Shaping Australia’s Cyber Security Strategy

Written By

Julie Cheeseman

Partner
Australia

I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.

Jessica Laverty

Senior Associate
Australia

I am a senior associate in our Dispute Resolution Group in Sydney. My practice focuses on assisting clients to resolve commercial disputes, particularly for those clients in the technology sector.

Emma Croft

Senior Associate
Australia

I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.

The Australian Government has set its sights on becoming the most cyber secure nation in the world by 2030 and now wants to start a fresh conversation with industry, and the wider community, to work towards this ambitious aspiration.

On Monday, 27 February 2023, an Expert Advisory Board appointed by Australia’s first ever Minister for Cyber Security, the Honourable Clare O’Neil MP, released a discussion paper regarding the development of Australia’s Cyber Security Strategy for 2023-2030 ("Strategy"). The Strategy will be progressed in parallel with the Australian Government’s other digital and data related priorities, including the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) and the ACCC’s Digital Platform Services Inquiry 2020-25.

Three core areas of policy which will be included in the Strategy are:

  • enhancing and harmonising regulatory frameworks;
  • strengthening Australia’s international strategy on cyber security;
  • securing government systems.

Industry, and the wider community, now have until 15 April 2023 to provide feedback on what should be included in the Strategy. The discussion paper includes several specific proposals which, if realised, would have a significant impact on business operations and management. Such proposals include:

  • whether obligations on company directors should specifically address cyber security risks and consequences;
  • whether Australia should introduce a Cyber Security Act (with an aim to draw together existing (and, likely, future) cyber-specific legislative obligations and standards across industry and government) and what should be included in any such legislation;
  • whether the definition of ‘critical infrastructure asset’ under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) should be broadened to include customer data and systems (our articles about the SOCI Act can be found here and here);
  • in relation to the payment of ransoms and extortion demands by cyber criminals:
    • whether the Government should prohibit payment by victims of cybercrime and/or insurers and, if so, under what circumstances;
    • whether the Government should clarify its position regarding the payment of ransoms by companies and the circumstances in which this may constitute a breach of law (for example, currently this may be caught by terrorism financing legislation or the sanctions regime); and
    • whether a mandatory reporting regime should be implemented in respect of such payments;
  • whether reporting and response requirements following a major cyber incident should be streamlined; and
  • whether an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) would improve engagement with organisations that experience a cyber incident in order to allow information to be shared between the organisation and ASD/ACSC without the concern that such information would be shared with regulators.

The Department is also seeking feedback on broader policy questions, including how:

  • Australia could establish itself as the most cyber secure nation in the world by 2030;
  • to monitor the regulatory burden on businesses so as to make cyber security obligations clear and easy to follow, both from an operational perspective and for company directors (given the existing framework includes a range of implicit and overlapping obligations on entities), particularly for small and medium-sized enterprises;
  • to increase support available to victims of cybercrime; and
  • to improve information sharing with industry in relation to cyber threats, for example by sharing root cause findings from investigations of major cyber incidents.

Key contacts:  Hamish Fraser, Julie Cheeseman, Thomas Jones, James Hoy, Belyndy Rowe, Matthew Bovaird and Emma Croft
