Cybersecurity

It's not just cyber security, it's cyber resilience and cyber regulation

As many have realised, it’s not a question of ‘if’ but ‘when’ a cyber security breach happens. The scale, speed and impact of cyber security breaches mean that you need to be prepared to act on the assumption that a cyber security breach will occur, and to ensure that your organisation is resilient enough to recover from the breach. This requires planning and testing your business continuity and cyber breach plans to make sure that your organisation can continue to operate effectively even if there is a very significant incident that incapacitates your IT systems. ASIC has put Boards on notice that it expects them to ensure that their organisations pay sufficient attention and devote adequate resources to cyber security and cyber resilience.

And, if it’s not enough dealing with the impact of a cyber breach from a resilience perspective, you also have to deal with the regulatory implications of a cyber security incident. These range from ASX notifications under continuous disclosure obligations for listed entities, to notifications to regulators (the OAIC, the CISC and APRA) under a range of statutory notification obligations.

Our team has been advising clients involved in two of the most significant breaches in recent times on navigating through this maze of issues, as well as on the regulatory investigations, representative claims and class actions that have resulted from those breaches.

OUR CYBER SECURITY INSIGHTS

An Omnibus Cyber Security and Infrastructure Package

The Government has released a legislative package that implements a range of initiatives aimed at improving Australia’s cyber security consistent with its 2023-2030 Cyber Security Strategy.

14 October 2024

SOCI roadmap – where are we at now, and what’s coming up next?

Responsible entities of critical infrastructure assets who are subject to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (Rules) must comply with a designated cyber security framework (or an equivalent framework) by 18 August 2024.

15 March 2024

Strengthening Australia’s critical infrastructure against cyber risks: Consultation on legislative reforms close 1 March 2024

The Security of Critical Infrastructure Act (SOCI Act) is again being expanded, this time as part of the Australian Government’s 2023-2030 Cyber Security Strategy.

21 February 2024

Securing Australia’s digital future: unpacking the 2023-30 Cyber Security Strategy

The Government’s 2023-2030 Cyber Security Strategy aims to make Australia the most cyber secure nation and a global leader in cyber security by 2030.

05 December 2023

Lessons for organisations and boards in the wake of ASIC’s November 2023 cyber pulse survey

Regulated organisations have been warned to address significant gaps in their cyber security and resilience following ASIC’s latest cyber pulse survey.

29 November 2023

Lessons from where you don’t want to be: Analysing the OAIC’s latest report on notifiable data breaches

The OAIC’s latest report on the Privacy Act’s notifiable data breach scheme reveals a declining number of notifications.

06 September 2023

APRA has finalised CPS 230: The clock is ticking for regulated entities to comply with new requirements

On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the long awaited final Prudential Standard CPS 230 Operational Risk Management (CPS 230) following extensive industry consultation. CPS 230 will replace the current APRA Prudential Standards for Outsourcing (CPS 231 / SPS 231 / HPS 231) and Business Continuity Planning (CPS 232 / SPS 232) so that CPS 230 will become the core standard for APRA-regulated entities when outsourcing services and managing other operational risk (including business continuity).

03 August 2023

UK Supreme Court weighs in on APP scams

The UK Supreme Court in a landmark judgment (Philipp v Barclays Bank UK Plc [2023] UKSC 25) has unanimously held that a bank does not have a common law duty to customers to refrain from acting on their instructions where the bank believes the customer is the victim of an authorised push payment scam.

14 July 2023

APRA finds gaps in compliance with CPS 234

The Australian Prudential Regulation Authority (APRA)’s initial round of tripartite cyber assessments of regulated entities against prudential standard CPS 234 (CPS 234) has revealed significant control gaps in relation to their compliance with the requirements of CPS 234.

12 July 2023

Australian Government releases new Data and Digital Government Strategy

The Minister for Finance, Senator the Hon Katy Gallagher, recently launched for consultation a draft Data and Digital Government Strategy: The data and digital vision for a world-leading APS to 2030 (Draft Strategy). You’re invited to make comments on the Draft Strategy by 25 July 2023.

