International comparison of Cyber Security regulatory settings: KWM report commissioned by AICD

Comparing Australia’s cyber landscape

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. Australia is among many countries seeking to reboot its cyber defences. The Federal Government is developing its 2023-2030 Australian Cyber Security Strategy – exploring a range of policy options, and, importantly, considering new and enhanced obligations for Australian entities to specifically address cyber security risks and consequences.

To contribute to this important discussion, the Australian Institute of Company Directors (AICD) commissioned KWM to analyse and compare existing and proposed cyber security obligations in Australia against those in the United States, Canada, the European Union and the United Kingdom (Comparator Jurisdictions).

See the summary of our comparative analysis here and our full report at the AICD website here. We acknowledge the contribution of Fieldfisher and Davies Ward Phillips and Vineberg who collaborated with us to produce this report.

Key findings and implications

  • There are no general duties imposed on directors in relation to cyber security in Australia, the United States [1], Canada [2], the European Union and the United Kingdom.
  • There is a growing trend in all jurisdictions towards imposing cyber security responsibilities on directors under industry-specific regulatory frameworks.
  • Critical infrastructure is a dominating focus of cyber regulatory reforms. Australia currently imposes stronger cyber specific obligations on directors in respect of critical infrastructure or systems of national significance when compared against the other jurisdictions.
  • Significant new cyber security regulatory developments are expected in each jurisdiction as countries grapple with cyber security threats and risks. All surveyed jurisdictions have recently upgraded, or are in the process of upgrading, material elements of their cyber and privacy-related regulation.

Governance and board accountability

Finding #1: There are no general duties imposed on directors in relation to cyber security

As a general proposition, we find that none of the Comparator Jurisdictions have imposed a general duty on directors to ensure the cyber security of their organisations.

However, in each of the Comparator Jurisdictions, directors have general duties of care, skill and diligence to their organisations. This means that directors should be capable of satisfying themselves that cyber risks are adequately addressed and that organisations are cyber resilient. In the event of a data breach, directors may face claims for breach of these duties, including by regulators.

Finding #2: There is a trend towards imposing cyber security responsibilities on directors under industry-specific legislative frameworks

In each Comparator Jurisdiction, we see a trend of increasing governance implications and accountability for boards and management in particular industry sectors. Beyond critical infrastructure, significant sectors – particularly financial services and telecommunications – are subject to sector-specific cyber security obligations:

  • (Financial services): Broadly, there are regulations or legislation in each Comparator Jurisdiction that impose information security or cyber security requirements on financial services entities. For example, in Australia, under CPS 234, the board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
  • (Telecommunications): In Australia, Canada, the EU and the UK, specific cyber notification and reporting obligations are also imposed on telecommunications service providers. At this stage, there is no federal legislation specifically regulating the cyber security of communication services and networks in the US.

Beyond the financial services and telecommunications sectors, there is also a range of existing and proposed industry-specific regulations in the Comparator Jurisdictions for other sectors such as transport, health and AI.

Finding #3: There is increasing scope for actions to be brought directly against directors

In the US, there is a strong precedent of class actions being brought against boards and officers in relation to cyber security. While there are no explicit legislative requirements for directors under cyber security legislation in the US, nor a statutory tort arising out of a cyber security or data breach, actions have been brought on the basis that the board has failed to exercise appropriate oversight of a company’s cyber security. Actions have also been brought on other grounds, including breaches of express or implied contracts, negligence, other common law torts, or breaches of consumer protection legislation.

There is far less precedent in Australia for direct actions against directors in relation to cyber security. It is yet to be seen if the environment will change with the recent proposals in the Attorney-General’s Privacy Act Review Report to introduce a direct right of action to enable individuals to apply to the courts for relief in relation to privacy breaches, as well as the introduction of a statutory tort for serious invasions of privacy.

Similarly, in Canada, a new private right of action has been proposed so that affected individuals may seek damages from organisations that have breached privacy legislation. It is also possible that these proposals could result in increased levels of litigation on privacy matters, including through representative groups.

In the EU and UK, there is no explicit cause of action against company directors. However, data subjects may be able to claim compensation from directors in certain circumstances, given that ‘natural persons’ can be liable for breaches of the GDPR or UK GDPR. More broadly, as data subjects have a direct right of action in the EU, there is clear scope for class actions related to cyber security and data breaches. In the UK, directors can be liable for data protection offences committed with their consent or connivance.

Sector-specific cyber security obligations

Finding #4: Stronger sector-specific cyber security obligations are being introduced to address supply chain and national security risks posed by cyber threats

In particular, Australia currently imposes stronger cyber specific obligations on directors in respect of critical infrastructure or systems of national significance when compared against other Comparator Jurisdictions.

Critical infrastructure is a dominating focus of cyber regulatory reforms across all Comparator Jurisdictions.

In Australia, the ongoing reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are central to Australia’s national strategy to strengthen cyber security and protect Australian businesses against cyber threats. At present, the SOCI Act imposes obligations on responsible entities for critical infrastructure assets in relation to reporting, notification, government assistance, risk assessment and planning.

Federal regulation in the US is trending in a broadly similar direction in relation to the reporting and notification of incidents in critical industries. Its ambit is otherwise comparatively limited.

