Cyber incidents are increasing in regularity and becoming more high-profile. It’s a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. For organisations and their leaders, this means a growing and changing area of complex responsibility.
The Federal Government is developing its 2023-2030 Australian Cyber Security Strategy, exploring a range of policy options, and, importantly, considering new and enhanced obligations for Australian entities and directors to specifically address cyber security risks and consequences.
To contribute to this important discussion, the Australian Institute of Company Directors (AICD) commissioned KWM to analyse and compare existing and proposed cyber security obligations in Australia against those in the United States, Canada, the European Union and the United Kingdom.
This report highlights the significant resources and attention governments internationally are devoting to combatting cyber threats. Companies and boards need to play a proactive role, cognisant that among the proposals mooted in the discussion paper shaping the Federal Government’s 2030 strategy is consideration of an additional specific cyber duty for Directors.
Our discussion below breaks down the report’s key findings and what they mean.
This research was prepared for the AICD. A version of this article first appeared here. You can read the full report and acknowledgements here.
Key findings and implications
[Comparison table of existing and proposed cyber security obligations across the surveyed jurisdictions; the table itself is not reproduced here.]
Table notes:
- At a Federal level, noting that States may also have specific cyber security legislation and regulations.
- At a Federal level, noting that Provinces and Territories may also have specific cyber security legislation and regulations.
Governance and board accountability
Finding #1: There are no specific duties imposed generally on directors in relation to cyber security
As a general proposition, none of the jurisdictions surveyed have yet imposed a specific duty on directors generally to ensure the cyber security of their organisations.
However, in each jurisdiction, directors owe general duties of care, skill and diligence. In practice, this means directors must be able to satisfy themselves that cyber risks are adequately identified and addressed by their organisations.
Finding #2: There is a trend towards imposing cyber security responsibilities on directors under industry-specific legislative frameworks
We see a trend of increasing governance implications and accountability for boards and management in particular industry sectors, especially critical infrastructure.
Other significant sectors – particularly financial services and telecommunications – are also subject to sector-specific cyber obligations. In some jurisdictions, there are similar specific regulations imposed on, or proposed for, the transport, health and AI industries.
Finding #3: There is increasing scope for actions directly against directors
In the US, there is a strong precedent of cyber security related class actions being brought against boards and officers. In the EU and UK, there is also clear scope for data subjects to claim compensation from directors, given that ‘natural persons’ can be liable for breaches of the GDPR or UK GDPR.
There is far less precedent for direct actions against directors in Australia and Canada in relation to cyber security. This could change in Australia following the Privacy Act Review proposals to introduce a direct right of action for individuals for privacy breaches, and a statutory tort for serious invasions of privacy.
Sector-specific cyber security obligations
Finding #4: In general, stronger sector-specific cyber security obligations are being introduced to address supply chain and national security cyber risks.
Australia’s cyber-specific obligations on directors in relation to critical infrastructure and systems of national significance are currently stronger than those in the other surveyed jurisdictions.
Critical infrastructure is the dominant focus of cyber regulatory reform across all surveyed jurisdictions:
- In Australia, the ongoing reforms to the Security of Critical Infrastructure Act 2018 (Cth) are central to Australia’s national strategy to strengthen cyber security. At present, obligations are imposed on responsible entities for critical infrastructure assets in relation to reporting, notification, government assistance, risk assessment and planning.
- US federal regulation of critical industries is trending in a broadly similar direction to Australia in relation to reporting and incident notification. Its ambit is otherwise comparatively limited.
- Canada’s security of critical infrastructure regime is at a nascent stage. Although a cyber security bill has been proposed, there is currently no legislation that applies specifically to Canada’s critical infrastructure.
- The EU and UK have advanced, comprehensive frameworks regulating the cyber security of critical infrastructure. In both jurisdictions, operators of essential services must take measures to detect and manage security risks and must notify the relevant authorities of incidents.
Cyber intelligence sharing mechanisms and frameworks
Finding #5: Stronger multidirectional information sharing mechanisms are expected across jurisdictions.
In each jurisdiction, there is a range of mechanisms and frameworks to facilitate intelligence sharing and cyber support in relation to cyber security threats and incidents. These mechanisms are largely voluntary. As cyber risks continue to grow and affect both governments and companies, there is a focus on increasing the speed and scale of cyber intelligence sharing and cyber threat blocking.
International coordination for cyber incidents
Finding #6: There is increasing international coordination in response to cyber incidents
Recognising the value of international coordination in addressing and responding to cyber incidents, there is an increasing effort to scale collaboration across the international community. For example, partnerships such as the Counter-Ransomware Initiative, the Quadrilateral Security Dialogue (or the Quad) and AUKUS allow Australia (and the other Comparator Jurisdictions) to:
- share cyber threat information;
- exchange model cyber security practices;
- compare sector-specific expertise;
- drive secure-by-design principles; and
- coordinate policy and incident response activities with its international counterparts.
Future directions
Finding #7: Significant new cyber security regulatory developments are expected in each jurisdiction.
As countries grapple with evolving cyber security threats and risks, significant new regulatory developments are expected in each jurisdiction.
Clearly, the international cyber regulatory landscape is in a state of flux. In general, however, the surveyed jurisdictions share common cyber policy objectives with Australia. Each is implementing regulatory reforms to make its organisations more cyber secure and cyber resilient, often in ways that are increasingly consistent with one another. This is to be expected, given the global nature of cyber security risks and the natural convergence of policy outcomes and the mechanisms used to address them.
Implications for Directors
This survey reveals transnational resolve to counter the threat cyber crime poses to privacy and prosperity, and recognition of the importance of cooperation between stakeholders to prevent and manage incidents. It also shows an increasing trend towards imposing greater responsibilities on boards and management to ensure the cyber security of their organisations in critical industries.
Recent Australian Government criticism of corporate responses to data breaches, together with the question posed in its strategy discussion paper (‘Should the obligations of company directors specifically address cyber security risks and consequences?’), suggests that the Australian Government, at least, is considering broadening these obligations beyond critical industries. However, section 180 of the Corporations Act already requires directors to discharge their duties with reasonable care and diligence, which we argue already requires them to take steps to ensure cyber security risks are mitigated and managed.
What we think would most assist directors, companies, government agencies, and small and medium businesses is clear guidance on what ‘good’ looks like, and how to actually achieve it. The AICD’s Cybersecurity Governance Principles are highly recommended as a valuable starting point for anyone coming up the curve on cyber security governance.