Cyber consultation paper flags mandatory compliance standard
The Department of Home Affairs has released a cyber security paper for consultation, seeking feedback on a range of proposed options to strengthen the economy’s defence against ransomware and other digital threats.
A portion of the paper deals with governance standards for the business community, which at present is left to manage cyber threats as it sees fit.
The paper flagged two options for consideration if the status quo were to be scrapped.
The first would involve the development of a voluntary cyber security governance standard, setting out the responsibilities of large businesses and the processes for managing cyber security risk, and supporting company boards in their oversight of that risk.
This option would not require specific technical controls to be implemented and would complement existing regulatory requirements.
The second option involves a standard similar to the first proposal but large businesses would be required to achieve compliance within a specific timeframe. Entities covered by existing regulation, such as responsible entities for critical infrastructure, would not be covered by this policy.
The paper says the second option would mean larger businesses improve their cyber security governance in a timely manner, resulting in better management of cyber threats.
But it says the costs associated with mandating governance would be high as a large number of businesses would be required to comply.
If implemented, the government would have to allow a significant amount of time for businesses to shift their governance structures and ensure they are able to comply with the mandatory standards.
The paper says regulatory costs may be passed on to consumers.
“On balance, a mandatory standard may be too costly and onerous given the current state of cyber security governance, and in the midst of an economic recovery, compared to the benefits it would provide,” the paper said.
The paper says cyber security incidents cost the Australian economy $29 billion annually or 1.9% of gross domestic product.
Citing the Australian Cyber Security Centre, the paper says the threat is increasing in scale, frequency and sophistication.
“If no action is taken, the costs and consequences of cyber security incidents are likely to rise over time as more economic activity moves online and the number of connected devices grows,” the paper said. “COVID-19 is just one factor driving this trend.”
Law firm Clyde and Co says there is currently significant political pressure on the government to take action in respect of cyber risk and its impact on the Australian economy.
It says it is unlikely that the government will opt for the status quo at the conclusion of the consultation period.
The law firm says the discussion paper highlights that cyber security must be a fundamental part of all organisations’ risk management practices.
“Boards will face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches,” Clyde and Co said.
“Whether standards are voluntary or mandatory, if an organisation suffers a cyber incident and is not able to demonstrate that it has adequate policies and procedures in place, directors may be exposed to claims.”
Closing date for submissions is August 27.