
Will mistrust between government and industry affect new cyber laws?


Published 09-APR-2018 11:32 A.M.


4 minute read

Hey! Looks like you have stumbled on the section of our website where we have archived articles from our old business model.

In 2019 the original founding team returned to run Next Investors, we changed our business model to only write about stocks we carefully research and are invested in for the long term.

The below articles were written under our previous business model. We have kept these articles online here for your reference.

Our new mission is to build a high performing ASX micro cap investment portfolio and share our research, analysis and investment strategy with our readers.


As of 22 February 2018, Australian organisations are required to comply with the new data breach notification scheme (the Notifiable Data Breaches scheme) introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017. The scheme applies to all Australian organisations and agencies already covered by the Privacy Act 1988. Given the dramatic migration of cyber crime and fraud to businesses and government organisations of all sizes over the past five years, a federal data breach notification requirement, both to hold organisations accountable and to encourage the adoption of cyber security best practices, seems the obvious answer.

Op-Ed by Terry Roberts, Executive Chair of WhiteHawk Limited (ASX:WHK)

Ideally, we want to know what breaches are happening across government, industry, non-profits, and academia; the magnitude of the breach and the level of sensitivity of the data stolen; and, if available, the who, why, and how of the cyber adversary that took the data. This regulation is designed to gain insight into the scope of cyber events and the impact to our economies.

However, there is one major drawback to this regulation – the fact that it is federally administered. For over a decade, based upon my research and experience, I have recommended that cyber event reporting should be federally sponsored but administered by a non-profit, third party entity that is equally trusted by government and industry, and a proven cyber thought leader.

This is because private businesses and non-profits must, by necessity, protect their reputation and revenue first. The government, on the other hand, is focused on breach mitigation and on warning and informing customers. As a result, companies may be hesitant to report directly to the government because of these understandably conflicting priorities. And frankly, around the world, there simply is not a complete level of trust between government and industry.

An academic institute or non-profit cyber think tank can best serve as trusted entity for both industry and government and be the expert recipient for cyber event and breach reporting, conduct cyber intelligence analysis, and systematically disseminate notifications, preventative insights and recommendations broadly, without attribution to the impacted company or entity. Utilising a third party as the reporting mechanism means that a company’s reputation will be protected while the customers, clients, and personnel are still appropriately notified about remediation and mitigation of the event. This type of approach is more holistic, scalable and impactful over time.

I have also recommended this third-party framework in the US, where data breach notification regulation is currently highly segmented by state and industry. For example, the health care industry has specific rules about reporting breaches of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, the US currently has no single, broad data breach notification law comparable to Australia's new scheme.

So, how does a company prepare for a cyber breach? The first and most important lesson is that strong cyber protection is not about doing everything. That simply isn't affordable or practical. Instead, you must ensure that your customer files are protected and that your proprietary conversations and online communications are encrypted. It is the digital equivalent of making sure your doors and windows are locked and your jewels are in a safe. Begin by assessing your organisation's critical functions and prioritising what should be protected first, then back up everything else. Just like that, you are taking the first steps towards protecting your organisation.

It is also important to know that the first step for one company might be the third or fourth step for another, which can make the process seem overwhelming. This is especially true for small and midsize businesses (SMBs), which, as a result, are often the least prepared for a breach.

Until now, there hasn’t been a place for SMBs to quickly and easily profile their risks and put affordable and impactful solutions in place to lower their business risks today. I’ve worked hard the past several years on focusing my time and attention on building the first online cyber security exchange for this underserved market that doesn’t have the cyber security expertise and perhaps never will. This is what the WhiteHawk Cyber Security Exchange is all about. It is an exchange of best practices, cybercrime and fraud trends, analysis of your business risk, and an open marketplace of innovative products and service options.

Australia's new data breach notification scheme is an important step: it gives both government regulators and consumers greater peace of mind, and it can minimise serious harm to consumers whose information has been stolen or released. Now we need to work together to help businesses of all sizes put in place the infrastructure to protect themselves against cyber threats, and we offer our expertise to the Australian government to take it to the next level.

Terry Roberts is Executive Chair and founder of WhiteHawk Limited, the world's first online cyber security marketplace. Prior to this she was the United States Deputy Director of Naval Intelligence (DDNI).

General Information Only

S3 Consortium Pty Ltd (S3, ‘we’, ‘us’, ‘our’) (CAR No. 433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information and is for informational purposes only. Any advice is general advice only. Any advice contained in this article does not constitute personal advice and S3 has not taken into consideration your personal objectives, financial situation or needs. Please seek your own independent professional advice before making any financial investment decision. Those persons acting upon information contained in this article do so entirely at their own risk.

Conflicts of Interest Notice

S3 and its associated entities may hold investments in companies featured in its articles, including through being paid in the securities of the companies we provide commentary on. We disclose the securities held in relation to a particular company that we provide commentary on. Refer to our Disclosure Policy for information on our self-imposed trading blackouts, hold conditions and de-risking (sell conditions) which seek to mitigate against any potential conflicts of interest.

Publication Notice and Disclaimer

The information contained in this article is current as at the publication date. At the time of publishing, the information contained in this article is based on sources which are available in the public domain that we consider to be reliable, and our own analysis of those sources. The views of the author may not reflect the views of the AFSL holder. Any decision by you to purchase securities in the companies featured in this article should be done so after you have sought your own independent professional advice regarding this information and made your own inquiries as to the validity of any information in this article.

Any forward-looking statements contained in this article are not guarantees or predictions of future performance, and involve known and unknown risks, uncertainties and other factors, many of which are beyond our control, and which may cause actual results or performance of companies featured to differ materially from those expressed in the statements contained in this article. S3 cannot and does not give any assurance that the results or performance expressed or implied by any forward-looking statements contained in this article will actually occur and readers are cautioned not to put undue reliance on forward-looking statements.

This article may include references to our past investing performance. Past performance is not a reliable indicator of our future investing performance.