Why industry consultation is essential in cybersecurity

Written by Sarah Sloan, Head of Government Affairs and Public Policy, ANZ.

The dust has yet to settle following Optus’ unfortunate data breach, and National Cybersecurity Minister Claire O’Neil has already signaled plans for reform.

The government’s continued commitment to improving Australia’s cybersecurity resilience and data security is commendable and should be welcomed. When a major data breach occurs, it is reasonable for governments and citizens to question whether our current laws are adequate and fit for purpose.

Last week the government announced that banks and other financial institutions would be notified of data breaches when they occur to help identify and prevent fraudulent activity. These measures could be a major and much-needed boost to strengthen consumer protection against future data breaches, provided they are underpinned by cybersecurity and privacy principles.

As with any policy, however, the devil is in the details.

As noted by ABC News, Minister O’Neil herself has suggested that current data and cybersecurity requirements must be fit for purpose. And to make them fit for purpose, it is essential that relevant industry stakeholders are able to help shape them – or at least contribute to the conversation, so that all aspects are considered.

The decision to bring the country’s financial services industry into the breach notification loop can be an appropriate first step to strengthen data security at all levels. Australian banks have done a reliably good job of sharing information about cybersecurity threats and best practices with each other.

But any obligation imposed on banks or other institutions must be reasonable and proportionate. Additionally, the scope of any potential regime may need to be broadened to include other businesses, as well as state and federal government authorities, such as those that issue driver’s licenses or health insurance cards.

Today, Australia’s expectations for data governance and data breaches are firmly anchored in privacy law, so any review of the adequacy of our laws following this recent violation should logically begin there. The Privacy Act remains the most appropriate instrument to address public concerns about the management and retention of their personally identifiable information.

The government has already flagged changes to the Privacy Act, saying it may consider increasing penalties associated with data breaches and expanding our privacy obligations to better align with international best practices. While this may be the impetus for cultural change across Australia, the government may also wish to consider incentives for adherence to good practice.

However, what precisely constitutes reasonable and proportionate regulation can only be determined by consulting the industries it may affect.

It is therefore important that the government takes a holistic and thoughtful approach to any policy and regulatory changes it deems necessary by speaking and listening to trusted industry stakeholders.

When it comes to cybersecurity, I think we can all agree on the importance of up-to-date, best-practice standards, policies and laws to keep pace with evolving threats.

In April this year, the former government, with the support of the then opposition, passed significant and far-reaching reforms aimed at strengthening the cybersecurity posture and the resilience of our critical infrastructure. These new obligations are still in the process of coming into force and continue to be implemented by industry in partnership with government. As the cyber threat landscape is rapidly changing, it is important for policy makers to understand how regulatory obligations are operationalised before considering additional layers of liability. We shouldn’t shift the regulatory targets on industry now.

The more industry can work together and with government, the greater the chance of keeping pace with the changing threat landscape. This public-private consultation and industry collaboration also supports the evolution of technology that is playing an increasingly important role in giving businesses and individuals visibility into, and defending them against, cyberattacks in real time.

As we have seen in recent years, cyberattacks can affect anyone, and it is in all of our interests to be part of the solution. A hit on one of us is a hit on all of us. On this front, industry has as much a role to play as government, both in implementing appropriate technologies and in developing new policies and regulations.

This is why effective collaboration between government at all levels and the private sector to combat the rise in cyberattacks has never been a higher priority. And perhaps nowhere does such collaboration have more impact than when it comes to creating new policies to protect businesses and their customers from harm.

The federal government is already doing good work in the area of public-private collaboration in cyber defence. This can be seen in initiatives such as the Australian Cyber Security Centre (ACSC) Partnership Program, which gives organizations and individuals the opportunity to engage with the national cyber security agency and other partners to leverage collective understanding, experience, skills and capacity to build cyber resilience across Australia. This program could be further used to develop new guidance documents and security advisories on important security concepts such as attack surface management and zero trust.

As the above initiatives demonstrate, we are on the right track. Now we need to further deepen collaboration in the decision-making processes behind the development of new policies and laws to help protect Australian people and businesses from future cyberattacks and data breaches.

After all, cybersecurity is first and foremost a team sport. By working together, the whole becomes more powerful than the sum of its parts. But if the wrong players are left on the bench, it could lead to a lost game. And cybersecurity is definitely a game we don’t want to lose.