Cyber: Insurers are critical infrastructure, are you prepared?

Government is considering an economy-wide cyber move, says Clyde & Co expert

By Daniel Wood

The federal government has announced that the country’s biggest banks and financial services companies – and by implication insurance companies – are taking part in war-gaming style exercises to test how they would respond to cyberattacks.

The move is one of the government’s cyber defence initiatives in the wake of the major attacks on Medibank, Optus and Latitude Financial that impacted millions of Australians.

New legislation passed last year, widening the definition of Australia’s critical infrastructure, helps make these government initiatives possible. One of these items, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on April 2, 2022.

What is critical infrastructure?

Until then, the regulatory burden of being regarded by the government as critical infrastructure only applied to four sectors: electricity, gas, water and maritime ports. These changes last year increased the number of areas covered by the Act to include financial services and markets and, therefore, the insurance industry.

“We are looking here at one particular part of the economy, but it is those entities, businesses and assets that are considered critical infrastructure - and insurance is one of those,” said data privacy and cyber expert Alec Christie.

When Insurance Business suggested to the Clyde & Co partner that this expansion of Australia’s definition of critical infrastructure sounds like a paradigm shift, he agreed.

“It is in Australia, yes,” said the Clyde & Co partner. “It was four sectors before and now it’s 11.”

However, he said, while this change is big for Australia, it is already old news in other Western countries.

“In the UK, US and Canada, larger insurers were always considered as critical along with the banking system,” said Christie.

The government’s recent focus on cyber security governance initiatives is also not novel internationally.

“China did it two years ago, the UK has been doing it for years, the US are patchy but do it across various sectors and Canada and other jurisdictions are doing it as well,” he said.

Christie said the European Union (EU) is ahead of the curve on cyber security governance by considering the implementation of “a much broader definition of critical infrastructure,” that he expects to involve about 50% of the economy.

Aussie cyber regs could go “a step beyond”

However, he said, in one respect, the Australian government’s moves are “a step beyond” what others are considering.

“This current government is seriously thinking about starting, from the bottom up, an economy wide, government wide baseline cyber security,” said Christie.

He said these cyber moves are part of recent expansions to the Security of Critical Infrastructure Act 2018 (SOCI Act).

“Recent expansions to the Security of Critical Infrastructure Act 2018 have resulted in greater obligations being imposed on insurers,” says a soon-to-be published Clyde & Co briefing. “Although it aims to improve cyber security frameworks across Australian industries, hefty penalties for non-reporting mean insurers must ensure that they are on top of the new requirements.”

In 2023, says the briefing, there will be new obligations under what’s called a Risk Management Program (RMP) involving annual reporting of performance against RMP criteria.

Christie links these changes to other regulatory initiatives, such as the Australian Prudential Regulation Authority’s (APRA’s) proposed new operational risk prudential standards, due to start in January 2024. These include a Financial Accountability Regime (FAR) to increase transparency and accountability across the financial services industry.

“Certainly FAR, in terms of the accountability framework and the governance uplift, that’s very much a part of these changes to SOCI and that, in turn, is very much connected to critical infrastructure looking at cyber,” said Christie.

APRA is reflecting critical infrastructure requirements

He said insurers are starting to see these critical infrastructure initiatives reflected in APRA requirements.

“Generally, in business, the government is currently talking about baseline cybersecurity uplifting to a mandatory obligation,” said Christie. “What was happening in critical infrastructure and with APRA in CPS 234 [an outline of the government’s cyber security requirements] is starting to spread wider and more seriously because I think the government sees what is happening with ransomware and other cyber incidents as a real blight on the economy, something that’s really holding us back.”

At the moment, the new RMP requirements coming into effect in August, said Christie, don’t apply directly to insureds.

“A lot of insureds in the cybersecurity space, when they have this critical infrastructure, have this additional reporting obligation,” he said.

Christie suggested this could be good news for insurers because, in some ways, it relieves them of some of the cyber risk managing responsibility.

“Insureds in critical infrastructure will have to show the department what they’re doing and the department gets to say, ‘Sorry, that’s not good enough, you’ve not assessed that risk properly, here’s our feedback,’” he said. “So what they’ve got to do is come up with this program to manage the risk, in particular, cyber, and then, every year, they’ve got to report on it.”
