The constant evolution of cyber threats, coupled with an increasing active regulatory landscape, has made it imperative for organisations to prioritise both cyber security and compliance, and to balance cyber risks and costs of compliance or mitigation.
We outline how cyber security is changing in Australia and the obligations businesses operating in both Australia and internationally should be aware of.
Why are cyber attacks and data incidents so common?
The increase in cyber attacks in Australia continues in 2023, and could be for a number of reasons, including;
- an increased business reliance on new technology, making opportunities to attack more likely;
- financial motivation for cybercriminals;
- increased availability of tools and resources to launch successful attacks;
- unpatched vulnerabilities in software and systems;
- human error and a lack of cybersecurity awareness;
- a rapidly evolving threat landscape, whereby cybercriminals are finding new ways to exploit existing vulnerabilities or to bypass new security measures.
It is difficult to say whether there are more data incidents or whether the threat actors are just getting better at what they do and perhaps the true answer lies somewhere in between.
Addressing the risk and prevalence of cyber attacks and data incidents requires a multi-faceted approach involving robust cybersecurity measures, continuous education and awareness at the personal and organisational levels, improved software development practices in the private sector and open source communities, and deeper collaboration and cooperation among the public and private sectors, both domestically and internationally.
What is changing with cyber security awareness in Australia?
In recent years, the Australian Government and various organisations have taken significant steps to enhance cyber security awareness and education across the country.
Some notable developments include:
- The Australian Cyber Security Centre, established in 2014, is a Commonwealth government initiative serving as a central hub for cyber security information, advice and guidance in Australia.
- The Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre launched the Cyber Security Governance Principles in October 2022. The Principles offer a framework for assisting Australian company directors to oversee and engage with management on cyber security risk.
- The 2023-2030 Australian Cyber Security Strategy, which is a plan to enhance the nation’s cyber security capabilities, strengthen critical infrastructure protections and foster international collaboration.
- The Australian government established the National Office of Cyber Security, and from 3 July 2023 appointed Air Marshall Darren Goldie AM CSC to be Australia’s first National Cyber Security Coordinator. The Coordinator will lead national cyber security policy, the coordination of responses to major cyber incidents, whole-of-government cyber incident preparedness efforts and the strengthening of Commonwealth cyber security capability.
Community expectations are also changing, and in the face of more frequent cybercrime incidents, victims are expecting that public and private organisations will take greater responsibility for securely collecting and handling personal information. And equally, that holders offer more efficient and better notice in the case of a data breach affecting those personal details.
How are obligations for regulation compliance changing for companies?
Regulation and compliance obligations are growing. In only recent years, there have been a number of data breach notification schemes introduced, particularly at a federal government level in Australia, but this is also occurring worldwide.
Some of the Australian notification schemes include:
- the Notifiable Data Breaches Scheme,
- the notice provisions in Part of the Corporations Act 2001 (Cth) which requires Australian Financial Services licence holders to let ASIC know if there is a breach or non-compliance of their licence obligations; and
- responsible entities of critical infrastructure assets are required by the Security of Critical Infrastructure Act 2018 (Cth) to report cyber security incidents to the Australian Cyber Security Centre (ACSC) within 12 hours for ‘significant impact’ incidents, and within 72 hours for all other incidents. Some responsible entities are also required to establish, maintain and comply with a Critical Infrastructure Risk Management Program for each of their critical infrastructure assets.
Do compliance obligations apply internationally?
Outside of Australia, there are also similar data breach notification, cyber security or critical infrastructure schemes. If your organisation is operating outside of Australia, there may be multiple schemes that you need to consider when evaluating your compliance notifications.
How can HopgoodGanim assist?
HopgoodGanim’s Intellectual Property, Technology and Cyber Security team provide market-leading advice for new and existing businesses on all aspects of cyber security, including cyber preparedness and data breach incident response. The team handles cyber, privacy and data protection claims, helping clients mitigate and manage complex scenarios, and advise proactively on technology, liability and privacy risks.
Find out more about our cyber security practice.