Bills, Parliamentary reviews, industry consultations… the Australian cyber regulation maze is about to become even more complex

On 13 July, the Government published a discussion paper on potential reforms to make Australia more resilient to cyber security trends. The Government considers that the way to get there is to create stronger incentives for Australian businesses to invest in cyber security. Submissions on the discussion paper are being accepted until 27 August.

The paper considers:

• Governance standards (mandatory or voluntary) for large businesses;
• Minimum protection technical security controls for personal information, with may take the form of an enforceable security code under the Privacy Act 1988 (Cth);
• Mandatory baseline security features for smart devices replacing the voluntary Code of Practice for securing IoT devices released in September 2020 (which the Government found did not have a sufficient uptake) and based on International Standards (such as ESTI standards), following the approach to similar reforms in the United Kingdom;
• Transparency requirements, such as voluntary star rating and mandatory expiry date labels as well as voluntary or mandatory vulnerabilities disclosure policies;
• Cyber security health checks for small businesses; and
• New and clearer remedies under consumer and privacy legislation.

Australian cyber regulation: current and future states of play  

The consultation forms part of Au​stralia’s Cyber Security Strategy 2020.

It adds to several other reforms launched or contemplated by the Government in response to a growing cyber threat environment, including reforms concerning the security of critical infrastructure, potential regulations targeting ransomware payments and a reform of directors’ duties.

Such reforms appear needed in light of the current limitations of Australia’s current regulatory and enforcement frameworks for cyber-security, which provide insufficient clarity about cyber security expectations and have limited coverage beyond specific sectors.

Below is an overview of the existing Australian cyber regulation landscape and key changes on the horizon:

The Australian cyber regulation maze

There is currently no harmonised approach to the regulation of cyber risk in Australia. Organisations face a range of 'cyber regulations', with different standards, levels of enforcement and rigour, depending on their sector and the criticality and types of information assets they hold and use.

The future of Australia’s cyber regulation? Key reforms ahead

Emerging legal risk in an evolving cyber regulatory framework 

In the context of amplified cyber threats and an evolving regulatory landscape, companies must manage not only the direct operational costs associated with a cyber- attack, but the ongoing legal fallout should they fail to take sufficient measures against cyber risk. This is in light of:

• Increased regulatory intervention, as illustrated by the ongoing of ASIC proceedings against RI Advice Group for failing to have adequate cyber risk management systems following a number of alleged cyber incidents, in breach of sections 912(A)(1) and (5A) of the Corporations Act (see our note here), or privacy investigations and determinations by the OAIC against organisations that do not take reasonable steps to protect personal information they held from unauthorised access (in breach of the Australian Privacy Principle 11.1). 
• Class actions brought by customers, shareholders or other affected third parties. Recent overseas actions were brought against SaaS providers, entities responsible for energy and health and other critical infrastructures. In Australia, we are seeing the development of a data breach class action regime. This includes a number of class actions being considered in recent years by entrepreneurial plaintiff law firms, bolstered by the first successful settlement of a data breach class action in 2019 (see our note here). The rising number of cyber- attacks and incidents as well as the availability of litigation funding means these types of actions are a risk for which Australian companies must prepare.  

Next steps

As illustrated in the overview above, the road map for the implementation of the different cyber security reforms initiated or contemplated by the Australian Government remains uncertain.

Having regard to the very nature of cyber security, the successful roll out of the reforms should extend beyond involving only policy makers, technical experts and sector experts. There is a real opportunity for industry to shape the reforms.

In particular, participants to the consultations on the different reform processes will need to turn their mind to the following overarching questions:

• Risk of duplication with existing regimes and other reform processes;
• Need to balance clarity and flexibility required in an ever evolving technological landscape;
• Extra territorial application (for example the extent to which overseas manufacturers could be required to introduce specific security features before supplying their products to Australia);
• Compliance costs;
• Need for sufficient guardrails against the introduction of broad governmental powers.

Our global team of cyber risk and crisis management specialists would welcome the opportunity to speak with you about how best to engage with the different ongoing consultations and deploy an organisation-wide strategy for engaging with the ever-growing challenge of cyber threats and increasingly complex cyber regulatory framework.