It's not just cyber security, it's cyber resilience and cyber regulation
As many have realised, it’s not a question of ‘if’ but ‘when’ a cyber security breach happens. The scale, speed and impact of cyber security breaches mean that you need to be prepared to act on the assumption that a cyber security breach will occur, and to ensure that your organisation is resilient enough to recover from the breach. This requires planning and testing your business continuity and cyber breach plans to make sure that your organisation can continue to operate effectively even if there is a very significant incident that incapacitates your IT systems. ASIC has put Boards on notice that it expects them to ensure that their organisations pay sufficient attention and devote adequate resources to cyber security and cyber resilience.
And, if it’s not enough dealing with the impact of a cyber breach from a resilience perspective, you also have to deal with the regulatory implications of a cyber security incident. These range from ASX notifications under continuous disclosure obligations for listed entities, to notifications to regulators (the OAIC, the CISC and APRA) under a range of statutory notification obligations.
Our team has been advising clients involved in two of the most significant breaches in recent times on navigating through this maze of issues, as well as on the regulatory investigations, representative claims and class actions that have resulted from those breaches.
OUR CYBER SECURITY INSIGHTS
An Omnibus Cyber Security and Infrastructure Package
The Government has released a legislative package that implements a range of initiatives aimed at improving Australia’s cyber security consistent with its 2023-2030 Cyber Security Strategy.
14 October 2024
SOCI roadmap – where are we at now, and what’s coming up next?
Responsible entities of critical infrastructure assets who are subject to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Rules) must comply with a designated cyber security framework (or an equivalent framework) by 18 August 2024.
15 March 2024
Strengthening Australia’s critical infrastructure against cyber risks: Consultation on legislative reforms close 1 March 2024
The Security of Critical Infrastructure Act (SOCI Act) is again being expanded, this time as part of the Australian Government’s 2023-2030 Cyber Security Strategy.
21 February 2024
Securing Australia’s digital future: unpacking the 2023-30 Cyber Security Strategy
The Government’s 2023-2030 Cyber Security Strategy aims to make Australia the most cyber secure nation and a global leader in cyber security by 2030.
05 December 2023
Lessons for organisations and boards in the wake of ASIC’s November 2023 cyber pulse survey
Regulated organisations have been warned to address significant gaps in their cyber security and resilience following ASIC’s latest cyber pulse survey.
29 November 2023
Lessons from where you don’t want to be: Analysing the OAIC’s latest report on notifiable data breaches
The OAIC’s latest report on the Privacy Act’s notifiable data breach scheme reveals a declining number of notifications.
06 September 2023
APRA has finalised CPS 230: The clock is ticking for regulated entities to comply with new requirements
On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the long awaited final Prudential Standard CPS 230 Operational Risk Management (CPS 230) following extensive industry consultation. CPS 230 will replace the current APRA Prudential Standards for Outsourcing (CPS 231 / SPS 231 / HPS 231) and Business Continuity Planning (CPS 232 / SPS 232) so that CPS 230 will become the core standard for APRA-regulated entities when outsourcing services and managing other operational risk (including business continuity).
03 August 2023
UK Supreme Court weighs in on APP scams
The UK Supreme Court in a landmark judgment (Philipp v Barclays Bank UK Plc [2023] UKSC 25) has unanimously held that a bank does not have a common law duty to customers to refrain from acting on their instructions where the bank believes the customer is the victim of an authorised push payment scam.
14 July 2023
APRA finds gaps in compliance with CPS 234
The Australian Prudential Regulation Authority (APRA)’s initial round of tripartite cyber assessments of regulated entities against prudential standard CPS 234 (CPS 234) has revealed significant control gaps in relation to their compliance with the requirements of CPS 234.
12 July 2023
Australian Government releases new Data and Digital Government Strategy
The Minister for Finance, Senator the Hon Katy Gallagher, recently launched for consultation a draft Data and Digital Government Strategy: The data and digital vision for a world-leading APS to 2030 (Draft Strategy). You’re invited to make comments on the Draft Strategy by 25 July 2023.
