New cyber security rules for business

Home Affairs Minister Karen Andrews. Picture: Joel Carrett

Businesses would face new minimum cybersecurity requirements and tougher standards on the handling of personal information under proposed new rules to make the nation more resilient to digital threats.

Manufacturers of smartphones and other “internet of things” devices would have to ensure their products met baseline standards under the cybersecurity blueprint.

A new government discussion paper said weak commercial incentives were hindering private sector investments in cybersecurity measures, imposing huge costs on the broader community.

It flagged the introduction of clear minimum expectations on businesses to manage cybersecurity risks, and better information for consumers about the security of technology products.

Consumers would also get access to clear legal remedies after cybersecurity incidents, under proposed changes.

The consultation comes amid a new Australian Institute of Criminology report estimating the total annual economic impact of cybercrime in Australia at $3.5 billion, including $1.9 billion lost by Australian victims.

The paper said cyber governance standards could be expanded beyond the owners of critical infrastructure businesses, which face tough cybersecurity obligations and mandatory cyber incident reporting.

“It is widely accepted that cyber security risks are an increasingly important set of risks that most large businesses, including those established in the corporate form, need to oversee and manage,” it said.

“However, there is no explicit requirement that cyber security forms part of many existing obligations including those applicable to directors.”

It said both voluntary and mandatory requirements were being considered, supported by better cybersecurity education.

It said a voluntary system risked lower compliance, but “a mandatory standard may be too costly and onerous given the current state of cyber security governance”.

New technical standards, such as a requirement for multi-factor authentication, are also being considered to help protect Australians’ data.

The paper flags an enforceable code to require companies to “take reasonable steps to protect personal information” by mitigating cybersecurity risks.

But it warns the design of the code must not overburden businesses.

Home Affairs Minister Karen Andrews said the government was acting to address what was a growing international problem.

“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” she said.

“I want to make sure Australian businesses – big and small – are secure, and consumers are protected.”

Fergus Hanson, the head of the Australian Strategic Policy Institute’s International Cyber Policy Centre, said most Australian firms “routinely under-invest in cyber security”.

“Sectors like banking have an absolute crystal-clear rationale for investing in cybersecurity, because they’re trying to get people to stop stealing their money.

“But for companies in other sectors it is not a top priority. So we see over and over again people’s data being leaked or stolen, or companies being held to ransom and their services disrupted.”

He said incentives, potentially through the taxation system, were a better way to improve cybersecurity practices than heavy-handed regulation.