Businesses required to submit annual cyber risk reports

Directors and board members of businesses and critical infrastructure in Australia will now be forced to submit an annual risk management report to the government under a new program.

Daniel Croft
Tue, 21 Feb 2023

The Critical Infrastructure Risk Management Program (CIRMP), developed in response to the devastating Optus and Medibank attacks last year, aims to protect individuals from having their sensitive information leaked.

“[Businesses] are required to establish, maintain, and comply with a written risk management program that manages the ‘material risk’ of a ‘hazard’ occurring, which could have a relevant impact on their critical infrastructure asset,” the program said.

“Responsible entities must identify, and as far as is reasonably practicable, take steps to minimise or eliminate these ‘material risks’ that could have a ‘relevant impact’ on their asset.”

Cyber Security Minister Clare O’Neil has said that the program will ensure businesses are better prepared in the event of a cyber incident, as well as other areas of risk.

“We must continue to ensure the security of our essential services ... and protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” Minister O’Neil said.

In addition, Minister O’Neil is launching an updated Critical Infrastructure Resilience Strategy, which assists critical infrastructure in responding to cyber, supply chain and physical attacks and ensures they stay operational.

The update takes into account new emerging risks and aims to promote co-operation between government agencies and private businesses.

Protecting critical infrastructure and essential services has become a growing concern over the last few years, with both being increasingly targeted over the pandemic.

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” Minister O’Neil said to The Australian.

“The best way to protect our critical infrastructure is through close co-operation between business and government — an alliance that leverages the expertise of all parties and reflects the complex and evolving nature of the threat.”

Luke Power, ANZ managing director of cyber security company Trellix, has said that the new program is a significant step in bolstering the nation’s cyber security.

“The rapid response by Minister for Home Affairs and Cyber Security, Clare O’Neil, is a necessary step forward in protecting critical infrastructure and the data of all Australians. Minister O’Neil’s focus on key sectors will strengthen the nation’s stance on cyber security, by keeping us on the front foot as we see new trends and increased aggression from global ransomware groups targeting Australians,” Power said.

However, manager of opposition business Paul Fletcher has been critical of the new program. He said that “part of this undoubtedly is a bit of political management on the part of Clare O’Neil”.

Fletcher then said that a key strategy in bolstering cyber security in Australia would be the introduction of digital identity providers — a safe and secure way to verify your identity without an institution needing your actual information, meaning there is no data for a hacker to steal.

“The underlying problem with hacking of businesses is that businesses store a lot of your personal information — name, address, driver’s license,” said Fletcher in an interview with Sky News.

“If instead, we could establish our identity digitally where each of us had a so-called trusted digital identity provider.

“One of the advantages of that system would be, in this case, Telstra or Optus or the bank would not keep a whole lot of detailed personal information about you or me — it would have received the digital certificate that would simply verify I was who I was claiming to be.”
