Earlier this year, we discussed the possibility of the Government implementing CPS 234-like obligations on ASX-listed companies and that all companies should be considering measures to protect themselves and their customers against cyber risk, irrespective of potential government regulation. The Department of Home Affairs has now released, as part of Australia’s Cyber Security Strategy (2020), a discussion paper, Strengthening Australia’s cyber security regulations and incentives (Paper), which discusses options for cybersecurity expectations and standards in corporate governance and in the handling of information assets by large businesses.
Options for regulating cybersecurity
The Paper raises three options for how the Government could regulate companies in protecting themselves against cybersecurity attacks:
- Status quo – keeping the law as it is and leaving it to large companies to manage their own cyber risks as they see fit;
- Voluntary governance standards – implementing a voluntary standard which describes the recommended responsibilities for large companies and complements the current regulatory regime for cybersecurity. In developing voluntary standards, the Paper proposes a co-design process with industry to develop a realistic standard with industry buy-in, as well as aligning Australia’s standards with those implemented internationally; or
- Mandatory governance standards – implementing standards similar to those considered under option 2, however, making compliance mandatory and requiring adherence within a timeframe to be specified.
The Paper weighs the benefits, costs and net impacts of the different options:
The Paper takes a mainly unfavourable view of maintaining the status quo, stating that while this has limited cost implications for the Government and businesses, it also does not provide any particular benefits.
The Paper highlights that allowing companies discretion over their cybersecurity policies and protocols could lead to significant variance in how companies deal with cyber risks, could cause companies to lose sight of these risks as they constantly change, and, without consistent senior management oversight, could result in these increasing risks being overlooked.
The Paper highlights that the benefit of a voluntary standard is the flexibility that this approach provides, by facilitating overall stronger management of cybersecurity risks without imposing a regulatory burden on companies (in having to comply with the standard) or on regulators (in policing compliance with it). The Paper highlights that the main risk associated with a voluntary standard is that industry may not actively adopt these recommendations into their internal cybersecurity procedures, which may negate the purpose of developing the standard. Further, the Paper raises the issue of a “tick-a-box compliance culture” that may develop in response to a voluntary standard, where companies may not actively assess their own cybersecurity risks and may simply adopt the suggestions made by the Government.
There will also be costs associated with introducing standards, such as the cost to Government in developing the standard, and potential costs for the companies that implement these voluntary standards.
The most obvious benefit that a mandatory standard would provide is ensured compliance with minimum cybersecurity requirements by large businesses. The Paper suggests that these compliance benefits will flow down through the broader economy, providing protections to consumers and smaller businesses whose information is less likely to be compromised at a higher level.
However, the Paper emphasises the significant costs associated with implementing a mandatory standard, not only for the large number of companies who would have to quickly adhere to the standard, but also for the Government in establishing the standard and in creating a new regulator or further developing an existing regulator to oversee compliance with the standard. The Paper further suggests that awareness and education costs would arise and may potentially be passed down to consumers.
The Paper confirms that entities covered by other standards for cybersecurity compliance would not be required to comply with these mandatory standards (for example, APRA-regulated entities required to comply with CPS 234). This could cause significant confusion for business and poor interactions between standards, as some entities could theoretically be regulated under multiple programs. As highlighted in our previous article, APRA-regulated entities are required to ensure third party compliance with CPS 234 where an entity’s information assets are managed by a third party. Consequently, under a mandatory approach, service providers to APRA-regulated entities could find themselves having to comply with these mandatory standards while also contractually being required to comply with CPS 234.
What is the “right” solution?
The Paper appears to favour a voluntary standard over a mandatory one, setting out that although a mandatory standard would greatly improve Australia’s protection of its cyber assets, the costs of implementing a mandatory scheme would greatly outweigh the benefits and would add financial burden on both companies and the Government, with insufficient return on investment. The Paper suggests that the co-design process for a voluntary standard will provide greater industry buy-in, and concludes that a voluntary standard would produce a positive net impact on cybersecurity for Australian businesses.
As we discussed in our previous article, it is now well understood that cyber attacks and the exploitation of information security vulnerabilities of commercial and government entities are becoming increasingly commonplace, meaning the security risks for large companies are only increasing. Irrespective of any regulatory reform, as a matter of best practice, companies should pre-emptively consider the cyber risks they may face and potential mitigation measures, and review their internal policies and practices relating to information security, including investing in robust data protection and information security controls where necessary.
Provide your feedback
The Paper provides an opportunity for industry and stakeholders to provide their feedback on the proposed options together with any further recommendations. The Government is seeking responses to the following questions in relation to the introduction of cybersecurity measures for large businesses:
- What is the best approach to strengthening corporate governance of cybersecurity risk?
- What cybersecurity support, if any, should be provided to directors of small and medium companies?
- Are additional educational and awareness raising initiatives for senior business leaders required and what should these look like?
The Department of Home Affairs is seeking submissions in response to the above questions until 11:59pm on Friday 27 August 2021.
Authors: Tim Gole, Jen Bradley, and India Monaghan