Cyber & Regulatory: Navigating cybersecurity risks and privacy reforms

The McGrathNicol 2023 Supply Chain Risk study revealed cybersecurity as a paramount concern for businesses, second only to financial performance. This was supported by our annual ransomware research, with 56% of surveyed Australian businesses subjected to a ransomware attack in the past five years. Regulatory bodies are putting organisations on notice, urging boards and executives to develop more comprehensive cyber risk management strategies.

The Federal Government has pledged to reform the Privacy Act and further modify the SOCI Act. One of the critical suggested changes to the Privacy Act would confer on individuals a direct right of action for redress and allow for greater compensatory damages, similar to the GDPR in Europe.

In 2023, there were five class actions filed in relation to cybersecurity data breaches and, if reforms to the Privacy Act are made, this number is set to increase. The legal class actions currently underway will present a salient lesson for the rest of corporate Australia as to how cyber-related damages are to be assessed moving forward.

New cybersecurity laws, including ransomware reporting with no-fault and no-liability stipulations, an obligation for information sharing, standards for ‘Internet of Things’ technology, and the establishment of a cyber incident review board are also expected to be introduced. Organisations of all sizes should follow these essential steps:

• Conduct periodic cyber risk assessments to evaluate the effectiveness of cyber resilience controls and the use of managed service providers.

• Update supply chain risk management processes to incorporate cyber risk.

• Enhance enterprise risk practices to include broader geopolitical and national security concerns.

• Strategically implement data governance controls to counter attacks from sophisticated cyber criminals.

Companies that fail to address and enhance their cybersecurity and privacy measures may not only fall foul of the regulators; they will likely face an empowered consumer with greater legislative tools to hold them to account.