Macquarie responds to Aust Govt cyber security moves so far

THE FEDERAL Government published industry responses for reforms to Australia’s cyber security legislation on Thursday, including those from Macquarie Technology Group, AWS, CyberCX, AISA, Tech Council of Australia, Telstra and others.

In its submission, the Macquarie group calls for the creation of a co-regulatory industry group modelled on the existing Communications Alliance, which it says will foster collaboration with the Australian Signals Directorate and National Cyber Coordinator.

The company also called for smaller businesses not to be exempted from reporting rules, enabling better threat intelligence sharing to support smaller businesses in that regard. Macquarie further called for the government’s proposed Cyber Incident Review Board (CIRB) not to be modelled on the Australian Transport Safety Bureau (as has been suggested), and for business-critical data to be regulated under the Security Of Critical Infrastructure (SOCI) Act, not the Privacy Act.

Other key points raised in the Macquarie submission included not limiting ransomware reporting obligations to businesses of a certain size or threshold; including small businesses in the regulatory process so that threat sharing would be made simpler; the suggestion of what it called a new Cyber Alliance Board to boost collaboration; the Federal Government taking a lead from other co-regulatory approaches, such as those used in the telecommunications sector; and looking at other models both national and international. 

In its submission Macquarie gave its views on each of these areas:

“Macquarie is however concerned about limiting this [ransomware] reporting obligation to businesses of a certain size or threshold. This concern is twofold. Firstly, Macquarie repeats its general concerns regarding exceptions to cyber security standards. In order to close the gaps in our current legislative and regulatory framework for cyber security (an aim of the Paper), we need a fulsome legislative response rather than have specific businesses not subject to the regimes.

“Macquarie submits that the way to assist small businesses and the perception that they may not be in a position to absorb the additional regulatory burden imposed by a new reporting obligation is to make the threat sharing as simple as possible.

“We strongly acknowledge the importance of this collaboration [between the ASD Cyber Coordinator] and have considered the issue in detail and suggest that Government consider the establishment of a Cyber Alliance Board to assist this objective.

“To best achieve outcomes while working together we suggest the Australian Government look to other co-regulatory approaches to support and encourage industry self-regulation as models for best practice. The telco sector in specific, which is a related field (with technology, data and connectivity being at the core), provides a useful precedent for co-regulation.

“The co-regulatory model, or Cyber Alliance Board, could focus specifically on co-regulatory and legislative matters while keeping the existing [Trusted Information Sharing Network] TISN, industry and security discussions separate. For example, the current SOCI reviews the subject of this paper and those scheduled for 2025 would clearly benefit from a legislative guidance from key cyber industry stakeholders. 

“The United States’ Cyber Safety Review Board (CSRB) is a potential model [for the CIRB]. However, we disagree that the Australian Transport Safety Bureau (ATSB) is a precedent that should be followed. The ATSB was formed on 1 July 1999 and it investigates transport safety matters. This is a very established area with known and recognised risks and solutions which have been drawn from decades of research and data. Cyber is far less known.

“We have heard some feedback from members of industry that the best place for regulating business critical data is the Privacy Act. We strongly disagree. The Privacy Act does not provide guidance and regulation on how to best store data and respond to breaches. The SOCI regime does. The Government must look beyond an individual rights approach which the Privacy Act provides.”

Macquarie’s full submission can be read here. 

www.macquarietechnologygroup.com

ends