Australia’s business and employer groups have rejected proposals that would see them face tougher rules and more responsibility for cyber incidents, but are open to a new Cyber Security Act if it consolidates existing regulations.
The groups argue existing obligations on directors already recognise cyber risks, while new prescriptive cyber regulations like an enforceable code for businesses would create a compliance burden.
The call against additional regulation comes despite Australia’s most high profile cyber incidents occurring in the private sector in the last year.
The massive data breaches at Optus and Medibank upsized the Albanese government’s cyber reform plans from a reshaping to an overhaul. The goal now is to make Australia the most cyber secure country in the world.
An expert advisory board led by former Telstra boss Andy Penn launched the consultation process in February with its discussion paper that floats significant changes that could make up a “package of regulatory reform”.
It flags a new Cyber Security Act, expanded critical infrastructure laws, specific cyber obligations for company directors and the outlawing of ransomware payments as potential new reforms.
The Australian Institute of Company Directors said additional cyber-specific director duties are not needed because the existing framework “obliges directors to effectively oversee the management of cybersecurity risk and build cybersecurity resilience”.
It said introducing them would make Australia an outlier among comparable countries.
“Similarly, we do not consider there is a convincing case for the development of mandatory cybersecurity standards given the existing patchwork of cyber-related regulatory regimes in Australia,” the AICD said.
“Policy outcomes should be aimed at streamlining cyber-related obligations, not adding complexity.”
The Ai group, representing Australian employers, also opposed new director obligations for cyber because they “would not create additional incentives for cyber capability uplift, while potentially exposing directors to liability in cyber incident situations where the company is a victim of a crime”.
Business group the Australian Chamber of Commerce and Industry (ACCI) also rejected new cyber obligations for company directors or new enforceable codes, calling for the principles based regulatory approach to be retained. It also recommended the government consider loosening some of the information security requirements attached to government contracts to lessen a compliance burden.
It pointed to the Department of Employment and Workplace Relations compliance program requiring the full scope of the Information Security Manual – an assessment of more than 900 controls, according to the ACCI.
“At this scale, it is not enhancing cybersecurity, it is compliance, and in most cases the well-meaning program is diverting limited resources away from cybersecurity uplift initiatives and into compliance,” the ACCI submission said.
Both business groups also shot down a proposed expansion of the Security of Critical Infrastructure (SOCI) Act to cover customer data and ‘systems’ – a change that would effectively place more cybersecurity obligations on many more businesses.
The ACCI said its members reported needing more time to embed the recently introduced requirements into everyday operations, and recommended an evaluation of the SOCI regime before any expansion to data and systems.
Company directors similarly warned against another expansion to the SOCI regime.
“We have received feedback from industry advisors that there are significant gaps and a lack of an understanding of the SOCI obligations amongst entities caught under the recent expansion, for example privately owned businesses in the transport sector,” the AICD said.
“Ensuring the SOCI Act is understood and being complied with by the regulated population should be the current priority rather than pursuing further legislative change.”
The AICD and the ACCI differed about a potential prohibition on ransomware payments.
The ACCI wants the government to clarify its current position before seeking input on a change, but said its members are “inclined to support a prohibition on the payment of ransoms” provided practical issues are addressed through industry consultation.
Directors meanwhile are “not convinced” a strict legislative prohibition on ransomware payments is appropriate.
“To avoid unintended outcomes, there is benefit in preserving a degree of flexibility so that entities, with the support of experts, determine the appropriateness of payment in the specific circumstances,” the AICD said.
Do you know more? Contact James Riley via Email.