07 July 2023

Hong Kong’s new financial crime tool

Fraud is one of the thorniest problems for banks and their customers globally, with billions of dollars of leakage to opportunists, criminal syndicates and thieves. The Hong Kong Monetary Authority (HKMA) has recently announced Hong Kong’s newest institutional financial crime tool – FINEST. The initiative was launched in collaboration with the Hong Kong Police Force (HKPF) and The Hong Kong Association of Banks (HKAB). King & Wood Mallesons was delighted to serve as legal advisor on the project. This alert summarises the key points to know.

30 June 2023

Lifting our gaze: an update on the Australian space industry and satellite cyber security

The Australian space industry has cause for excitement after a joint statement issued by the Prime Minister of Australia and the President of the United States on 20 May 2023.

26 May 2023

KWM privacy bytes – Privacy Act Review Report individual rights

Released in February this year, the Government’s long-awaited Privacy Act Review Report (Report) contains 116 proposals for privacy reform. In this, our second article in the Privacy Bytes series, we take a closer look at the new individual rights the Report proposes to include or expand in the Privacy Act.

09 May 2023

International comparison of Cyber Security regulatory settings: KWM report commissioned by AICD

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. Australia is among many countries seeking to reboot its cyber defences.

08 May 2023

The risk management program rules under the SOCI Act have now come into force

The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) have now been made and came into force with effect from 17 February 2023.

20 February 2023

Lloyd’s of London announces cyber-attack insurance exclusions for “state backed cyber-attack”

Lloyd’s of London has directed that commencing in March 2023, underwriters are to exclude losses arising from any “state backed cyber-attack” from all standalone cyber-attack policies.

05 October 2022

Themes emerging from recent crypto attacks

We are barely finished with the first quarter of the calendar year and already we have seen multiple “hacks” in the crypto space that have resulted in the losses of over US$1 billion.

16 May 2022

Of charlatans and poor choices: how restrictions on crypto assets are growing worldwide

Yet the ancient origin of the word goes to the essence of today’s regulatory tension: ‘crypto’ has its origin in the Greek word ‘kruptos’, meaning ‘hidden’. Governments and regulators around the world are working to bring crypto assets into view.

22 February 2022

International comparison of Cyber Security regulatory settings - Summary

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation. Australia is among many countries seeking to reboot its cyber defences.


OUR PRIVACY INSIGHTS

Privacy Annual Update 2024

Each year, we write this publication to recap the key developments in Australian privacy law over the past year.

11 December 2024

Data Wars Part IV: Enforcement reforms in the Privacy Amendment Bill

The Australian Government is seeking to implement reforms to the Privacy Act 1988 (Cth) (Privacy Act).

21 November 2024

Data Wars Part III: Statutory tort, incoming!

With a substantially pared back Privacy and Other Legislation Amendment Bill 2024 (the Bill) before Parliament, only the statutory tort remains.

15 October 2024

Whose phone is it anyway? Navigating employee privacy and employer data in the age of BYOD

An ever-increasing proportion of business is conducted outside of the physical office and contracted hours – most commonly, on an employee’s mobile device, whether it is their personal device or employer-provided.

11 October 2024

Breaking down the Privacy Amendment Bill

The Government has (at last) introduced the first tranche of long-anticipated privacy reforms.

18 September 2024

Privacy Act Reforms – A Long Running Saga, Yet Still to be Continued …

A privacy reform Bill has been introduced to parliament. If enacted, the Bill will implement significant changes to the Privacy Act, including introducing broader enforcement powers for the Australian Information Commissioner, a statutory tort for serious invasions of privacy, greater transparency for individuals regarding use of personal information for automated decision-making, and additional protections for children’s privacy.

