The Australian Government published the 2023-2030 Australian Cyber Security Strategy on 22 November 2023. In response to rising cyber threats, it sets out a seven-year framework intended to make Australia a world leader in cyber security by 2030.
Why it matters: The Australian Signals Directorate's Annual Cyber Threat Report recorded nearly 94,000 cybercrime reports in the 2022-23 financial year. That amounts to one report roughly every six minutes.
The Cyber and Infrastructure Security Centre, part of the Department of Home Affairs, designed the 2023-2030 plan to mitigate these rising threats and protect Australia's citizens and businesses.
To achieve these objectives, the government has placed a set of obligations on corporate leaders to ensure they uphold their end of the bargain.
In short, these policies have teeth, and corporate leaders must take them seriously.
The Privacy Act gives the Information Commissioner the power to investigate organisations, both in response to complaints and on the Commissioner's own initiative following a breach. The Commissioner can also apply to the court for civil penalties or injunctions, accept enforceable undertakings and make determinations.
Corporations that fail to uphold privacy standards, or that seriously or repeatedly interfere with privacy, face severe penalties. Since the 2022 amendments the maximum civil penalty for a body corporate is the greater of AUD 50,000,000, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover during the relevant period.
Depending on the severity of the conduct, criminal charges are also possible.
Putting cyber security measures in place to protect against breaches sounds straightforward, but some real hurdles remain. Cyber security is a specialist discipline. Unless you are a corporate leader who specialises in it, you are unlikely to be able to handle these issues single-handedly, so these obligations will add to an already packed workload.
On the bright side, the obligations set out by the Cyber and Infrastructure Security Centre give corporate leaders an actionable playbook for making the right moves.
Don't brush these obligations aside: We cannot overstate the importance of taking them seriously. Yes, we have pointed out the penalties, and some might view them as empty threats. Don't make that mistake. The government is serious about preventing cyber security breaches that put the public at risk, and it will readily impose severe penalties where it can prove negligence.
For a more thorough overview of company leadership's cyber security obligations, refer to the government-published handbook. Below is a brief summary that touches on some key points:
(Disclaimer: We are only summarising a few of the cyber security obligations placed on corporate leaders in Australia. Consult the handbook itself for a comprehensive review of the expectations it sets out.
Also, each obligation applies to specific types of businesses and won't necessarily apply to yours. The handbook spells this out, making it easy to see what is expected and what isn't. Keeping up with these obligations will be hard enough without adding work that doesn't apply to you.)
- The obligations are divided into three subsections or themes:
- Preparedness for a cyber incident.
- Reporting to regulators before, during and after an incident.
- Responding to the consequences of a breach.
- Preparedness obligations:
- These include leaders taking appropriate steps to strengthen the security of the personal information they hold. They should also consider whether they need to collect and retain that personal information at all.
- Another preparedness obligation is having the right tools for the job: the cyber security measures you take and the technology you use must be proportionate to the personal information your company holds.
- Other obligations in this subsection include maintaining up-to-date risk management programs and incident response plans, participating in cyber security exercises, and adhering to certification frameworks.
- Reporting obligations:
- When a data breach is likely to result in serious harm to affected individuals, notify the Office of the Australian Information Commissioner (OAIC) and the individuals concerned.
- Another reporting obligation is to inform the Australian Signals Directorate of cyber security incidents, which improves the government's visibility of the threat landscape.
- Additionally, many corporate leaders must report reportable situations to the Australian Securities and Investments Commission and provide ongoing reports to the Register of Critical Infrastructure Assets.
- Response obligations:
- These obligations begin with vulnerability assessments. You might receive a notice from the Secretary of the Department of Home Affairs that your company will undergo such an assessment during a specified period, to identify risks and gaps in your systems so they can be remediated.
- Operators of Systems of National Significance might also receive notice from the Department of Home Affairs requiring them to provide system information, which improves situational awareness and gives the government a near-real-time picture of threats.
The sooner leaders adopt and embrace these obligations, the better. Doing so helps avoid severe financial and punitive consequences, keeps customers safe and businesses in good standing, and supports Australia's goal of entering 2030 as a world leader in cyber security.