AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
to prevent, detect, respond to or minimise the impact of future cybersecurity incidents of a similar nature. In pursuit of national cohesion, the state authorities adopt the following approaches.

• The ACSC facilitates information sharing and collaboration across the private, public and NGO sectors to develop collective cyber-resilience and to respond to cyber-incidents. In this regard, the ACSC has commenced: a partnership programme, involving the private, public and NGO sectors, to enable information sharing and network hardening; and an alert service, which provides information on recent cyber threats as well as prevention and mitigation advice.

• The Joint Cyber Security Centres (JCSC) are state-based agencies which collaborate with organisations across the private, public and NGO sectors on cybersecurity and cybercrime threats and response options.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

Even for the financial sector, there is a patchwork of legislation covering the sector's operational resilience, and the scope of each instrument differs. This legislation includes the SOCI Act, the Corporations Act, the Banking Act 1959 (Cth) and the Insurance Act 1973 (Cth).

Corporations Act

As a starting point, the Corporations Act imposes a duty to exercise "care and diligence" on all directors and officers of corporations (Section 180), which inherently involves considerations relating to cybersecurity resilience. More specifically, the Corporations Act requires corporations holding financial licences to have adequate risk management systems (Section 912A).

CPS 234

On top of this, APRA's CPS 234 regulates information security standards for APRA-regulated financial, insurance and superannuation entities.

Other Legislation (SOCI Act and Cyber Security Act)

Additionally, other legislation and regulation applicable to sectors beyond the financial sector are equally relevant here. These include the SOCI Act, since the financial services and markets sector falls within its scope, so as to include certain banking assets, superannuation assets, insurance assets and financial market infrastructure assets (see 2. Scope of Critical Infrastructure Cybersecurity). Each of these is, in turn, defined and covers a range of assets owned or operated by entities holding certain licences (Australian market licensees, CS facility licensees, benchmark administrators and others), but most with the underlying condition that the asset is "critical to the security and reliability of the financial services and markets sector".

Those that fall outside the scope of the SOCI Act may fall within the scope of the Cyber Security Act, which imposes reporting obligations on "reporting business entities". See 2. Scope of Critical Infrastructure Cybersecurity.

3.2 ICT Service Provider Contractual Requirements

Information and communications technology (ICT) service providers are not expressly defined in Australian legislation. However, legislation does address "data processing or storage" assets and providers. Such an asset may be considered itself