While there has been significant reform of Australia's cyber-related laws over the last several years – as well as increased signalling from regulators that action will be brought against organisations not fulfilling their obligations – attitudes towards regulation were generally positive.
Jones said there is broad acceptance that appropriate regulation is a good thing, and clear regulation can create certainty for organisations as they invest in regulatory compliance, including cyber uplift programs. He also noted that progress on recent cyber regulatory reform had been marked by high levels of consultation, which had facilitated increased collaboration and enhanced trust between government and industry.
"When it comes to certain regulatory reform areas in Australia, we have seen a degree of genuine consultation and willingness to have open conversations. However, I do think that improved coordination and prioritisation across the different regulators, when they are looking at major reform, would be viewed as a useful development," Jones said.
The survey results also suggest that there is some confusion when it comes to terminology used in the regulation of cyber risk in Australia. 26% of respondents admitted to not knowing whether operational resilience obligations applied to their organisation. However, there was greater awareness among organisations captured by the SOCI Act (53% of respondents), with just 6% of those respondents uncertain about their operational resilience obligations.
Despite the comparatively positive outlook in relation to certain aspects of the regulatory environment, Jones noted that, for organisations operating in an internationally competitive environment, overly onerous domestic compliance requirements, or ones which have significant productivity impacts, could result in "regulatory arbitrage".
"If a regulatory regime becomes too difficult and costly to comply with, then international organisations may refocus investment in offshore locations which may have lighter handed regimes," Jones said.
"While there are challenges in that space however, no one is saying 'get rid of regulation'. Rather, I think people are saying we need appropriately calibrated regulation that is focussed on a proportional response to risk. And it can never be zero risk."
"The regulators are not usually starting with an enforcement or investigation mindset. Very few incidents (relative to the total number of incidents) lead to investigations and, in our experience, a constructive relationship with regulators, whether before, during or after an incident, can be a very useful approach. Misunderstandings can occur 'on the papers' and a combative approach to engagement can lead to unnecessary scrutiny."
Cameron Whittfield, Partner
"The banks are acutely aware of their regulatory obligations but across the financial services sector, there is a divide. Concerns have been raised about superannuation funds because it's an area where there have been issues and a need for the regulator to play a stronger role. There would be huge social effects in the event of a serious cyber impact on a super fund, and if significant amounts of money were stolen."
Peter Jones, Partner
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.