Phisherman - Australia’s new Cyber Security Strategy protecting businesses and customers

On 14 November 2023, Prime Minister Anthony Albanese released a seven-year cyber security strategy intended to address major barriers to businesses reporting malicious intrusions and ransomware attacks (cyber-attacks).1

The strategy seeks to facilitate cyber-attack reporting by companies, government, and critical infrastructure operations to allow for quick and effective responses to cyber-attacks, limit the impacts of such attacks, and assist in developing better protections against future cyber-attacks. The initiatives suggested by the strategy stem from the key recommendations of the government’s review into the recent Optus and Medibank cyber-attacks.2

The strategy is available online here.

The strategy

The strategy aims to strike a balance between encouraging early and open engagement with the Australian Signals Directorate and national Cyber Co-ordinator (ASDCC) while maintaining an effective regulatory environment that protects the broader public interests.

To encourage early reporting, the strategy seeks to overcome the following main barriers to reporting:

  • non-reporting for fear of repercussions by regulating authorities; and
  • the complexity of reporting under the current system.

Initiatives to combat fear of repercussions

The main initiatives the strategy suggests to overcome fear of repercussions as a barrier to reporting are to:

  • legislate a “limited use obligation”, which ensures that when companies report cyber-attacks to the ASDCC, other government entities are limited in how they can use the shared information; and
  • introduce a new mandatory no-fault reporting system which would require companies to report cyber ransom demands, but would not ban the companies from paying the ransom demands.

Initiatives to combat complexity of reporting

The strategy recognises that the current reporting system is complex and companies find it difficult to understand their reporting obligations under the current system. On this premise, the strategy plans:

  • for an industry code of practice to be established; and
  • for a single online reporting portal to be developed which will help companies navigate mandatory obligations and bring key reporting links together in one place.

Lavan comment

In the context of frequent and increasingly invasive cyber-attacks occurring in Australia, it is important that there is an organised and uniform approach by government. An important part of this approach is keeping track of the frequency, intensity and nature of cyber-attacks, in order to mitigate the impact of cyber-attacks and better protect companies and the public against future cyber-attacks.

Company reporting of cyber-attacks is integral to the government’s ability to protect companies and the public. The strategy is welcome in that it makes it easier for companies to report cyber-attacks and affords protections that ensure reporting will be more frequent and more prompt.

It also reflects that this is an area of continued change, and businesses need to keep abreast of the changes to their obligations in this critical area.

If you or your business would like further advice or assistance on how you can minimise any risk with respect to the cyber security of your business or need assistance complying with reporting obligations, please reach out to Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.