On 14 November 2023, Prime Minister Anthony Albanese released a seven-year cyber security strategy intended to address major barriers to businesses reporting malicious intrusions and ransomware attacks (cyber-attacks).1
The strategy seeks to facilitate cyber-attack reporting by companies, government, and critical infrastructure operations to allow for quick and effective responses to cyber-attacks, limit the impacts of such attacks, and assist in developing better protections against future cyber-attacks. The initiatives suggested by the strategy stem from the key recommendations of the government’s review into the recent Optus and Medibank cyber-attacks.2
The strategy is available online here.
The strategy aims to strike a balance between encouraging early and open engagement with the Australian Signals Directorate and national Cyber Co-ordinator (ASDCC) while maintaining an effective regulatory environment that protects the broader public interests.
To encourage early reporting, the strategy seeks to overcome the following main barriers to reporting:
Initiatives to combat fear of repercussions
The main initiatives the strategy suggests to address fear of repercussions as a barrier to reporting include:
Initiatives to combat complexity of reporting
The strategy recognises that the current reporting system is complex and companies find it difficult to understand their reporting obligations under the current system. On this premise, the strategy plans:
In the context of frequent and increasingly invasive cyber-attacks occurring in Australia, it is important that there is an organised and uniform approach by government. An important part of this approach is keeping track of the frequency, intensity and nature of cyber-attacks, in order to mitigate the impact of cyber-attacks and better protect companies and the public against future cyber-attacks.
Company reporting of cyber-attacks is integral to the government’s ability to protect companies and the public. The strategy is welcome in that it makes it easier for companies to report cyber-attacks and affords protections that ensure reporting will be more frequent and done promptly.
It also reflects that this is an area of continued change, and businesses need to keep abreast of the changes to their obligations in this critical area.
If you or your business would like further advice or assistance on how you can minimise any risk with respect to the cyber security of your business or need assistance complying with reporting obligations, please reach out to Iain Freeman.
1 2023 – 2030 Australian Cyber Security Strategy (link)
2 The Australian ‘cyber law shake-up to shield companies’ (online, 17 November 2023)