iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A recent report by the Australian Productivity Commission has called on the government to develop a single cyber incident reporting portal for businesses.
The report titled Advancing Prosperity: 5-year Productivity Inquiry Report is the second report released in five yearly intervals by the Productivity Commission and largely evaluated the nation’s productivity performance in light of the aftermath of the COVID-19 pandemic, economic challenges and the current cyber climate.
In the report, the Productivity Commission made a number of recommendations to improve the current cyber reporting, which is currently difficult for businesses as mandatory reporting legislation develops and the number of reporting requirements grows.
“The cost for businesses of complying with cyber security regulations should be reduced by streamlining incident reporting requirements, with all reporting to occur via a single online interface,” the report said.
“The operating system underlying this interface would then direct reports to the Australian Cyber Security Centre or other relevant government agency as required.
“This could provide the platform for the government to work with cyber security software providers to build incident reporting functions into commonly used software so that reports are automatically sent to relevant agencies if an incident occurs.”
As the commission points out, “there is currently no universal requirement for Australian businesses to report cyber security incidents”.
Instead, there are several different specific reporting obligations, generally targeting operators of critical infrastructure organisations or businesses that have suffered private personal data breaches, financial institutions and large businesses that suffer from ransomware attacks.
“The proliferation of reporting requirements and the need to report to different agencies could place unnecessary burdens on businesses at an already challenging time when they are focusing on recovering from the security breach,” the report said.
Instead, a single reporting solution that would see government agencies coordinate and communicate issues would solve the problem.
The commission admits that coordination has its own issues, but that the reporting would need to be done in a way where the “benefits of a more unified approach to incident reporting” would outweigh them.
“One option to simplify cyber security incident reporting would be to have a single interface or portal for Australian businesses to lodge all cyber incident-related reports required under various regulations,” the report said.
“The operating system underlying the interface would then direct reports to the ACSC or relevant government agency as required to inform the response, without the business needing to make multiple reports or spend time identifying to whom and how they need to report.”
The commission also concluded that several current security regulations relating to critical infrastructure were rushed and lacked review processes.
“Industry stakeholders have observed that the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) — which included broadening the definition of critical infrastructure, increased reporting obligations and new government intervention powers — was rushed following the recommendation of the parliamentary joint committee on intelligence and security, which did not allow for suitable consultation (Karen 2021; Kwan 2021),” the report said.
Speaking to company stakeholders, the commission found that while critical infrastructure security regulations are appreciated, the government rushed through early consultation “a little too fast”, according to one stakeholder. This resulted in apprehension and confusion in government processes.
In addition to the above issues, the Privacy Commission believes that the government has a responsibility to develop cyber resilience and “adopt good security practices”.
While the general cyber practice and security advice is helpful, “incorporating criteria about a software provider’s security capabilities and cyber risk management practices explicitly into government procurement decisions would take this one step further and incentivise organisations seeking to supply goods and services to improve their cyber resilience”.
The full Privacy Commission report can be found here.
Be the first to hear the latest developments in the cyber industry.
