The Australian Government, through the Department of Home Affairs, is currently undergoing a review of cybersecurity in Australia. Following the critical infrastructure reforms and ongoing review of the Privacy Act 1988 (Cth), the government is now considering stronger regulations to promote cybersecurity. It has issued a Discussion Paper for consultation.
There were nearly 60,000 cybercrimes reported during 2019-20. There is no question that cybersecurity incidents are increasing, and more and more businesses are at risk. In the private sector, cybersecurity incidents cost up to $29 billion in Australia. In response to this issue, the government has proposed new policies covering a range of areas including labeling and new standards for smart devices, new legal remedies for consumers, and governance standards for large businesses. This latter topic is the focus of this article.
Governance standards for large businesses
Currently there is no requirement for Australian businesses to take active steps to prevent cybersecurity incidents. As it is difficult to estimate the cost of a cyber incident, some companies rationalise that the investment in cybersecurity will likely cost more than the potential loss to business. Additionally, the effect of a cyber incident may not be felt as strongly by certain businesses, with the cybersecurity risk being passed down the supply chain to end-users.
However, cyber attacks pose a real threat and can result in substantive damage including:
- Loss of revenue from business interruption;
- Business recovery costs;
- Lost shareholder value; and
- Reputational damage.
The Corporations Act 2001 (Cth) requires Directors to act in good faith, in the best interest of their company, and for a proper purpose. However, “only 7% of directors in ASX 100 companies said they clearly understood the cyber security environment their company operates in”. Currently it is up to large businesses to implement cyber security protections at their discretion, resulting in significant variance, depending on how seriously each business views cyber threats.
Voluntary governance standards
One suggestion is to implement a voluntary governance standard for larger businesses. By inviting businesses to be involved in the creation of these standards, it will more likely result in a standard that is realistic and has industry buy-in. These standards will also communicate the public’s expectations that cyber security risks be better managed by larger businesses.
The government has also recognised that creating a voluntary standard could be used to assess whether a director has complied with their director’s duties. Courts may consider the standard to determine whether failure to respond to cybersecurity threats amounts to a breach of directors’ duties. Therefore, recognising cybersecurity as an aspect of acting in the best interest of the company will likely incentivise more directors to prioritise implementing cyber security protections.
Voluntary or Mandatory?
Another option is to make the governance standards mandatory, and have all larger businesses adopt them within a certain timeframe. One benefit would be less variation in how businesses manage cybersecurity risks which would help reduce the number of cyber incidents Australia wide.
However, the government’s stance is clearly against making the standards mandatory, as it feels there is no regulatory body with the expertise or resources to enforce the standards. Additionally the cost for businesses to change their practices to comply with the mandatory standards would be high. A voluntary governance standard would be a positive initial step in helping to push for better cybersecurity management.
The government should consider directing resources to assist businesses to adopt voluntary governance standards. This could take the form of funding the Australian Cyber Security Centre (ACSC) to develop and disseminate these standards and possibly to provide support and resources to businesses to assist in improving their cybersecurity risk management. If the standards were made mandatory, the government would need to invest resources in the ACSC, ASIC or another body to enable the enforcement of these standards.
You can view the submissions made to the Department of Home Affairs here
For more information, get in touch with us today.
This article was originally published on OneTrust and is available here