach of the Australian Privacy Principle 11.1).
- Class actions brought by customers, shareholders or other affected third parties. Recent overseas actions were brought against SaaS providers, entities responsible for energy and health and other critical infrastructures. In Australia, we are seeing the development of a data breach class action regime. This includes a number of class actions being considered in recent years by entrepreneurial plaintiff law firms, bolstered by the first successful settlement of a data breach class action in 2019 (see our note here). The rising number of cyber- attacks and incidents as well as the availability of litigation funding means these types of actions are a risk for which Australian companies must prepare.
As illustrated in the overview above, the road map for the implementation of the different cyber security reforms initiated or contemplated by the Australian Government remains uncertain.
Having regard to the very nature of cyber security, the successful roll out of the reforms should extend beyond involving only policy makers, technical experts and sector experts. There is a real opportunity for industry to shape the reforms.
In particular, participants to the consultations on the different reform processes will need to turn their mind to the following overarching questions:
- Risk of duplication with existing regimes and other reform processes;
- Need to balance clarity and flexibility required in an ever evolving technological landscape;
- Extra territorial application (for example the extent to which overseas manufacturers could be required to introduce specific security features before supplying their products to Australia);
- Compliance costs;
- Need for sufficient guardrails against the introduction of broad governmental powers.
Our global team of cyber risk and crisis management specialists would welcome the opportunity to speak with you about how best to engage with the different ongoing consultations and deploy an organisation-wide strategy for engaging with the ever-growing challenge of cyber threats and increasingly complex cyber regulatory framework.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2022