Clifford Chance

The threat of cyber and ransomware attacks to Australian infrastructure and the economy is a top Government priority driving regulatory reforms.

Recent high-profile ransomware attacks

Australia has recently joined the US and other allies and called out and condemned the role of the Chinese government in global cyber-attacks (link).

This condemnation follows the recent and widespread attacks targeting Microsoft's ubiquitous Exchange Server platform which impacted firms globally and in Australia – causing thousands of firms to patch their servers against software exploits allegedly used by Chinese hacking group HAFNIUM (link).

This follows media coverage in May this year about the threats posed by cyber-attacks on critical infrastructure (links here, here and here) flowing from high-profile ransomware attacks on Colonial Pipeline in the United States and JBS Foods globally.

The cost of cyber attacks

It is estimated that in 2020 ransomware attacks cost the Australian economy AUD1.4 billion – which includes ransom demands and the costs of business disruptions. The chairman of the US Federal Reserve, Jerome Powell has estimated the costs of cyber-attacks to be more than USD20 billion for 2021 and were "his No. 1 concern for a major event causing financial instability".

The threat response - proposed regulatory reforms

The frequency, cost and profile of cyber-attacks has steadily increased since the release of Australia's Cyber Security Strategy 2020 (6 August 2020).

An initiative flowing from the 2020 Strategy, was proposed legal and regulatory reforms to incentivise Australian businesses and individuals to invest in cyber security to protect themselves and the wider economy from cyber security threats.

In a recent discussion paper, Strengthening Australia’s cyber security regulations and incentives, (the Discussion paper) the Australian Government is seeking stakeholder views about how to incentivise businesses to invest in cyber security, including through possible regulatory changes.

The paper proposes three broad objectives or "areas of action":

• setting clear cyber security expectations;
• increasing transparency and disclosure; and
• protecting consumer rights.

Clear cyber security expectations may involve using cyber security standards for corporate governance (large businesses), smart devices and minimum standards for protection of personal information (personal data protection).

The preferred approach for large businesses appears to be a voluntary principles-based (non-prescriptive) standard that aligns with similar international standards. The Discussion paper provides at page 21 that:

"A voluntary standard would strengthen and complement existing director’s duties under the Corporations Act, because a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constituted a breach of directors’ duties."

Standards for smart devices (i.e. Internet of Things devices – not necessarily including smart phones) could take the form of mandatory product standards requiring manufacturers to meet a minimum level of cyber security requirements. In particular, the discussion paper proposes Australia adopt the existing European cyber security standard for smart devices ETSI EN 303 645.

Minimum standards to protect personal information could take the form of an enforceable code that aligns with the Australian Privacy Principles (APP) found in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). Such a code may be brought into force by amending the Privacy Act and could be used to provide greater clarity around the meaning of the words "such steps as are reasonable in the circumstances" in respect of personal information found under APP 11 (which provides for security of personal information).

Increased transparency may be achieved through cyber security labelling for smart devices, disclosure polices for vulnerabilities and cyber security health checks for small businesses.

Protection of consumer rights is being considered by way of appropriate legal remedies (for consumers and individuals following a cyber-incident).

The legal reforms being considered to protect consumer rights include a review of the Privacy Act in relation to creating a direct right or cause of action for privacy breaches and reform of the Australian Consumer Law to clarify its application to digital products (smart phones, smart devices) and create a civil prohibition for consumer guarantees. 

Submissions on the discussion paper can be made up to 11:59pm on 27 August 2021.

For related briefings, please see the below articles from our US team:

• New York Department of Financial Services Issues Ransomware Guidance in Wake of Increased Attacks
• SEC Enforcement Action Against First American Underscores Importance of Accurate Disclosures of Cybersecurity Risk
• Microsoft Data Breach: Risk, Regulation and Managing a Crisis
• Ransomware: Prevention & Response