National changes under way mandate business, industry and government operators adopting heightened cyber security and privacy practices.

The Federal Government's 2023 - 2030 Australian Cyber Security Strategy [1] is a seven-year plan to lift Australia's cyber security standards and support the development of world-leading capabilities in this space.

It's an initiative driven by the need to critically improve cyber security standards, align regulations into an integrated national cyber policy, and include the many small to medium businesses (SMEs) that represent the majority of the country's commercial enterprises.

Large-scale cyber attacks on Australians, such as the Optus and Medicare cyber breaches during 2023, showed that corporate and government bodies are not optimally equipped to respond to security breaches. The new government strategy sets out to update existing regulations and provide standard guidelines and mandatory actions in the event of a cyber security breach.

What is the purpose behind the Australian Government Cyber Strategy 2030?

The aim is to:

  • protect customer data and privacy
  • ensure organisations have the right cyber security settings
  • introduce legal and policy settings around ransomware reporting [2].

The priorities focus on core policy areas including:

  • regulatory frameworks
  • international strategy
  • securing government systems

as well as potential policy areas spanning:

  • public-private mechanisms to share/block cyber threats
  • workforce and skills pipeline
  • national incident response framework
  • community awareness
  • cyber security ecosystem and technological development
  • security in new technologies (such as quantum computing and AI)
  • implementation governance and evaluation
  • further cyber security optimisations still under consideration.

In brief: the 2023 - 2030 Australian Cyber Security Strategy action plan

To achieve the 2030 vision, the Australian government will:
  • support small and medium businesses to strengthen their cyber security
  • work with industry to break the ransomware business model
  • provide clear cyber guidance for businesses
  • make it easier for businesses to access advice and support after a cyber incident
  • secure our identities and provide better support to victims of identity theft.

The Government roadmap identifies six essential cyber security shields.

  1. Strong businesses and citizens: Better protection from cyber threats for Australian citizens and businesses, and the ability to recover quickly from a cyber attack.
  2. Safe technology: Confidence that digital products and services are safe, secure and fit for purpose.
  3. World class threat sharing and blocking: Access to real-time threat data and the ability to block threats at scale.
  4. Protected critical infrastructure: Critical infrastructure and essential government systems will withstand and recover from cyber attacks.
  5. Sovereign capabilities: Enabling Australia's cyber industry to flourish with a diverse and professional workforce.
  6. Resilient regional and global leadership: Making the region more cyber resilient and upholding Australia's international laws while shaping global rules and standards.

What changes will businesses need to be aware of to comply with higher cyber security expectations?

  1. The regulatory framework will be updated via new legislation that may translate to additional obligations for businesses, particularly around the security and disposal of personal information (i.e. data privacy, data loss and data retention).
  2. New regulations will make reporting cyber incidents to the relevant authorities mandatory. Businesses will need to establish incident response plans and processes for reporting cyber incidents accurately and in a timely fashion, and SME business operators are likely to be brought into this over time.
  3. Businesses and operators involved in supply chains play a critical role in maintaining critical Australian infrastructure. To ensure a robust and secure supply chain, businesses will need to assess and address potential cyber vulnerabilities and boost cyber security measures.
  4. The government emphasises the importance of collaboration and knowledge sharing to collectively defend against cyber threats and enhance resilience.
  5. Businesses should expect to invest in cyber training and upskilling for their employees, and to develop a cyber-aware culture to help ensure employees are equipped to identify and respond to cyber threats, as part of the government's minimum cyber standards.
  6. Businesses need to develop cyber security strategies and accountabilities to ensure appropriate measures are in place to prevent, detect, respond to and recover from cyber incidents. These should include response plans, regular risk assessments and employee training.
  7. For businesses with international ties, the government emphasises the importance of sharing best practices and actively participating in joint efforts to enhance cyber security through, where applicable, forums, conferences and information sharing platforms.

Cyber awareness education a keystone in growing Australian cyber resilience

The Federal Government has already been issuing learnings from cyber attacks and will continue to publish privacy documents for company directors, providing guidance on governing principles for managing cyber risk and responding to breach events.

The Australian Institute of Company Directors (AICD) paper 'Governing Through a Cyber Crisis — Incident Response and Recovery for Australian Directors' [3] was developed off the back of the need to provide senior leaders, directors and boards with a governing framework for proactive, best-practice cyber governance, and it has significant relevance to the improvement path for cyber security in Australia.

How Gallagher can help

In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents. Our experts can conduct risk analysis and suggest proactive best practices specific to your business, as well as gap analysis in terms of what underwriters will be looking for, and make recommendations regarding the coverage required to ensure there are no policy deficiencies in your cyber insurance.


Sources

[1] 2023 - 2030 Australian Cyber Security Strategy, Australian Government, accessed 2 May 2024.

[2] Mandatory Notification of Data Breach Scheme, Information and Privacy Commission, 28 Nov 2023.

[3] Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors, AICD, 28 Feb 2024.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312