‘Real and present danger’: Government considers making company directors personally liable for cyber attacks
Company directors could be held personally responsible for cyber attacks under new standards being discussed with industry as government research shows cyber crime is costing the Australian economy about $3.5 billion a year.
Home Affairs Minister Karen Andrews will on Tuesday declare the country “cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security”.
“The government is taking action to mitigate the real and present danger that cyber crime presents to Australians and our economy,” she said. “I want to make sure Australian businesses – big and small – are secure and consumers are protected.”
The extra responsibilities for directors of large Australian companies, similar to those they already have for workplace health and safety, will be canvassed in a government discussion paper on cyber-security reforms.
The cyber-security standards to be co-designed with industry will cover corporate governance, smart devices and the handling of personal information. It has not yet been decided whether the new standards, which were first floated in the 2020 Cyber Security Strategy, will be mandatory or companies will opt in.
The discussion paper says a mandatory regime may be “too costly and onerous given the current state of cyber-security governance and in the midst of an economic recovery”. It appears to favour the voluntary model but warns there is a risk that industry “may not substantially adopt the standards and could continue to manage cyber risk as it currently does”.
Under the voluntary approach, the new standards could be written into the ASX’s corporate governance rules and practices, which would at least force companies that did not adopt the requirements to explain why to shareholders.
The federal government also wants more transparency covering internet-connected devices including “security labelling” and better disclosure of vulnerabilities, as well as clear legal remedies for victims of cyber attacks.
The extra responsibilities would be in addition to proposed laws imposing a range of obligations on operators of critical infrastructure to respond to cyber attacks, including allowing the Australian government’s cyber security agencies to intervene in companies’ networks.
The Australian Institute of Criminology will release a report on Tuesday putting the total economic cost of cyber crime at $3.5 billion a year, including $1.9 billion lost by individual victims.
Based on a survey of 11,840 people, the AIC found Australians spent $597 million dealing with the consequences of cyber attacks and $1.4 billion on prevention, and recovered just $389 million.
Ransomware attacks – a form of malware designed to encrypt a victim’s files until a ransom is paid – have been a growing concern for Australian businesses. Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, and Nine Entertainment (owner of The Sydney Morning Herald and The Age) have all been hit by major ransomware attacks over the past 18 months, with some paying ransoms to the attackers.
A report by the Australian Strategic Policy Institute will on Tuesday call on the government to better clarify the legality of ransomware payments and be more transparent when attacks occur.
“The Australian government shouldn’t criminalise the payment of ransoms. Instead, a mandatory reporting regime should be adopted, fostering an information-sharing culture without fear of legal repercussions,” the ASPI report says.