Cyber security: governance proposals

As large companies such as Westpac, Commonwealth Bank and fruit and vegetable processor SPC announce workplace vaccination programs and the government encourages big business to get involved in vaccine rollouts for staff, questions remain about the grey areas of workplace vaccination policies. We look at developments in the space as the picture unfolds.

Overview of consultation

The consultation forms part of the Cyber Security Strategy 2020 and responds to recommendations of the 2020 Cyber Security Strategy Industry Advisory Panel, chaired by Telstra CEO, Andy Penn.

The focus of the consultation is on what action can be taken to strengthen corporate governance of cyber security risks for large businesses not already covered by sector-specific cyber security regulation.

The Government proposes a new voluntary governance standard for larger businesses that would describe responsibilities including the role of board, but not new ‘technical controls’. Home Affairs plans to ‘co-create’ the voluntary standard with industry, if advanced, and cites the ASX Corporate Governance Principles as a potential model for ‘if not/why not’ adoption. Positively, the paper does not recommend a mandatory model or new ‘cyber specific’ director duties, which had been flagged in earlier debate. The AICD engaged early with Home Affairs and Treasury on these specific issues and we understand our feedback has helped inform the approach.

Current regulatory framework to address cyber risks

Existing directors’ duties

The consultation paper considers the role of directors’ duties, noting it is widely accepted that cyber security risks are an increasingly important set of risks captured by existing directors’ duties. However, it goes on to state that Australian laws were not originally intended to address cyber security, commenting that:

• directors’ duties focus on protecting the interests of shareholders, rather than customers, who are likely to bear some of the costs of a cyber security incident; and
• current laws do not provide sufficient clarity about cyber security expectations, claiming that the broad scope and principles-based nature of obligations like directors’ duties under the Corporations Act are limited in incentivising the update of uniform cyber security standards

The AICD considers that existing general directors’ duties adequately cover care and diligence obligations on cyber risk. The AICD opposes the imposition of new forms of director liability whenever there is an emerging issue to be addressed.

Industry-specific regulation

APRA-regulated entities are subject to standards that deal specifically with operational risks, including cyber security (e.g. APRA’s Prudential Standard CPS 234 Information Security).

In addition, operators of assets in four critical infrastructure sectors (electricity, gas, water and ports are now subject to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act). The SOCI Act provides the Minister of Home Affairs with the ability to direct an owner or operator of critical infrastructure to do, or not do, specified things to mitigate against a national security risk.

The Government has also introduced a Bill, the Security Legislation Amendment (Critical Infrastructure) Bill (the SOCI Bill), which proposes, among other things, to: broaden the application of the SOCI Act to 11 sectors of critical infrastructure, including communications, data storage and process, financial services and food and grocery stores; and include a ‘positive security obligation’ for critical infrastructure, which involves mandatory cyber incident reporting and risk a management program. [1]

Consultation Options for reform

The consultation considers two reform options to strengthen cyber risk governance: 

A mandatory standard would involve a similar standard to Option 1; however, large businesses would be required to achieve compliance within a specific timeframe. While the consultation argues that this option would achieve improvements to large businesses’ cyber security governance in a timely manner, the paper accepts that a mandatory standard may be too costly and onerous given the current state of cyber security governance.

Definition of ‘large business’

The consultation does not define what ‘large businesses’ might be captured by a governance standard. The Government is interested in feedback on this given the range of definitions and thresholds that could be used, including those around proprietary companies and other definitions of large, small, and medium businesses.

We welcome member views on the definition of ‘large business’ (e.g. should it rely on existing definitions of large businesses, or should a new monetary threshold be agreed such as the $100m consolidated revenue threshold for modern slavery reporting).

AICD preliminary position

Strengthening Australia’s cyber security regulations and incentives is a high priority for the Government and for the community, and there is bipartisan support for increased regulatory focus.

In principle, the AICD sees merit in a voluntary governance standard that is developed with industry recognizing that many organisations are grappling with managing the complexity of cyber risk.

The AICD has also identified cyber risk as an important area for member support. A new AICD course for experienced directors, Cyber For Directors, has launched with strong interest amongst members, and cyber security is regularly featured in member content and the AICD’s new Digital Directors podcast.

The AICD is seeking views from company directors on these issues to inform our response to the consultation.

[1] The Government is currently working with industry bodies, existing regulators, state and territory governments, and critical infrastructure entities to co-design specific rules to underpin the positive security obligation.