Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

“efficiently and fairly” and have an adequate risk management program. Australian courts have already confirmed that such a risk management plan must ensure that adequate cybersecurity and cyber-resilience measures are implemented across its business.

CPS 234

APRA’s CPS 234 requires APRA-regulated financial, insurance and superannuation entities to comply with legally binding minimum standards of information security, including by:

• specifying information security roles and responsibilities for the entities’ board, senior management, governing bodies and individuals;
• implementing and maintaining appropriate information security capabilities;
• maintaining tools to detect and respond to information security incidents in a timely way; and
• notifying APRA of any material information security incidents.

These standards provide that an entity’s board is ultimately responsible for information security and that the board must ensure that its entity maintains information security in a manner that is commensurate with the size and vulnerability of that entity’s information assets.

APRA-regulated entities are required to externally audit their organisation’s compliance with CPS 234 and report to APRA in a timely manner. If organisations are non-compliant, they may be required to issue breach notices and create rectification plans. If organisations are unable to comply with the standards following this process, APRA may undertake a more formal enforcement process, which may include enforceable undertakings or court proceedings.

Cyber Security Act

In addition to the reporting obligations under CPS 234, certain responsible entities concerning a “critical financial market infrastructure asset” (see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation) also have ransomware reporting obligations under the Cyber Security Act (see 2.3 Incident Response and Notification Obligations).

3.4 Operational Resilience Enforcement

As at the time of writing, there was no enforcement action against “data processing or storage” providers or other ICT services. In fact, there has been no enforcement action reported in relation to the SOCI Act.

According to the CISC’s Compliance and Enforcement Strategy published in April 2022, the CISC prioritises industry partnership and pursues a co-operative, educative and overall voluntary approach. Although it has a range of regulatory options available, it is yet to use any penalising enforcement action. Depending on the breach, action against ICT providers may also come from other regulators such as the OAIC.

3.5 International Data Transfers

Government Transfers

Although there are limits on the use of the cybersecurity information provided by reporting business entities under the Cyber Security Act and the Intelligence Services Act 2001 (Cth), these limitations are unlikely to prevent the ASD, the National Cyber Security Coordinator (NCS Coordinator) or the CIRB from disclosing the information to foreign authorities or joint partnerships for particu-
