Directors and industry at risk from ‘knee-jerk’ laws and policies


These new laws relate to cyber security and include requirements for companies to report incidents to the Australian Cyber Security Centre (ACSC), and also give powers for government to take over operations during a cyber attack on a company deemed critical to national infrastructure.

‘Going inside critical infrastructure’

Mr Bush said the rules overlapped other pre-existing reporting regimes and created a red tape nightmare for boards. He said industry concerns about the implications of new government powers had also been brushed aside, with the legislation passing the lower house before it had even been referred to the Parliamentary Joint Committee on Intelligence and Security.

“It enables a government employee to go inside a critical infrastructure nominated entity and insert monitoring software into their organisation, and that really concerns global technology companies who run global clouds,” Mr Bush said.

“The notion that someone from government can wander in with a hard drive or a USB and insert software into global clouds is naturally very concerning. It is concerning to tech companies, to energy companies, to retail companies and to banks right across the economy.”

However, he said it was the regulatory overlap that was worrying businesses most, along with the prospect of boards being prosecuted because compliance is impractical.

In the past 12 months there have been reviews and new laws covering the technology sector from the Online Safety Commissioner, the Department of Home Affairs, the Attorney-General’s Department, Treasury, the Office of the Australian Information Commissioner (OAIC), the Digital Transformation Agency and the Australian Cyber Security Centre.

For data breach notifications, the Privacy Act requires companies to report breaches of personal information to the OAIC, regardless of whether the breach is the result of a cyber incident or human error. However, under the new critical infrastructure rules any cyber-related breach will also need to be reported to the ACSC within the Australian Signals Directorate.

The AIIA thinks it is unreasonable to expect companies to be worrying about two different reporting requirements, with different agencies and with different timeframes, at a time when they should be focusing on recovering from a cyber incident.

‘A very heavy stick’

On top of that, the Department of Home Affairs has kicked off industry consultation about proposed new ransomware reporting obligations that will apply to all Australian businesses that have revenues of more than $10 million a year.

“Depending on the severity of an attack, businesses will have to report ransomware details to the ACSC within 12 hours, and when you ask the bureaucrats what the purpose is, they say it is so that they can gather greater information on what is going on,” Mr Bush said.

“It’s a worthy ambition, but it’s a very heavy stick and lever that they’re putting on the economy and on businesses just to get information that they will already get a good view on through the critical infrastructure bill.”

The AIIA is proposing a council of technology regulators, which would work on a similar principle to the Council of Financial Regulators that sits across the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission, the Australian Treasury and the Reserve Bank of Australia to ensure effective and efficient financial regulation.

“We would argue that the relevant people who are creating laws and policies that govern the tech sector should come together and work on any new regulation and industry needs to be part of that process,” Mr Bush said.

“It would stop this fairly siloed, knee-jerk response to issues as they arise … If you get better policy outcomes and industry endorse it, then it’s good for government.”
