PwC has publicly welcomed the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 by the Australian Government as a significant step to securing the future economic prosperity of Australia.
The Australian Government has recognised the need for greater protection of Australia’s ‘critical infrastructure assets’ and ‘systems of national significance’, expanding regulation to enhance cybersecurity awareness and responsiveness across a number of sectors.
Corinne Best, Partner, Assurance – Trust & Risk at PwC Australia, said the firm supports the Critical Infrastructure Bill introduced by the Australian Government and believes it is an important initiative in securing Australian critical infrastructure and supporting national resilience. Government and business have simultaneously acknowledged the importance of strengthening resilience in the face of disruption and shocks, and this presents a window of opportunity for regulatory reform and for building new partnerships.
“We believe that an enhanced regulatory framework for critical infrastructure will enable industry and government to work more effectively together to reduce risk of disruption from all hazards and threats, and enable rapid restoration of social and economic activities when crises eventuate. It is important the Government sets the right tone with the new reforms, specifically in regards to the cybersecurity responsibilities that belong to critical infrastructure entities, and the role that government plays from a risk management perspective.”
Best notes that critical infrastructure operators across various industry sectors exist on a broad spectrum of cybersecurity maturity, ranging from organisations that have invested in cybersecurity for many years to those with limited resources that have only recently embarked on that journey.
“One of the challenges and opportunities of this legislation is uplifting critical infrastructure operators’ cyber maturity so they can meet these obligations – for many this will be a journey, rather than a switch that can be flicked once the legislation comes into place. To raise the baseline across that spectrum, it is important for operators to learn from those who are doing well and strengthen the resilience of those less mature, less resourced operators in order to raise the bar holistically.
“We would also hope that current Australian Government standards would be applied so as not to duplicate reporting, accreditation standards and regulatory requirements, to reduce unnecessary burden. Ideally, requirements and standards for various documentation and compliance reporting should align with the Information Security Manual, the Cloud Assessment and Authorisation Framework, the Notifiable Data Breach Scheme and the Protective Security Policy Framework,” continued Best.
In 2020, disruption came in many forms, from accelerated digitisation to pandemics, bushfires and floods, and the impacts of those threats are becoming increasingly converged.
“2020 has brought into stark relief that disruption is a fact of life and is occurring with increasing frequency around the world. Cyber attacks across Australia have also accelerated substantially over the last 12 months, with more cyber attacks targeting cloud services, ransomware and state-sponsored hacks expected. Whilst there are tremendous benefits from increasing digitisation and automation, the risk of disruption to our most critical services has increased; physical boundaries and geographic isolation can no longer be considered a safeguard.
“The year 2020 will be remembered as a challenging one and, moving towards 2021, leaders will be taking stock, learning lessons and mapping their way to recovery. Critical infrastructure was disproportionately challenged in 2020, experiencing spikes in cyber threat, load burdens and environmental, economic and geo-political adversity. The Critical Infrastructure Bill, and other trends from 2020, will be important markers for leaders planning the way ahead,” concluded Best.