In a rapidly digitising world, the urgency to fortify cyber defences has never been greater. Regulatory frameworks are evolving at an unprecedented pace, especially in the United States and Europe.
Mark De Boer
August 31, 2023

https://www.cybernewscentre.com/plus-content/content/apra-asx-and-asic-australias-multifaceted-approach-to-cybersecurity-in-2023

In a rapidly digitising world, the urgency to fortify cyber defences has never been greater. Yet, in Australia, APRA's recent 2023 announcements, the 2022 ASX guidelines on company disclosures, and newly issued mandates by ASIC showcase a cautious yet proactive approach. This article presents a panoramic view, emphasising the significance of the Australian regulations in the context of the EU and the U.S. developments in 2023.

APRA’s 2023 Game Plan: A Deep Dive

APRA’s 2023-24 Corporate Plan has sent ripples through Australia’s financial sector. According to APRA, "risks to operational resilience are heightened" due to the rise in cyber-attacks and the increasingly interconnected financial system. The regulator also outlined its strategies for system-wide risks, operational resilience, and climate-related financial risks. Its commitment to "heighten expectations on regulated entities to address identified control weaknesses" offers a comprehensive, multipronged approach. While not as punitive as EU regulations, it places considerable onus on the corporations, thereby aligning more closely with the American model represented by the SEC.

Australia's APRA has adopted a more all-encompassing approach, laid out in its Corporate Plan for 2023-2024. Rather than concentrating solely on one financial sector, the plan cuts across banking, insurance, and superannuation. APRA aims to boost system-wide resilience against an array of risks, from economic instability and climate change to cybersecurity threats. 

The plan echoes the sentiments of APRA Chair John Lonsdale, who emphasised the need to be “protected today” and “prepared for tomorrow.”

The ASX and ASIC in 2022: Filling the Gaps

Since 2017, ASX has been educating the market on “Cyber Pulse”. Last year, ASX urged listed companies to "implement a plan for how they will inform the market of a data breach." Similarly, ASIC’s new guidelines emphasise corporate governance responsibilities. The continuous disclosure obligations under ASX’s Listing Rule 3.1 compel corporations to act “promptly and without delay,” a requirement that complements APRA’s emphasis on operational resilience.

Global Advances in 2023: EU Commission and SEC

In July 2023, the SEC underscored the need for standardised cybersecurity disclosures. Simultaneously, the EU Commission is significantly ramping up its transatlantic cyber intelligence operations and legislative frameworks. Their concerted efforts seem to create a proactive shield, one that appears to be a step ahead of Australia's regulatory mechanisms.

Europe’s take on cybersecurity, unlike America’s national security-centric view, prioritises personal privacy. The EU's Cyber Resilience Act aims to standardise cybersecurity measures across different sectors and threatens hefty fines for non-compliance. While this is a step in the right direction, critics argue that it might stymie technological innovation and deployment.

Frightening or Enlightening the U.S.?

The EU's emphasis on privacy has some predicting a rift between European and U.S. policies. Unlike the U.S., which largely considers cybersecurity a matter of national security, the EU is more focused on individual privacy rights. This divergence could strain partnerships and shared initiatives between the two regions, as each places a different set of values at the forefront of its cybersecurity agenda.

Comparative Insights: Australia’s Cautious Progress vs. Global Initiatives

APRA and SEC: Risk Mitigation vs. Disclosure

While APRA is actively working to mitigate systemic risks, the SEC's focus is primarily on informing investors. APRA’s approach resonates with the SEC’s intent but adds layers that address systemic vulnerabilities.

The EU Commission has advanced to the implementation stage of its cybersecurity strategy, while Australia's Federal Home Affairs remains in the planning phase, highlighting a gap in readiness between the two. Additionally, ASX and ASIC's guidelines in Australia are centred more on corporate governance and reporting, an emphasis not as prevalent in EU or U.S. regulations.

The Road Ahead for Australia

Australia’s regulatory fabric, led by APRA, ASX, and newly issued ASIC guidelines, is cautiously but steadily evolving. However, when compared to the fast-paced changes at the SEC and the EU Commission, there’s a palpable need for Australia to accelerate its efforts.

While APRA's 2023 plans are comprehensive, they lack the aggressive pace set by the EU and the U.S. The meticulous and cautious Australian approach is both its strength and its limitation. A concerted effort that accelerates the pace of these regulatory changes could put Australia on an equal footing with its global counterparts, ensuring not just a resilient domestic framework but also a robust participation in crafting a global cybersecurity landscape.
