Cyber security regulation in Australia: What’s the current status?

Will Australia be getting a Cyber Security Act any time soon? The cyber security regulatory space in Australia is messy: in some cases organisations are covered by multiple security obligations, while large parts of the Australian ecosystem are not subject to any regulation at all.

There seems to be growing recognition that something needs to be done to lift the cyber resilience of Australian organisations – and a Cyber Security Act is one of the suggestions to help do this.

But what’s the background to introducing a Cyber Security Act in Australia and where are we up to in that process?

Cyber Security Strategy 2020

Australia’s Cyber Security Strategy 2020 supported increased legislation of security requirements for Australia’s critical infrastructure owners and operators. Shortly after that, in mid-September 2020, a discussion paper was released for a 5-week consultation period. Home Affairs received just under 200 submissions during the period. Following that short consultation period, significant new legislation was introduced. We covered the new Security of Critical Infrastructure legislation in this post.

Australia’s Cyber Security Strategy 2020 also proposed the introduction of more general cyber security regulation (beyond the critical infrastructure sector). Increased general regulation was also one of the recommendations of the 2020 Cyber Security Strategy Industry Advisory Panel.

The consideration of new regulation of cyber security also complemented the Review of the Privacy Act 1988.

Strengthening Australia’s Cyber Security Regulations and Incentives 2021

In 2021 the Government issued a discussion paper: ‘Strengthening Australia’s Cyber Security Regulations and Incentives.’

The goal of the paper was to make Australia’s digital economy more resilient to cyber security threats, by creating stronger incentives for Australian businesses to invest in cyber security, including possible new regulation.

In response, some of the suggestions made for discussion included:

  • Governance standards for large businesses
  • Minimum standards for personal information
  • Clear legal remedies for consumers

There was extensive consultation on the issues raised. The government hosted 32 consultation events, including open forums, industry roundtables and bilateral discussions, and spoke to over 770 businesses, community groups and individuals on how to best strengthen the cyber security of Australia’s digital economy.

The Department received over 140 submissions in response to the discussion paper. 121 are public and have been published below.

The submissions were varied in terms of support for regulation. Many included a range of different suggestions, e.g.:

  • Annual cyber compliance reporting to ASIC/ASX
  • Cyber security ombudsman
  • Personal liability for directors

Unfortunately, notwithstanding the extensive consultation and engagement, no recommendations were made after consultation on the discussion paper ended.

Cyber Security Strategy 2023

Late in 2022, Australians were shaken by a series of major data breaches including Optus, Medibank and Latitude Finance.

On 8 December 2022, the new Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil MP, announced the development of the 2023-2030 Australian Cyber Security Strategy (the Strategy).

The Minister appointed an Expert Advisory Board, chaired by Andrew Penn AO, to advise on the development of the Strategy. In February 2023, the Expert Advisory Board released a Discussion Paper seeking public views on how Government can achieve its vision under the Strategy. We covered the Discussion Paper 2023 here.

Once again, regulation of cyber security more generally was on the agenda. Some of the specific questions asked in the 2023 Discussion Paper included:

  • What are the factors preventing the adoption of cyber security best practice in Australia?
  • Do negative externalities and information asymmetries create a need for Government action on cyber security? Why or why not?
  • What are the strengths and limitations of Australia’s current regulatory framework for cyber security?
  • How could Australia’s current regulatory environment evolve to improve clarity, coverage and enforcement of cyber security requirements?
  • What is the best approach to strengthening corporate governance of cyber security risk?

Once again, there has been extensive consultation. The Department of Home Affairs received over 330 submissions in response to the discussion paper. In addition, the Department of Home Affairs hosted over 50 consultation events, including stakeholder round-tables, and spoke to over approximately 200 businesses, community groups and individuals regarding the Strategy.

Responses to Cyber Security Strategy 2023 Discussion Paper

Wading through the 219 public submissions is quite a chore. Fortunately for us, Ivano Giovani and his team at UQ have done the hard work, sifting through the responses, extracting some high-level statistics and coming up with some interesting insights. See his analysis here. The following is based on that analysis.

Should Australia have a Cyber Security Act?

The submissions were 57% in support of its creation, 26% against, and 17% unsure.

Supporters put forward the need to standardise Australia’s compliance landscape with a unified regulatory framework; clarify roles for organizations, government, and individuals; and enhance incident coordination.

Opponents expressed concerns about introducing new obligations without streamlining existing ones, noting that current laws already address cyber security. They also highlighted the lengthy process of creating such an Act and the need to reform existing laws to prevent overlap.

Interestingly, individual responders were much more receptive to reforms than organizations, which were generally less supportive and more cautious in their approach.

However, there is also evidence of huge support for regulation from cyber security practitioners. The analysis notes that the Australian Information Security Association, basing its submission on a survey of its members and industry consultations (we could not find mention of the sample size), reports 88% support, 5% opposition, and 7% uncertainty regarding the Act.

What next?

Consultation closed on the Discussion Paper in April 2023 – over 6 months ago.

Since then, there has been some news on what to expect from the new Cyber Security Strategy. It was announced at an Australian Financial Review Cyber Summit on September 18 that the strategy will involve six cyber shields constructed “around our nation,” all being part of a “cohesive, planned national response that builds to a more protected Australia.” The first shield focuses on education. The second involves boosting the standards for cybersecurity in digital products, treating them on par with other products from a safety perspective. The third comprises sharing information about threats and blocking them, enabling the exchange of “threat intelligence … between government and business at real-time machine speed and then threats blocked before they cause any harm to the Australian population”. The three other shields entail critical infrastructure protection, which places government at the forefront of “lifting up its own cyber defences to make sure we’re protecting our country”; creating a sovereign capability maintained “in a thriving cyber ecosystem where we have the skills we need” drawn from a class of “young people” who find cybersecurity “a really desirable profession”; and appreciating the truly global nature of the cyber challenge. “So undertaking coordinated global action and pushing for a more resilient region is an absolute no-brainer for us here.”

Unfortunately, nothing specific on cyber security regulation.

We are expecting a response to the Cyber Security Strategy Discussion before the end of the year. But, looking at what we’ve heard so far, probably no new Cyber Security Act for a little while yet… which will be a big disappointment for cyber security professionals but not so much for the business community.