Shaping Australia’s Cyber Security Strategy

On Monday, 27 February 2023, an Expert Advisory Board appointed by Australia’s first ever Minister for Cyber Security, the Honourable Claire O’Neil MP, released a discussion paper regarding the development of Australia’s Cyber Security Strategy for 2023-2030 ("Strategy").  The Strategy will be progressed in parallel with the Australian Government’s other digital and data related priorities, including the Attorney General Department’s review of the Privacy Act 1988 (Cth) and the ACCC’s Digital Platform Services Inquiry 2020-25.

Three core areas of policy which will be included in the Strategy are:

• enhancing and harmonising regulatory frameworks;
• strengthening Australia’s international strategy on cyber security;
• securing government systems.

Industry, and the wider community, now have until 15 April 2023 to provide feedback on what should be included in the Strategy.  The discussion paper includes several specific proposals which, if realised, would have a significant impact on business operations and management.  Such proposals include:

• whether obligations on company directors should specifically address cyber security risks and consequences;
• whether Australia should introduce a Cyber Security Act (with an aim to draw together existing (and, likely, future) cyber-specific legislative obligations and standards across industry and government) and what should be included in any such legislation;
• whether the definition of ‘critical infrastructure asset’ under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) should be broadened to include customer data and systems (our articles about the SOCI Act can be found here and here);
• in relation to the payment of ransoms and extortion demands by cyber criminals:
  • whether the Government should prohibit payment by victims of cybercrime and/or insurers and, if so, under what circumstances;
  • whether the Government should clarify its position regarding the payment of ransoms by companies and the circumstances in which this may constitute a breach of law (for example, currently this may be caught by terrorism financing legislation or the sanctions regime); and
  • whether a mandatory reporting regime should be implemented in respect of such payments;
• whether reporting and response requirements following a major cyber incident should be streamlined; and
• whether an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) would improve engagement with organisations that experience a cyber incident in order to allow information to be shared between the organisation and ASD/ACSC without the concern that such information would be shared with regulators.

The Department is also seeking feedback on broader policy questions, including how:

• Australia could establish itself as the most cyber secure nation in the world by 2030;
• to monitor the regulatory burden on businesses so as to make cyber security obligations clear and easy to follow, both from an operational perspective and for company directors (given the existing framework includes a range of implicit and overlapping obligations on entities), particularly for small and medium-sized enterprises;
• to increase support available to victims of cybercrime; and
• to improve information sharing with industry in relation to cyber threats, for example by sharing root cause findings from investigations of major cyber incidents. 

Key contacts:  Hamish Fraser, Julie Cheeseman, Thomas Jones, James Hoy, Belyndy Rowe, Matthew Bovaird and Emma Croft