Skip to main content

Article

2023-2030 Australian Cyber Security Strategy

The long-awaited 2023-2030 Australian Cyber Security Strategy has just been released. Here’s a breakdown of key highlights on how the Australian Government plans to create a secure and resilient digital environment for individuals, businesses, and the nation as a whole.

Building a cyber-resilient nation for a secure digital future

On 22 November 2023, the Australian Government released its long-awaited 2023-2030 Australian Cyber Security Strategy. This strategy was the result of intensive consultation and aims to work towards making Australia a world leader in cyber risk management and security. It will be delivered in three phases over the next 7 years, with each phase building on the achievements of the last. This will include a commitment of $587 million to provide increasingly complex layers of defence to fight cybercrime and ensure Australian citizens and businesses become more cyber resilient.[1]

6 key "cyber shields" of protection

Fundamental to the strategy is the concept of six key "cyber shields" of protection, which are:

  1. Strong business and citizens: a commitment to ensure that Australian citizens and businesses are better protected from cyber threats and can recover quickly following a cyber-attack.
  2. Safe technology: Ensuring that Australians can trust that their digital products and services are safe, secure, and fit for purpose.
  3. World-class threat sharing and blocking: Ensuring that Australia has access to real-time threat data and the ability to block threats at scale.
  4. Protected critical infrastructure: Protecting critical infrastructure and essential government systems so that they can withstand and bounce back from cyber-attacks.
  5. Sovereign capabilities: Working towards Australia having a flourishing cyber industry, enabled by a diverse and professional cyber workforce.
  6. Resilient regional and global leadership: Ensuring that our region is more cyber resilient and will prosper from the digital economy. Upholding international law and best practice and shaping global rules and standards in line with shared interests.

The strategy is designed to be implemented in three phases, requiring ongoing collaboration between the Government and industry experts. Each phase will build upon the last, leading to an end goal of Australia being one of the most advanced and cyber resilient nations globally.

Phase 1
The first phase will be from 2023-2025 and aims to strengthen foundations, address critical gaps in the cyber shields, build better protections for the most vulnerable citizens and businesses, and support improved cyber maturity uplift across our region.

Phase 2
Phase two will be from 2026-2028 and involve a scale-up of cyber maturity with investment in the broader cyber ecosystem, cyber industry, and creating a diverse cyber workforce.

Phase 3
The final phase scheduled for 2029-2030 will be more globally focused. In this phase, the Government will aim to advance the global frontier of cybersecurity and lead the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape.

The strategy contains much detail about how each of the cyber shields will be implemented during the three phases. It also outlines the creation of an Executive Cyber Council consisting of both Government and industry representatives tasked with driving the strategy initiatives and fostering the sharing of threat intelligence and information. 

Key initiatives and impacts on businesses

Let’s take a look at some of the key initiatives in the new strategy that will impact businesses:

  1. Simplified reporting of cyber incidents
    A simplified and streamlined reporting process will be implemented, which aims to make it easier for businesses and individuals to report cyber incidents and obtain assistance when facing a cyber threat. A single reporting portal will consolidate various reporting channels with clear reporting guidelines, provide assistance and support, and encourage collaboration with law enforcement and the sharing of information between relevant stakeholders and reporting entities.
  2. Mandatory reporting of ransom demands and payments and creation of a ransomware "playbook"
    The Australian Government has not entirely banned the payment of ransom demands but is requiring the reporting of ransomware attacks via a "no fault, no liability" initiative. This is aimed at addressing the concern that many Australian businesses are not reporting cyber incidents due to the fear of recrimination from authorities and regulators. The Government is also planning to release a ransomware playbook to guide businesses in both preparing for and responding to ransom demands.
  3. Data retention
    The Government has acknowledged that there needs to be further guidance around data management and retention for the security of sensitive or critical data that falls outside the scope of the Privacy Act 1988 and the Security of Critical Infrastructure Act (SOCI) 2018. The goal is to provide further legislative amendments to govern non-personal data and simplify data retention requirements.
  4. Focus on emerging technology
    The strategy recognises the importance of addressing cybersecurity challenges associated with emerging technologies such as artificial intelligence, quantum computing, and the Internet of Things (IoT). It encourages businesses to adopt secure practices when using these technologies.
  5. Strengthening of critical infrastructure
    The strategy focuses on enhancing the security of critical infrastructure sectors, such as energy, telecommunications and transportation, to protect against cyber threats. Telcos are particularly in focus, and the Government will work with the industry to move the security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 to the SOCI Act to align their obligations with other critical infrastructure.
  6. Defining good cyber corporate governance
    The strategy acknowledges that current cyber regulations and standards are based on generalisations and terminology such as "reasonable efforts." The Government has committed to providing clarification as to exactly what cyber governance obligations and expectations are, which will assist businesses in creating strong cyber frameworks with clear definitions.

This is a significant development for the future of cyber risk management in Australia and will now be followed up with further legislation and directives aimed at implementing this strategy.

Overall, the 2023-2030 Australian Cyber Security Strategy aims to create a secure and resilient digital environment for individuals, businesses, and the nation as a whole. It recognises the evolving nature of cyber threats and the need for proactive measures to address them.

Learn more

Marsh is well-equipped to assist organisations in navigating the evolving cyber risk landscape and regulatory environment. With expertise in cyber risk management and insurance solutions, we can help your business thrive in the digital economy through enhancing your cyber resilience, developing robust frameworks and strategies to mitigate potential threats. If you have any questions about the Government’s new cyber security strategy or other cybersecurity matters, please contact one of our cyber specialists.

[1]www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy

 

Our people

Steve Thompson

Steve Thompson

Senior Manager, Cyber Solutions, Marsh Advisory

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. LCPA 23/507