In addition to the Privacy Act review mentioned in chapter 4, which includes recommendations regarding security of personal information, in February 2023, the Albanese Government released a discussion paper considering various options for regulatory reform in respect of cybersecurity (Cybersecurity Discussion Paper).
Summary
An Expert Advisory Board appointed by Australia’s first Minister for Cyber Security, the Honourable Clare O’Neil MP, released the Cybersecurity Discussion Paper regarding the development of Australia’s Cyber Security Strategy for 2023-2030 (Strategy). The Strategy will be progressed in parallel with the Australian Government’s other digital and data related priorities, including the Attorney-General’s Department’s review of the Privacy Act and the ACCC’s Digital Platform Services Inquiry 2020-25.
Three core areas of policy which will be included in the Strategy are:
Enhancing and harmonising regulatory frameworks;
Strengthening Australia’s international strategy on cyber security; and
Securing government systems.
The questions for consultation include:
Whether obligations on company directors should specifically address cyber security risks and consequences;
Whether Australia should introduce a Cyber Security Act (with an aim to draw together existing (and, likely, future) cyber-specific legislative obligations and standards across industry and government) and what should be included in any such legislation;
Whether the definition of ‘critical infrastructure asset’ under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) should be broadened to include customer data and systems (our articles about the SOCI Act can be found here and here);
In relation to the payment of ransoms and extortion demands by cyber criminals:
Whether the Government should prohibit payment by victims of cybercrime and/or insurers and, if so, under what circumstances;
Whether the Government should clarify its position regarding the payment of ransoms by companies and the circumstances in which this may constitute a breach of law (for example, currently this may be caught by terrorism financing legislation or the sanctions regime); and
Whether a mandatory reporting regime should be implemented in respect of such payments;
Whether reporting and response requirements following a major cyber incident should be streamlined; and
Whether an explicit confidentiality obligation on the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) would improve engagement by organisations that experience a cyber incident, by allowing them to share information with ASD/ACSC without concern that it would be passed on to regulators.
The Department of Home Affairs is also seeking feedback on broader policy questions, including how:
Australia could establish itself as the most cyber secure nation in the world by 2030;
To monitor the regulatory burden on businesses so that cyber security obligations are clear and easy to follow, both operationally and for company directors, given that the existing framework imposes a range of implicit and overlapping obligations on entities, and particularly for small and medium-sized enterprises;
To increase support available to victims of cybercrime; and
To improve information sharing with industry in relation to cyber threats, for example by sharing root cause findings from investigations of major cyber incidents.
Next steps and relevance
Public consultation for the discussion paper closed on 15 April 2023. Over 330 submissions were received by the Department of Home Affairs on what should be included in the Strategy.