Written by Sarah Sloan, Head of Government Affairs and Public Policy, ANZ.
The dust is yet to settle following the unfortunate Optus data breach, and the nation’s Minister for Cyber Security, Claire O’Neil, has already flagged plans for reform.
The Government’s continued commitment to improving Australia’s cyber security resilience and data security is laudable and should be welcomed. When a major data breach occurs, it is reasonable for governments and citizens to ask whether our current laws are adequate and fit for purpose.
Last week, the Government announced that banks and other financial institutions would be informed of data breaches when they occur to help identify and prevent fraudulent activity. These measures could be a major and much-needed boost to enhancing consumer protections in the face of future data breaches, so long it is underpinned by cyber security and privacy principles.
As with all policy, however, the devil is in the detail.
As noted by ABC News, Minister O’Neil herself has suggested that current data and cyber security requirements need to be fit for purpose. And to make them fit for purpose, it’s essential that the relevant industry stakeholders are in a position to help shape them – or at least contribute to the conversation, so all aspects are considered.
The decision to bring the country’s financial services industry into the breach notification loop may be an appropriate first step to elevating data security across the board. Australia’s banks have done a reliably good job of sharing information about cyber security threats and best practices between each other.
But any obligations placed on banks or other institutions need to be reasonable and proportionate. Moreover, the scope of any potential regime may need to be expanded to include other companies, as well as state and federal government authorities – such as those that issue driver’s licences or Medicare cards.
Today, Australia’s expectations with respect to data governance and data breaches sit firmly within the Privacy Act, so any review into the adequacy of our laws in the wake of this recent breach, must logically start there. The Privacy Act remains the most appropriate instrument to address the public’s concerns around the management and retention of their personally identifiable information.
The Government has already flagged amendments to the Privacy Act – saying it may look to increase the penalties associated with data breaches and broaden our privacy obligations to better align with international best practice. While this may be the impetus for cultural change across Australia, the Government may also wish to look at incentives for adherence to good practices.
However, precisely what constitutes reasonable and proportionate regulation can only be ascertained through consultation with the industries it may affect.
So it’s important that the Government takes a holistic and considered approach to any policies and regulatory changes it deems necessary by talking and listening to trusted industry stakeholders.
When it comes to cyber security, I think we can all agree on the importance of up-to-date and best practice standards, policies and laws to keep pace with evolving threats.
In April this year, the former Government, with support of the then opposition, passed significant and far-reaching reforms aimed at increasing the cyber security posture and resilience across our critical infrastructure. These new obligations are still coming into legal effect and continue to be implemented by industry in partnership with the Government. While the cyber threat landscape moves quickly, it is important that policy makers understand how regulatory obligations operationalise when considering additional layers of responsibility. We should not move the regulatory goalposts on industry now.
The more industry can work together and with the Government, the greater the chances are of keeping pace with the evolving threat landscape. Such public-private consultation and industry collaboration also support the evolution of the technology that is playing an increasingly important role in providing visibility of, and defending businesses and individuals from cyber attacks in real-time.
As we’ve seen over recent years, cyber attacks can affect anyone, and it is in the interest of all of us to be part of the solution. A hit on one of us is a hit on all of us. On this front, industry has just as much a part to play as the Government, both in the implementation of appropriate technology and the development of new policies and regulations.
This is why the effective collaboration between Government at all levels and the private sector to tackle the rise in cyber attacks has never been more of a priority. And perhaps nowhere does such collaboration make more of an impact than when it comes to creating new policies aimed at protecting businesses and their customers from harm.
The federal Government is already doing some good work in the area of public-private collaboration on cyber defence. This can be seen in initiatives such as the Australian Cyber Security Centre (ACSC) Partner Program, which gives organisations and individuals the opportunity to engage with the nation’s cyber agency and fellow partners to draw upon collective understanding, experience, skills, and capability to lift cyber resilience across Australia. This program could be further utilised to develop new guidance materials and security advisories on important security concepts such as attack surface management and zero trust.
As the above initiatives demonstrate, we’re heading on the right path. Now, we need to further deepen collaboration to the decision-making processes behind the development of new policies and laws to help protect Australia people and businesses against future cyber attacks and data breaches.
After all, cyber security is very much a team sport. By working together, the whole is made more powerful than the sum of its parts. But if the wrong players are left on the bench, it could lead to a lost game. And cyber security is definitely a game we don’t want to lose.
