The AICD is supportive of measures to strengthen cyber security and resilience, including governance and accountability practices across Australian businesses. The AICD’s view is that a partnership between government and industry has the best opportunity to result in significant improvements in cyber resilience across organisations of all sizes.

The AICD submission focuses on the proposal for cyber security governance standards for large businesses. The AICD does not support the introduction of a mandatory cyber security governance standard. Existing directors’ duties include an obligation to act with due care and diligence and this obligation appropriately covers emerging risks, such as cyber security. A mandatory standard would be a costly additional regulatory burden that may do little to improve cyber resilience but rather add to the existing complex patchwork of requirements that face large businesses in Australia.

The AICD supports in-principle a voluntary standard co-designed with industry that focuses on conveying fit-for-purpose guidance in a non-prescriptive manner. For a voluntary standard to drive genuine benefits, it should be principles based and preserve organisational flexibility to respond dynamically to the evolving nature of cyber security risk. Importantly, the standard should avoid overlap, replication or conflict with existing obligations and requirements.
You can find a copy of the AICD’s submission here.