The Prime Minister, Hon. Malcolm Turnbull MP, launched Australia’s new Cyber Security Strategy on 21 April 2016. In doing so, the Prime Minister acknowledged that the Bureau of Meteorology had been the target of a cyber attack in early 2015.
The range of measures announced emphasises the importance the Government has placed on cyber security and reinforces that businesses of all sizes should consider their exposure to loss stemming from cybercrime and cyber attack as part of their risk management. The Government has released a 1-page snapshot of its new strategy and the full strategy.
The cost of cybercrime to the Australian economy
According to the Strategy, cyber criminal acts cost Australians over $1 billion each year. However, the Strategy also notes that losses from cyber security attacks are estimated to cost economies up to 1% of GDP annually. Applying that measure to the Australian economy suggests that the real impact of cybercrime on the Australian economy is approximately $17 billion annually.
Businesses that suffer cyber attacks may find themselves liable for breaches of their legal obligations, particularly if they have not prepared themselves for cyber attacks. For example, if a business has not taken reasonable steps to secure personal information it collects from individuals, it may have breached the Australian Privacy Principles under the Privacy Act 1988 (Cth) and be liable for pecuniary penalties in excess of $1 million per breach.
Risks and opportunities for the private sector
The cyber strategy emphasises that the increasing connectedness of Australians creates opportunities for entrepreneurship, but also exposes Australians and Australian business to cyber attacks.
The Government emphasises that cyber security is not just the responsibility of a business’ IT department but should receive serious attention from boards and senior executives. This reinforces the advice given by the Australian Securities & Investments Commission (“ASIC”) in its March 2015 cyber-resilience health check.
ASIC suggested that company directors should take cyber risks into account when discharging their statutory duties as directors. AFS licensees are ‘encouraged’ by ASIC to review the adequacy of their risk management systems and resources to address cyber risks and determine whether cyber risks should be disclosed as a significant risk associated with holding a product in the relevant product disclosure statement.
A snapshot of the Government investments in cyber security
The Prime Minister announced the following investments:
- $230 million over four years to build Australia’s cyber security capability (including $39 million on building a new home for the Australian Cyber Security Centre to improve private sector access, $47 million on threat-sharing centres and $36 million on improving intelligence and investigation capabilities);
- A separate $400 million allocated in the Defence White Paper for Defence cyber capability;
- A Minister Assisting the Prime Minister on cyber security;
- A Special Advisor on Cyber Security will be appointed within the Department of Prime Minister and Cabinet;
- The Foreign Minister will appoint Australia’s first Cyber Ambassador, in order to promote international cooperation on cyber security and to maintain Australia’s influence internationally on cyber security issues;
- Ties will be strengthened with international law enforcement, intelligence agencies and computer emergency response teams to combat the rise of international cybercrime;
- Increased funding for research on the cost of cyber attacks to the Australian economy; and
- Improving Australia’s ‘offensive cyber capabilities’ in order to ‘deter and respond to the threat of cyber attack’ in a manner that is consistent with Australia’s obligations under international law.
Partnership between public and private sectors
The Strategy emphasises the need for partnership between Government and the private sector on increasing Australia’s overall cyber security capabilities. The Prime Minister will host annual cyber security meetings with private sector representatives to address emerging cyber security issues. The Government expects that it will work with the private sector to exchange information on threats and responses through centres in key capital cities and an online cyber threat sharing portal. Additionally, the Government will support Australia’s cyber security sector to promote its capabilities globally.
Importantly, the Prime Minister announced that his Government would develop and introduce national voluntary Cyber Security Governance ‘health checks’ to enable boards and senior management to better understand and plan for their cyber security status, and to support SMEs to have their cyber security tested.
Steps to take
We encourage businesses and organisations to carefully examine their approach to cyber security and to data privacy. The increasing prevalence of cyber attacks means that it may only be a matter of time before an organisation is the target of a cybercriminal act. As is generally the case, prevention is better than cure.