The cyber security landscape: a regional comparison | Fieldfisher
Insight

The cyber security landscape: a regional comparison

James Walsh
25/05/2023

Locations

United Kingdom

The increasing regularity of high-profile cyber incidents is a constant and costly reminder that effective cyber resilience is fundamental to realising the promised benefits of digitisation.

Governments around the world have been considering the cyber security threat landscape and enacting new laws and regulations to ensure that steps are taken by industry to manage these risks.

The Australian Institute of Company Directors ("AICD") recently commissioned King & Wood Mallesons to analyse and compare existing and proposed cyber security obligations in Australia against those in the United States, Canada, the European Union and the United Kingdom (collectively the "Surveyed Jurisdictions").

A copy of the full report, prepared with the assistance of Fieldfisher and Davies Ward Phillips & Vineberg, is available on the AICD website here.

The report findings help to highlight regional synergies and differences with respect to cyber security obligations and policy and will therefore no doubt be of keen interest to EU and UK clients with international reach. We summarise the key findings below.

Key findings - overview

Across the Surveyed Jurisdictions, the report observed:

  • There are no general duties imposed on directors in relation to cyber security.
  • A growing trend towards the introduction of cyber security responsibilities for directors under industry-specific regulatory frameworks.
  • Critical infrastructure is the dominant focus of cyber regulatory reforms.
  • Significant new legislative and regulatory developments in cyber security are expected, with every Surveyed Jurisdiction having recently upgraded, or currently upgrading, material elements of its cyber and privacy-related regulation.

Governance and board accountability

Finding #1: There are no general duties imposed on directors in relation to cyber security.

The report observed that none of the Surveyed Jurisdictions impose general duties on directors to ensure the cyber security of their organisations. However, in all Surveyed Jurisdictions, directors have general duties of care, skill and diligence to their organisations. This means that directors should be capable of satisfying themselves that cyber risks are adequately addressed and that organisations are cyber resilient. In the event of a data breach, directors may face claims for breach of these general directors' duties, including by regulators.

Finding #2: There is a trend towards imposing cyber security responsibilities on directors under industry-specific legislative frameworks.

The report observed a trend of increasing governance implications and accountability for boards and management in particular industry sectors. Beyond critical infrastructure, significant sectors (particularly financial services and telecommunications) are subject to sector-specific cyber security obligations. For example:

EU/UK: Under the NIS 2 Directive ((EU) 2022/2555), EU Member States must ensure that the management bodies of regulated entities approve and oversee the implementation of cyber security risk management measures. Failure to do so may expose companies, officers and directors to liability, depending on how NIS 2 is implemented into the law of each EU Member State. In the UK, Supervisory Statement SS1/21 issued by the Prudential Regulation Authority sets out its expectation that boards of financial sector firms should collectively possess adequate knowledge, skills and experience to inform decisions that have consequences for operational resilience.

Australia: Under CPS 234, the board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.

Finding #3: There is increasing scope for actions to be brought directly against directors in relation to cyber security.

EU/UK: There is no explicit cause of action against company directors under either the EU or UK GDPR. However, in the UK, directors can be liable for data protection offences committed with their consent or connivance. There is also the potential for directors to be subject to compensation claims from individuals if, and to the extent that, they are considered a distinct and separate "controller" from the company, such as where they go beyond the scope of the company's instructions and make their own decisions about the way in which data is processed. Breach of general directors' duties remains the most likely cause of action to be brought against company directors in relation to cyber security failings.

US: There is a strong precedent of class actions being brought against boards and officers in relation to cyber security in the US. While there are no explicit legislative requirements for directors under US cyber security legislation, nor a statutory tort arising out of a cyber security or data breach, actions have been brought on the basis that the board failed to exercise appropriate oversight of a company's cyber security. Actions have also been brought on other grounds, including breaches of express or implied contracts, negligence, other common law torts, or breaches of consumer protection legislation.

Australia: There is far less precedent in Australia for direct actions against directors in relation to cyber security. It remains to be seen whether the environment will change with the recent proposals in the Attorney-General's Privacy Act Review Report to introduce a direct right of action enabling individuals to apply to the courts for relief in relation to privacy breaches, as well as a statutory tort for serious invasions of privacy.

Sector-specific cyber security obligations

Finding #4: In general, stronger sector-specific cyber security obligations are being introduced to address supply chain and national security risks posed by cyber threats.

Critical infrastructure is the dominant focus of cyber regulatory legislation and reform across all Surveyed Jurisdictions.

EU/UK: Both the EU and UK already have an established and comprehensive framework regulating the cyber security of critical infrastructure. In both jurisdictions, operators of essential services and digital service providers are required to take appropriate and proportionate measures to detect and manage security risks, and to notify the relevant authorities of incidents that have a significant impact on the continuity of essential services.

Australia: The ongoing reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are central to Australia's national strategy to strengthen cyber security and protect Australian businesses against cyber threats. At present, the SOCI Act imposes obligations on responsible entities for critical infrastructure assets in relation to reporting, notification, government assistance, risk assessment and planning.