07 July 2023
Hong Kong’s new financial crime tool
Fraud is one of the thorniest problems for banks and their customers globally, with billions of dollars of leakage to opportunists, criminal syndicates and thieves. The Hong Kong Monetary Authority (HKMA) has recently announced Hong Kong’s newest institutional financial crime tool – FINEST. The initiative was launched in collaboration with the Hong Kong Police Force (HKPF) and The Hong Kong Association of Banks (HKAB). King & Wood Mallesons was delighted to serve as legal advisor on the project. This alert summarises the key points to know.
30 June 2023
Lifting our gaze: an update on the Australian space industry and satellite cyber security
The Australian space industry has cause for excitement after a joint statement issued by the Prime Minister of Australia and the President of the United States on 20 May 2023.
26 May 2023
KWM privacy bytes – Privacy Act Review Report individual rights
Released in February this year, the Government’s long-awaited Privacy Act Review Report (Report) contains 116 proposals for privacy reform. In this, our second article in the Privacy Bytes series, we take a closer look at the new individual rights the Report proposes to include or expand in the Privacy Act.
09 May 2023
International comparison of Cyber Security regulatory settings: KWM report commissioned by AICD
The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. Australia is among many countries seeking to reboot its cyber defences.
08 May 2023
The risk management program rules under the SOCI Act have now come into force
The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) have now been made and came into force with effect from 17 February 2023.
20 February 2023
Lloyd’s of London announces cyber-attack insurance exclusions for “state backed cyber-attack”
Lloyd’s of London has directed that commencing in March 2023, underwriters are to exclude losses arising from any “state backed cyber-attack” from all standalone cyber-attack policies.
05 October 2022
Themes emerging from recent crypto attacks
We are barely finished with the first quarter of the calendar year and already we have seen multiple “hacks” in the crypto space that have resulted in the losses of over US$1 billion.
16 May 2022
Of charlatans and poor choices: how restrictions on crypto assets are growing worldwide
Yet the ancient origin of the word goes to the essence of today’s regulatory tension: ‘crypto’ has its origin in the Greek word ‘kruptos’, meaning ‘hidden’. Governments and regulators around the world are working to bring crypto assets into view.
22 February 2022
International comparison of Cyber Security regulatory settings - Summary
The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. Australia is among many countries seeking to reboot its cyber defences.
OUR PRIVACY INSIGHTS
Privacy Annual Update 2024
Each year, we write this publication to recap the key developments in Australian privacy law over the past year.
11 December 2024
Data Wars Part IV: Enforcement reforms in the Privacy Amendment Bill
The Australian Government is seeking to implement reforms to the Privacy Act 1988 (Cth) (Privacy Act).
21 November 2024
Data Wars Part III: Statutory tort, incoming!
With a substantially pared back Privacy and Other Legislation Amendment Bill 2024 (the Bill) before Parliament, only the statutory tort remains.
15 October 2024
Whose phone is it anyway? Navigating employee privacy and employer data in the age of BYOD
An ever-increasing proportion of business is conducted outside of the physical office and contracted hours – most commonly, on an employee’s mobile device, whether it is their personal device or employer-provided.
11 October 2024
Breaking down the Privacy Amendment Bill
The Government has (at last) introduced the first tranche of long-anticipated privacy reforms.
18 September 2024
Privacy Act Reforms – A Long Running Saga, Yet Still to be Continued …
A privacy reform Bill has been introduced to parliament. If enacted, the Bill will implement significant changes to the Privacy Act, including introducing broader enforcement powers for the Australian Information Commissioner, a statutory tort for serious invasions of privacy, greater transparency for individuals regarding use of personal information for automated decision-making, and additional protections for children’s privacy.