12 September 2024

Data Wars Part II: A direct right of action

In our previous Insight, we explored the proposed statutory tort for serious invasions of privacy detailed in the Attorney-General’s Department’s Privacy Act Review Report (Report) in February 2023. Draft legislation is expected in coming months.

29 August 2024

Risk of GenAI - Probing the privacy pitfalls

The Australian public is nervous about AI and has low trust that companies using AI will protect their personal data.

01 August 2024

Data Wars - Part I: Tortious invasions of privacy

The Australian Government has confirmed its commitment to introduce a new direct right of action for breaches of the Privacy Act 1988 (Cth) (the Act) or the Australian Privacy Principles (APPs), and a statutory tort for serious invasions of privacy.

12 July 2024

Consumer Energy Resources: data and privacy

Welcome back to our 5-part series exploring the emerging opportunities and challenges associated with the uptake of CER in Australia from a tech law perspective, with a focus on privacy and data, AI and automation, cyber security and contracting to enable the transition to CER.

20 June 2024

Representative complaints under the Australian Privacy Act – recent developments

Data breach litigation in Australia is a relatively new occurrence. The courts have recently decided that a multiplicity of court cases and administrative investigations into the same incident may run in parallel.

20 March 2024

Australian privacy regulator sues in data breach case

On 3 November 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (fine) in connection with the company’s response to a data breach that occurred in February 2022.

13 November 2023

Inching forwards: Government responds to Privacy Act Review Report

TL;DR The Government has today released its long-awaited response to the proposals made in the Attorney General’s Privacy Act Review Report.

28 September 2023

Europe’s AI regulation gets real: what to know (and do) about the EU AI Act as it nears finalisation

More than two years ago, the European Union (EU) released the first draft of the Artificial Intelligence Act (AI Act). This was the first significant attempt at regulating AI on a large scale. In June, it passed a major milestone bringing it closer to finalisation. There is some way to go, but the signs are clear. Our experts share what the AI Act means for companies worldwide – and why now is the time to start thinking about risk mitigation steps.

26 June 2023

Have your say on the regulation of Artificial Intelligence in Australia: Recent Developments

Artificial Intelligence (AI) is increasingly becoming a focal point for lawmakers and regulators around the world. Like many nascent technologies, AI has the potential for both harmful as well as positive outcomes, with algorithmic biases and the generation of misleading or erroneous outputs of particular concern. Consequently, safety and the effective management of AI risk has been at the forefront of the minds of Australian regulators. While some overseas jurisdictions are already further down the path towards AI regulation, there have been three recent significant developments in

26 June 2023

KWM privacy bytes – Privacy Act Review Report individual rights

Released in February this year, the Government’s long-awaited Privacy Act Review Report (Report) contains 116 proposals for privacy reform. In this, our second article in the Privacy Bytes series, we take a closer look at the new individual rights the Report proposes to include or expand in the Privacy Act.

09 May 2023

Developments in the regulation of Artificial Intelligence

Artificial intelligence (AI) has captured the attention of the world over the last 12 months. From AI chatbots to AI-generated art and inventions, AI has the potential to radically transform our economy, our society, and humanity.

19 April 2023

ChatGPT and the Importance of AI Governance

ChatGPT, the artificial intelligence chatbot developed by OpenAI, has become the fastest growing consumer product in history, reaching 100 million monthly active users within a mere 2 months of its launch. It has caused shockwaves across the education, media and marketing industries and has stoked fears of broader job losses amongst white collar workers.

14 April 2023

KWM Privacy Bytes - Privacy Act Review Report: Collecting and using of personal information

The Government’s long-awaited Privacy Act Review Report contains 116 proposals for reform. While not fundamentally changing the current principles based approach, these proposals will require a step change in how Australian companies collect and use personal information.

30 March 2023

Privacy Act Review Report (Finally) Released

The Government has released a long-awaited report setting out its privacy reform agenda. This landmark report proposes many significant changes.

17 February 2023