US: Federal regulation in the US is trending in a broadly similar direction in relation to the reporting and notification of incidents in critical industries. Its scope is otherwise comparatively limited.

Canada: The critical infrastructure security regime in Canada is at a nascent stage. Although a cyber security bill has been proposed, there is currently no legislation that applies specifically to Canada's critical infrastructure.

Cyber intelligence sharing mechanisms and frameworks

Finding #5: Stronger multidirectional information sharing mechanisms are expected.

The Surveyed Jurisdictions were observed to have a range of mechanisms and frameworks to facilitate intelligence sharing and support in relation to cyber security threats and incidents. These mechanisms are largely voluntary. As cyber risks continue to grow and affect both governments and companies, there is a focus on increasing the speed and scale of cyber intelligence sharing and threat blocking.

EU/UK: The mechanisms to facilitate cyber information sharing in the EU and UK are relatively robust. In both jurisdictions, there is a designated national single point of contact to provide specific support to companies during cyber incidents. Significantly, in the UK, registered private sector organisations and government departments can also access a secure and confidential platform to share cyber threat information in real time. This platform enables fast, scaled and multidirectional information sharing. At present, sharing remains voluntary.

Australia: At present, a number of Australian organisations can provide information and support to companies in relation to a cyber threat or incident. In particular, the ACSC leads the Australian Government's cyber security efforts, and AusCERT is specifically charged with facilitating cyber security threat information sharing and monitoring. However, there is no legal obligation to report cyber incidents to the ACSC (except for responsible entities for critical infrastructure assets under the SOCI Act). Nor is there any requirement to notify the Australian Federal Police, or any other Australian law enforcement body, of a cyber incident, even though it can be useful to do so.

US: While the US Government has identified robust cyber intelligence sharing and victim notification mechanisms as a strategic priority, there is only limited coordinated cyber intelligence sharing for entities outside critical sectors at present. For entities in critical sectors, real-time intelligence sharing tools are available. Importantly, these tools offer companies anonymity, as well as certain liability and privacy protections, to encourage information sharing. However, use of the tools is not mandatory.

Canada: Canadian companies have access to a limited range of voluntary cyber intelligence sharing frameworks. The Canadian Centre for Cyber Security also issues alerts and advice on potential, imminent or actual cyber threats, vulnerabilities or incidents relevant to Canada and Canadians.

International coordination for cyber incidents

Finding #6: There is increasing international coordination in response to cyber incidents.

Effective international coordination has been recognised as key to addressing and responding to cyber incidents. Accordingly, there has been an increasing effort to scale the emerging model of collaboration among national cyber security stakeholders into cooperation with the international community. In the EU, for example, this cooperation takes place through ENISA. Elsewhere, partnerships such as the Counter-Ransomware Initiative, the Quadrilateral Security Dialogue (or the "Quad", a partnership between the US, India, Japan and Australia) and AUKUS (a trilateral security and technology pact between Australia, the US and the UK) enable participating territories to:

  • share cyber threat information;
  • exchange model cyber security practices;
  • compare sector-specific expertise;
  • drive secure-by-design principles; and
  • coordinate policy and incident response activities with their international counterparts.

Future directions

Finding #7: Significant new cyber security regulatory developments are expected in each Surveyed Jurisdiction.

Significant new cyber security regulatory developments are expected in each of the Surveyed Jurisdictions as countries grapple with cyber security threats and risks.

EU/UK: In the EU, on top of its already advanced cyber regulatory landscape, additional new and enhanced cyber obligations are proposed, including in relation to AI systems. The UK's cyber regulatory landscape is also moving quickly. In particular, the UK Government has proposed amendments to the scope of the existing privacy and data protection regime.

Australia: Significant reforms in cyber security and data governance are likely to occur in Australia in the near future. At this stage, it is not clear what reforms will result from the consultation on the Strategy Paper. However, additional new cyber security-related obligations are separately expected to be introduced through changes to Australia's data privacy law arising out of the Attorney-General's landmark Privacy Act Review Report.

US: The White House recently published its 2023 National Cybersecurity Strategy. Although the strategy does not particularise the proposed new cyber obligations, it sets out the US Government's intention to integrate federal cyber security centres, establish new critical infrastructure cyber security requirements, and scale intelligence sharing and victim notification mechanisms.

Canada: New obligations are proposed for operators of critical cyber systems, alongside similarly significant new developments regarding the Canadian federal privacy framework.

State of flux

Clearly, the international cyber security regulatory landscape is in a state of flux. However, in general, the Surveyed Jurisdictions share common cyber security policy objectives. Each jurisdiction is implementing regulatory reforms to make itself more cyber secure and cyber resilient, often in ways that are increasingly consistent with one another. This is to be expected, given the global nature of cyber security risks and the natural convergence of policy outcomes and the mechanisms used to address them.

Importantly, corporate governance must take account of cyber security threats and manage regulatory compliance across the industry sectors and international jurisdictions in which companies operate.
