Regulation driving uplift

Jones said there is broad acceptance that appropriate regulation is a good thing, and clear regulation can create certainty for organisations as they invest in regulatory compliance, including cyber uplift programs. He also noted that progress on recent cyber regulatory reform had been marked by high levels of consultation, which had facilitated increased collaboration and enhanced trust between government and industry.

“When it comes to certain regulatory reform areas in Australia, we have seen a degree of genuine consultation and willingness to have open conversations. However, I do think that improved coordination and prioritisation across the different regulators, when they are looking at major reform, would be viewed as a useful development,” Jones said.

The survey results also suggest that there is some confusion when it comes to terminology used in the regulation of cyber risk in Australia. 26% of respondents admitted to not knowing whether operational resilience obligations applied to their organisation. However, there was greater awareness among organisations captured by the SOCI Act (53% of respondents), with just 6% of those respondents uncertain about their operational resilience obligations.

Despite the comparatively positive outlook in relation to certain aspects of the regulatory environment, Jones noted that, for organisations operating in an internationally competitive environment, overly-onerous domestic compliance requirements or ones which have significant productivity impacts could result in “regulatory arbitrage”.

“If a regulatory regime becomes too difficult and costly to comply with, then international organisations may refocus investment in offshore locations which may have lighter handed regimes,” Jones said.

“While there are challenges in that space however, no one is saying ‘get rid of regulation’. Rather, I think people are saying we need appropriately calibrated regulation that is focussed on a proportional response to risk. And it can never be zero risk.”