The Department of Home Affairs is reviewing cybersecurity in Australia. Following the critical infrastructure reforms and ongoing review of the Privacy Act 1988 (Cth), the Government is now considering stronger regulations to promote cybersecurity. It has issued a Discussion Paper for consultation.
There were nearly 60,000 cybercrimes reported during 2019-20. Cyber security incidents are on the rise, putting businesses at risk. Industry experts estimate that cyber incidents cost Australian businesses up to $29 billion annually. In response, the Government has proposed new policies covering a range of areas, including labelling and new standards for smart devices, new legal remedies for consumers, and governance standards for large businesses.
Governance standards for large businesses
There is currently no legislative requirement for Australian businesses to take action to prevent cyber security incidents. Because the cost of a cyber incident is difficult to estimate, some companies are choosing to do nothing, running the risk on the assumption that the potential loss from a cybercrime will be less than the cost of investing in cybersecurity.
However, cyber attacks pose a real threat and can result in substantive damage including:
- Loss of revenue from business interruption;
- Business recovery costs;
- Lost shareholder value; and
- Reputational damage.
The Corporations Act 2001 (Cth) requires directors to act in good faith, in the best interests of their company, and for a proper purpose. However, “only 7% of directors in ASX 100 companies said they clearly understood the cyber security environment their company operates in”. Currently, it is up to large businesses to implement cyber security protections at their discretion, resulting in significant variance depending on how seriously each business views cyber threats.
Voluntary governance standards
One suggestion is to implement a voluntary governance standard for larger businesses. Inviting businesses to be involved in creating these standards makes it more likely that the resulting standard will be realistic and have industry buy-in. These standards would also communicate the public’s expectation that cyber security risks be better managed by larger businesses.
The Government has also recognised that a voluntary standard could be used to assess whether a director has complied with their director’s duties. Courts may consider the standard when determining whether a failure to respond to cybersecurity threats amounts to a breach of directors’ duties. Recognising cybersecurity as an aspect of acting in the best interests of the company will therefore likely incentivise more directors to prioritise implementing cyber security protections.
Voluntary or Mandatory?
Another option is to make the governance standards mandatory and have all larger businesses adopt them within a certain timeframe. One benefit would be less variation in how businesses manage cybersecurity risks, which would help reduce the number of cyber incidents Australia-wide.
However, the Government’s stance is clearly against making the standards mandatory, as it considers that no regulatory body has the expertise or resources to enforce them. Additionally, the cost for businesses to change their practices to comply with mandatory standards would be high. A voluntary governance standard would be a positive initial step towards better cybersecurity management.
Our Takeaway
The Government should consider directing resources to assist businesses in adopting voluntary governance standards. This could take the form of funding the Australian Cyber Security Centre (ACSC) to develop and disseminate these standards and, possibly, to provide support and resources to help businesses improve their cybersecurity risk management. If the standards were made mandatory, the Government would need to invest resources in the ACSC, ASIC or another body to enable enforcement of these standards.
You can view the submissions made to the Department of Home Affairs here.
This article was originally published on OneTrust and is available here.