The Australian government has suggested various policy reforms aimed at improving Australia’s cybersecurity posture. These include proposals and regulations for smart (IoT) devices, mandatory reporting requirements for large businesses, and a code of conduct for handling personal information.
The paper also proposes a code of practice, either mandatory or voluntary, for large businesses to improve their cybersecurity management. The mandatory option would require entities to achieve compliance within a specific timeframe. But the Australian government wants the code to be voluntary, because it may be too costly and burdensome for businesses to implement mandatory requirements in the current environment. It also noted the lack of a regulator with the necessary skills and expertise to develop and administer a compulsory standard.
Further, the paper proposes a voluntary cybersecurity health check that would allow small businesses to obtain a trust mark. It would require businesses to self-assess their compliance with regulations, with basic due diligence provided by the government or a third party.
The paper proposed to create a code of conduct under the Privacy Act that would help ensure the adoption of robust cybersecurity standards. “Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake,” it said.
The government is also considering ways to encourage incident disclosure, both voluntary and mandatory, and sets out two options for regulating responsible disclosure: a voluntary one and a mandatory one.
The paper aims to introduce clear legal remedies for consumers following a cyber incident. Currently, there are only limited legal options available to consumers.
The paper also proposed regulating IoT devices and helping consumers choose secure devices.
“We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost,” the paper says. “Unfortunately, consumers often aren’t able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cybersecurity and leads consumers to unknowingly adopt cybersecurity risk.”
Last year, in a bid to address this issue, the government issued a voluntary Code of Practice with 13 principles for manufacturers of Internet of Things devices.
The recent paper, however, proposes making the Code mandatory for smart device manufacturers, which would require them to implement a baseline security standard for their devices.
There is also a proposal to introduce a mandatory star rating or a voluntary expiry date label for smart devices to help consumers easily understand whether a smart device is “cyber secure.” The expiry date label would tell the user how long security updates will be provided for the device.