Business Insight

Australia's cyber strategy – a bold regulatory reform agenda


    Expect significant regulatory change and guidance from government that reinforces recent comments from regulators about the need for Boards to be held accountable for managing cyber risk.

    What you need to know

    • The 2023-2030 Australian Cyber Security Strategy was released by Home Affairs Minister Clare O'Neil on 22 November 2023, supported by an Action Plan detailing key initiatives over the next two years, several of which have already launched.
    • It is a bold political commitment to take immediate, impactful action that will help Australia manage persistent cyber threats of today while building a more cyber-secure ecosystem over time. This involves an equally bold regulatory reform agenda, with consultation on early reforms expected before Christmas.
    • The Strategy reinforces recent comments from regulators that Boards and leadership teams need to be held accountable for managing cyber risk, and the importance of being prepared to respond to significant cyber incidents. It is clear that cyber response and readiness is a regulatory priority.
    • With 60 specific actions scheduled for the initial two years of the Strategy, expect significant regulatory change and guidance from Government, aligned with once-in-a-generation privacy regulation updates coming in 2024.

    What you need to do

    • Don’t take your foot off the cyber pedal – Get your cyber security house in order, particularly if you are a larger business. Consistent with recent statements from regulators, larger businesses are expected to do more to protect their customers, their supply chains, and the broader economy from cyber risks. Read more about regulatory pressure to manage supply chain risks, practical steps to understand and secure your organisation's data and the particular challenges of identity data.
    • Develop “thorough and comprehensive” cyber response plans for significant incidents – Don’t wait for new regulation before you start uplifting operational and strategic response plans, but do be prepared to update your plans with details of the single reporting portal, engagement with the National Cyber Security Coordinator, information sharing with authorities, and potentially new processes like a "no-fault" post-incident review by the Cyber Safety Review Board. Work with legal advisors to understand what protections will be afforded to information you will need to share and incorporate learnings into incident response planning and reporting.
    • Turn heightened expectations and more advisories into action – Regulators simply expect more than ever before. An explosion in cyber advisories and guidance is blurring lines between minimum requirements, recommended practice, best practice and aspirational objectives. Business leaders need to quickly translate advisories into action – or face regulatory action, reputational and market consequences and litigation risks. Ashurst has a model for “thorough and comprehensive” incident response planning to help assess an organisation's cyber maturity and help meet regulatory expectations.
    • Help shape what's coming – The Government has already undertaken significant consultation, but more consultation will be needed to iron out the details – both in the immediate term and for the foreseeable future. This is a once-in-a-generation opportunity to shape national-level policy. The consultation period begins before Christmas and will wrap up by 24 March 2024. The Government expects to work hand-in-glove with industry to co-design a more secure future – and industry needs the bandwidth to engage.

    An ambitious reform agenda

    The 2023-30 Australian Cyber Strategy is a comprehensive blueprint for a more cyber resilient Australia. It demonstrates how the Australian Government intends to deliver on its bold commitment to be a world leader in cyber security by 2030. The Strategy is supported by an Action Plan that is not limited to regulatory changes but describes a complex web of measures designed to uplift Australia’s cyber security workforce, lift cyber defences, drive better collaboration, and build cyber resilience into the fabric of our economy.

    The Strategy and Action Plan break the six cyber shields into 20 strategic initiatives, with 60 specific actions scheduled to launch over the next two years alone. Many of these are integrated strategic and tactical interventions that build on one another – so that the whole is greater than the sum of its parts.

    We have drawn out below some key measures that are likely to impact business in the short term. Read on for a deeper dive into a few of these issues.

    Key regulatory reforms to build cyber resilience


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.