On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy.
Among the issues being canvassed are governance standards for large businesses. Feedback is being sought on whether existing frameworks are sufficient, or whether additional measures, either voluntary or mandatory, should be developed.
A voluntary governance standard would describe the responsibilities of large businesses and processes for managing cyber security risk and would support the role of company boards overseeing cyber security risk. Mandatory standards would go further, requiring large businesses to achieve compliance within a specific timeframe.
Among possible future directions, some are suggesting that directors may be held legally responsible for egregious cyber security negligence in their companies, according to Telstra CEO Andy Penn.
Penn, who is also chair of the Government’s Cyber Security Industry Advisory Committee, says too many Australian organisations remain under-prepared for escalating cyber risks. He backed proposals to strengthen obligations on directors, but said the degree of responsibility should depend on the significance of the company’s products or services.
Importantly, Penn advised that more needs to be done to make corporate leaders aware of cyber