International Comparison of Cyber Security Regulatory Settings: KWM report commissioned by the AICD

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. 

Comparing Australia’s cyber landscape

The Federal Government is developing its 2023-2030 Australian Cyber Security Strategy – exploring a range of policy options, and importantly, considering new and enhanced obligations for Australian entities and directors to specifically address cyber security risks and consequences.

To contribute to this important discussion, the AICD commissioned KWM to analyse and compare existing and proposed cyber security obligations in Australia against those in the United States, Canada, the European Union and the United Kingdom. The analysis has particular regard to directors’ duties and governance.

The survey highlights the significant resources and attention governments internationally are devoting to combatting cyber threats. Companies and boards need to play a proactive role, cognisant that among the proposals mooted in the discussion paper shaping the Federal Government’s 2030 strategy is consideration of an additional specific cyber duty for directors.

See the full report and acknowledgements here.

Key findings and implications

  • There are no specific cyber security duties imposed generally on directors in Australia, the United States[1], Canada[2], the European Union and the United Kingdom.
  • However, there is a growing trend to impose specific cyber security responsibilities on directors under industry-specific regulatory frameworks.
  • Critical infrastructure is a dominating focus of cyber regulatory reforms. Australia currently imposes comparatively stronger cyber specific obligations on directors in respect of critical infrastructure or systems of national significance.
  • Across jurisdictions, there is increasing scope for actions directly against directors.
  • Stronger multidirectional intelligence sharing and cyber support mechanisms are expected across jurisdictions.
  • There is increasing international coordination in response to cyber incidents.
  • Significant new cyber security regulatory developments are expected in each jurisdiction as countries grapple with cyber security threats and risks. All surveyed jurisdictions have recently upgraded, or are currently upgrading, elements of their cyber and privacy-related regulations.

Implication for directors

The comparative survey reveals trans-national resolve to fight cyber-crime’s threat to privacy and prosperity, and recognition of the importance of cooperation between stakeholders to prevent and manage incidents. It also shows an increasing trend towards imposing greater responsibilities on boards and management to ensure the cyber security of their organisations in critical industries.

However, recent Australian Government criticism of corporate responses to data breaches, and the question in its strategy discussion paper – ‘Should the obligations of company directors specifically address cyber security risks and consequences?’ – suggest that the Australian Government, at least, is considering broadening these obligations beyond critical industries. That said, section 180 of the Corporations Act already requires directors to discharge their duties with reasonable care and diligence, which we argue already requires them to take steps to ensure mitigation and management of cyber security risks.

What we think would most assist directors, companies, government agencies, and small and medium businesses is clear guidance on what ‘good’ looks like, and how to actually achieve it. The AICD’s Cybersecurity Governance Principles is highly recommended as a valuable starting point for anyone coming up the curve on cyber security governance.

Reference

  • [1] At a Federal level, noting that States may also have specific cyber security legislation and regulations.
  • [2] At a Federal level, noting that Provinces and Territories may also have specific cyber security legislation and regulations.