Canada’s security of critical infrastructure regime is in the nascent stages. Although a cyber security bill is proposed, there is currently no legislation that applies specifically to Canada’s critical infrastructure.

By comparison, the EU and UK have an advanced and comprehensive framework regulating cyber security of critical infrastructure. In both jurisdictions, operators of essential services are required to take appropriate and proportionate measures to detect and manage security risks and notify relevant authorities about incidents that have a significant impact on the continuity of the essential services.

Cyber intelligence sharing mechanisms and frameworks

Finding #5: Stronger multidirectional information sharing mechanisms are expected across jurisdictions.

In all Comparator Jurisdictions, there is a range of mechanisms and frameworks to facilitate intelligence sharing and cyber support in relation to cyber security threats and incidents. These mechanisms are largely voluntary. As cyber risks continue to grow and affect both governments and companies, there is a focus on increasing the speed and scale of cyber intelligence sharing and cyber threat blocking.

At present, there are a number of Australian agencies that can provide information and support to companies in relation to a cyber threat or cyber incident. In particular:

  • the ACSC leads the Australian Government’s cyber security efforts; and
  • AusCERT is specifically charged to facilitate cyber security threat information sharing and monitoring.

However, there is no legal obligation to report cyber incidents to the ACSC (except for responsible entities for critical infrastructure assets under the SOCI Act). There is also no requirement to notify the Australian Federal Police, or other Australian law enforcement body, of a cyber incident even though it can be useful to do so.

While the US Government has identified robust cyber intelligence sharing and victim notification mechanisms as a strategic priority, there is at present only limited coordinated cyber intelligence sharing for entities outside critical sectors. For entities in critical sectors, real-time intelligence sharing tools are available. Importantly, these tools offer companies anonymity, as well as certain liability and privacy protections, to encourage information sharing. However, use of the tools is not mandatory.

Canadian companies have access to a range of limited voluntary cyber intelligence sharing frameworks. The Canadian Centre for Cyber Security also issues alerts and advice on potential, imminent or actual cyber threats, vulnerabilities or incidents relevant to Canada and Canadians.

In the EU and UK, the mechanisms to facilitate cyber information sharing are more robust. In both jurisdictions, there is a designated national single point of contact to provide specific support to companies during cyber incidents. Significantly in the UK, registered UK private sector organisations and government departments can also access a secure and confidential platform to share cyber threat information in real time. This platform enables fast, scaled and multidirectional information sharing. At present, sharing remains voluntary.

International coordination for cyber incidents

Finding #6: There is increasing international coordination in response to cyber incidents

Effective international coordination has been recognised as key to addressing and responding to cyber incidents. Accordingly, there has been an increasing effort to scale the emerging model of collaboration by national cyber security stakeholders to cooperate with the international community. For example, partnerships such as the Counter-Ransomware Initiative, the Quadrilateral Security Dialogue (or the Quad) and AUKUS allow Australia (and other Comparator Jurisdictions) to:

  • share cyber threat information;
  • exchange model cyber security practices;
  • compare sector-specific expertise;
  • drive secure-by-design principles; and
  • coordinate policy and incident response activities with its international counterparts.

Future directions

Finding #7: Significant new cyber security regulatory developments are expected in each jurisdiction.

Significant new cyber security regulatory developments are expected in each jurisdiction as countries grapple with cyber security threats and risks. Each Comparator Jurisdiction has recently upgraded, or is in the process of upgrading, material elements of its cyber and privacy-related regulation.

In Australia, significant reforms in cyber security and data governance are likely to occur in the near future. At this stage, it is not clear what reforms will result from the consultation in relation to the Strategy Paper. However, additional new cyber security-related obligations are separately expected to be introduced under changes to Australia’s data privacy arising out of the Attorney-General’s landmark Privacy Act Review Report.

In the other Comparator Jurisdictions, similar new cyber security regulation developments are being pursued:

  • In the US, the White House recently published its 2023 National Cyber Security Strategy. Although the strategy does not particularise the proposed new cyber obligations, it sets out the US Government’s intention to integrate federal cyber security centres, establish new critical infrastructure cyber security requirements, and scale intelligence sharing and victim notification mechanisms.
  • In Canada, there are new obligations proposed for operators of critical cyber systems, as well as similarly significant new developments regarding the Canadian federal privacy framework.
  • In the EU, on top of its already advanced cyber regulatory landscape, additional new and enhanced cyber obligations are proposed, including in relation to AI systems.
  • The UK’s cyber regulatory landscape is also moving quickly. In particular, the UK Government has proposed amendments to the scope of the existing privacy and data protection regime.

State of flux

Clearly, the international cyber regulatory landscape is in a state of flux. However, in general, each of the other Comparator Jurisdictions shares common cyber policy objectives with Australia. Each jurisdiction is implementing regulatory reforms to make itself more cyber secure and cyber resilient, often in a way that is increasingly consistent across jurisdictions. This is to be expected, given the global nature of cyber security risks and the natural convergence of policy outcomes and mechanisms to address them.

References

  • [1] At a Federal level, noting that States may also have specific cyber security legislation and regulations.
  • [2] At a Federal level, noting that Provinces and Territories may also have specific cyber security legislation and regulations.
