
In our previous blog post we covered how privacy and data security are governed in Australia and some of the expected upcoming changes. 


The Privacy Act is intended to be a piece of legislation that ‘covers the field’, in that it applies to a broad range of organisations and businesses. In certain industries, however, more specific regulations and rules also apply. Enforcing those more specific rules is the responsibility of other regulators, which work alongside the Office of the Australian Information Commissioner (OAIC). 


In this blog post we list some of the other Australian cyber security requirements and regulations that are industry-specific. 


Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 234

APRA Prudential Standard CPS 234 (Information Security) is designed to improve the cyber resilience of APRA-regulated entities and their response to information security incidents. It applies to the entities APRA supervises: banks, credit unions and building societies (authorised deposit-taking institutions), general, life and private health insurers, and superannuation (RSE) licensees. Each entity must maintain an information security capability commensurate with the size and extent of the threats to its information assets, and the board is ultimately responsible for that capability. 


One of the key objectives of CPS 234 is to reduce the likelihood and impact of security incidents, and the standard places particular emphasis on information assets managed by third parties and related parties. Regulated entities must also notify APRA within 72 hours of becoming aware of a material information security incident, and within 10 business days of identifying a material control weakness that they expect will not be remediated in a timely manner. All regulated entities have been expected to meet these requirements since 1 July 2019, with a transition period to 1 July 2020 for information assets managed by third parties. 



Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a contractual security standard, not legislation, that applies to any organisation that stores, processes or transmits payment card (credit or debit card) data. If you sell products or services to customers and allow them to pay by card, the standard applies to you. It still applies if you outsource the handling of card data to a payment provider; in that case your validation scope is much smaller (typically a short self-assessment questionnaire) but it does not disappear. Compliance is enforced through the card schemes and your acquiring bank rather than by a government regulator.


The purpose of PCI DSS is to provide a single set of requirements governing how cardholder data is processed, stored and transmitted, with the aim of reducing payment card fraud. The standard was first published in 2004 and is maintained by the PCI Security Standards Council; version 4.0, published in March 2022, replaced version 3.2.1 on 31 March 2024.


Australian Energy Sector Cyber Security Framework (AESCSF)

Energy security and safety have featured in the news more often in recent years. The AESCSF is a cyber security maturity framework developed specifically for the Australian energy sector by the Australian Energy Market Operator (AEMO) in collaboration with industry and government, drawing on the US Department of Energy's Cybersecurity Capability Maturity Model (C2M2) and adapted to the Australian context (for example, by referencing the Australian Privacy Principles and the ACSC Essential Eight). It provides guidance for organisations operating in the energy sector on how to identify and manage cyber security risks and how to improve their overall cyber security maturity. It applies to industry participants in the electricity and gas sectors (and, since 2022, liquid fuels) that operate in:

  • generation, 
  • transmission, 
  • distribution, 
  • retail sale, 
  • production, and
  • transportation.


Defence Industry Security Program (DISP) 

The Defence Industry Security Program (DISP) is a membership program that supports Australian businesses to meet their security obligations when working on Defence projects, contracts and tenders. It is managed by the Defence Industry Security Office (DISO). Membership is assessed across four security categories (governance, personnel security, physical security, and ICT and cyber security) at levels matched to the sensitivity of the work involved; the ICT and cyber security requirements draw on the ACSC Essential Eight and the Information Security Manual (ISM). DISP sets out the security requirements for Defence contracts, gives members access to Defence security advice and support services, helps them manage security risks, and gives Defence and other government entities confidence when procuring goods and services from industry members. Note that DISP membership is distinct from personnel security clearances, which are issued by the Australian Government Security Vetting Agency (AGSVA), although DISP membership is what allows a business to sponsor clearances for its staff. 


Security of Critical Infrastructure Act 2018 

The Security of Critical Infrastructure Act 2018 (the SOCI Act) came into force in July 2018 and was designed to manage national security risks to Australia’s critical infrastructure. As originally enacted, the Act applied only to assets in the electricity, water, gas and ports sectors. It has since been substantially expanded: the Security Legislation Amendment (Critical Infrastructure) Act 2021 extended coverage to 11 sectors (communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage) and introduced mandatory cyber incident reporting, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 added the risk management program and the ‘Systems of National Significance’ regime.


The purpose of these reforms was to strengthen the earlier framework for managing risks to critical infrastructure. The obligations fall mainly on the ‘responsible entity’ for each critical infrastructure asset: registering the asset, reporting cyber security incidents to the Australian Cyber Security Centre (within 12 hours where the incident has a significant impact on the asset, and within 72 hours otherwise), and, for the asset classes switched on by the rules, maintaining a critical infrastructure risk management program. A small subset of the most important assets can additionally be declared by the Minister for Home Affairs to be ‘Systems of National Significance’. These are assets whose disruption would have severe consequences for the economic stability, national security or social stability of the country, and they attract enhanced cyber security obligations such as incident response planning, cyber security exercises, vulnerability assessments and providing system information to government. 


The Act places the responsibility on the responsible entity to identify material risks to the asset and, so far as is reasonably practicable, to prevent and mitigate them. Consistent with good practice, the risk management program must be reviewed regularly and kept up to date, and the entity must give the regulator an annual report on the program that has been approved by its board or governing body. 


Not every important piece of infrastructure will be a critical infrastructure asset, let alone a system of national significance, as defined in the Act. For most businesses, the main relevance of the Act is that contracting as a supplier or service provider to the operator of such an asset may bring additional scrutiny and reporting requirements, because those operators must manage supply chain risk in order to satisfy their own legal obligations.


Key Takeaways 

This might be the first time you have heard of these laws and regulations, so don’t worry if it seems like an overwhelming amount of detail. The law in this space is evolving rapidly to keep up with changes in our digital world. 


To better understand which of these laws apply to your business, and more importantly, to find out what you might need to do to comply with them, feel free to contact CyberUnlocked for timely, up to date advice specific to your business and industry.




