BGA’s Australia team, led by Managing Director Fergus Hanson, wrote an update to clients on the recent series of cybersecurity measures adopted by the government. The update addressed the impact of the measures as well as what they could mean for companies and other stakeholders moving forward.

Context

Over the past few months, the Australian government has been working through a series of cybersecurity measures. Of particular note are the Security Legislation Amendment (Critical Infrastructure) Bill 2020, initially introduced last December, which imposed mandatory cyber incident reporting for certain critical infrastructure networks, and the belatedly launched International Cyber and Critical Technology Engagement Strategy released this month by Australia’s Department of Foreign Affairs and Trade.

These measures are being driven in the midst of a changing domestic and international context. This includes work that the Quad is advancing on cyber issues as well as the appointment of relatively new government stakeholders such as Assistant Defense Minister Andrew Hastie appointed in December 2020 and Home Affairs Minister Karen Andrews who has been helping drive the Critical Infrastructure Bill since being appointed in March 2021.

Significance

The measures reinforce the government’s belief that its cybersecurity measures reflect a balanced approach at a time when Australia is seeking business investment to solidify its economic recovery in the midst of the global coronavirus pandemic.

The cybersecurity measures mean additional obligations on reporting and information-sharing for companies. This includes mandatory cyber incident reporting and potentially acquiescing to controversial step-in powers to allow the government to assist during a crisis.

Implications

Looking ahead, companies may have potential opportunities to shape ongoing government guidance and policy formulation. Government agencies including the Department of Home Affairs have indicated an openness to collaborate with other stakeholders to inform guidance and sharing actionable, anonymous information that will improve cyber resilience.

Companies should also watch key developments on cybersecurity emerging through the rest of the year to assess the evolution of government policy. These include the holding of Aqua Ex, a major cyber exercise involving over 60 entities from Australia’s critical infrastructure sector, and the development of the working group on critical and emerging technology within the Quad.

BGA’s Australia team will continue to keep you updated on developments at home and abroad as they occur and assess the implications for companies and other stakeholders.