12 September 2024
Data Wars Part II: A direct right of action
In our previous Insight, we explored the proposed statutory tort for serious invasions of privacy detailed in the Attorney-General’s Department’s Privacy Act Review Report (Report) in February 2023. Draft legislation is expected in coming months.
29 August 2024
Risk of GenAI - Probing the privacy pitfalls
The Australian public is nervous about AI and has low trust that companies using AI will protect their personal data.
01 August 2024
Data Wars - Part I: Tortious invasions of privacy
The Australian Government has confirmed its commitment to introduce a new direct right of action for breaches of the Privacy Act 1988 (Cth) (the Act) or the Australian Privacy Principles (APPs), and a statutory tort for serious invasions of privacy.
12 July 2024
Consumer Energy Resources: data and privacy
Welcome back to our 5-part series exploring the emerging opportunities and challenges associated with the uptake of CER in Australia from a tech law perspective, with a focus on privacy and data, AI and automation, cyber security and contracting to enable the transition to CER.
20 June 2024
Representative complaints under the Australian Privacy Act – recent developments
Data breach litigation in Australia is a relatively new occurrence. The courts have recently decided that a multiplicity of court cases and administrative investigations into the same incident may run in parallel.
20 March 2024
Australian privacy regulator sues in data breach case
On 3 November 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (fine) in connection with the company’s response to a data breach that occurred in February 2022.
13 November 2023
Inching forwards: Government responds to Privacy Act Review Report
TL;DR The Government has today released its long-awaited response to the proposals made in the Attorney General’s Privacy Act Review Report.
28 September 2023
Europe’s AI regulation gets real: what to know (and do) about the EU AI Act as it nears finalisation
More than two years ago, the European Union (EU) released the first draft of the Artificial Intelligence Act (AI Act). This was the first significant attempt at regulating AI on a large scale. In June, it passed a major milestone bringing it closer to finalisation. There is some way to go, but the signs are clear. Our experts share what the AI Act means for companies worldwide – and why now is the time to start thinking about risk mitigation steps.
26 June 2023
Have your say on the regulation of Artificial Intelligence in Australia: Recent Developments
Artificial Intelligence (AI) is increasingly becoming a focal point for lawmakers and regulators around the world. Like many nascent technologies, AI has the potential for both harmful as well as positive outcomes, with algorithmic biases and the generation of misleading or erroneous outputs of particular concern. Consequently, safety and the effective management of AI risk has been at the forefront of the minds of Australian regulators. While some overseas jurisdictions are already further down the path towards AI regulation, there have been three recent significant developments in
26 June 2023
KWM privacy bytes – Privacy Act Review Report individual rights
Released in February this year, the Government’s long-awaited Privacy Act Review Report (Report) contains 116 proposals for privacy reform. In this, our second article in the Privacy Bytes series, we take a closer look at the new individual rights the Report proposes to include or expand in the Privacy Act.
09 May 2023
Developments in the regulation of Artificial Intelligence
Artificial intelligence (AI) has captured the attention of the world over the last 12 months. From AI chatbots to AI-generated art and inventions, AI has the potential to radically transform our economy, our society, and humanity.
19 April 2023
ChatGPT and the Importance of AI Governance
ChatGPT, the artificial intelligence chatbot developed by OpenAI, has become the fastest growing consumer product in history, reaching 100 million monthly active users within a mere 2 months of its launch. It has caused shockwaves across the education, media and marketing industries and has stoked fears of broader job losses amongst white collar workers.
14 April 2023
KWM Privacy Bytes - Privacy Act Review Report: Collecting and using of personal information
The Government’s long-awaited Privacy Act Review Report contains 116 proposals for reform. While not fundamentally changing the current principles-based approach, these proposals will require a step change in how Australian companies collect and use personal information.
30 March 2023
Privacy Act Review Report (Finally) Released
The Government has released a long-awaited report setting out its privacy reform agenda. This landmark report proposes many significant changes.
17 February 2023