As a leading professional services firm, KPMG Australia (KPMG) is committed to meeting the requirements of our stakeholders – not only the organisations we audit and advise, but also employees, governments, regulators and the wider community.
We strive to contribute to the debate that is shaping the Australian economy and welcome the opportunity to provide a submission to the Department of Home Affairs’ (Home Affairs) Discussion Paper: Strengthening Australia’s cyber security regulations and incentives (the Discussion Paper).
COVID-19 and the impact on the risk environment
The COVID-19 pandemic has relocated workers from their corporate environment to studies, bedrooms and kitchen tables all over the world – and the vulnerability of organisations has expanded exponentially as a result. Since the start of the pandemic, cyber criminals have capitalised on this disruption. They have industrialised and commoditised the scale at which they can launch attacks. There has never been a more important time for government and business to reassess the key pillars that support a safe, secure and resilient cyber sector.
In this context, KPMG International surveyed 17 Australian CEOs, all representing businesses with over US $1 billion turnover, as part of the 2021 Global CEO Outlook Pulse Survey. The survey found that 59 percent of those Australian CEOs plan to invest more in data security measures compared to a year ago, as cyber security risk poses the greatest threat to their organisation’s growth. KPMG’s 2021 CEO Outlook also confirmed that the top three risks to growth over the next 3 years for Australian CEOs were cyber (22%), regulatory (20%) and supply chain (12%).
Cyber security top technology investment priority
KPMG’s 2020 Global CIO survey also found that in addition to cybercrime challenges faced before the current COVID-19 crisis, more than four in ten (41 percent) companies have experienced additional cyber security incidents, mainly from spear phishing and malware attacks. This challenge has caused security to become the top technology investment priority, and for the first time in the KPMG survey’s 22-year history, cyber security expertise has become the highest skill set in demand.
The Global CEO Outlook Pulse Survey and the 2020 Global CIO survey both demonstrate that cyber risk is top of mind for many business leaders, however there is a wide variation in the level of cyber security knowledge depending on the businesses size and risk appetite. While all directors have an obligation to act in the best interests of the company, the degree to which cyber security is considered within existing obligations can be unclear for directors.
A clear set of cyber security regulatory reforms
KPMG’s submission addresses the three broad themes in the Discussion Paper: setting clear minimum expectations, increasing transparency, and disclosure and protecting consumers. But it also calls out opportunities for the Australian Government to address additional challenges, such as mandatory reporting of cyber incidents, cyber risk through a geopolitical lens and measures to boost Australia’s cyber security workforce, the latter often a key inhibiter for investing in cyber security.
KPMG’s view is that a clear set of cyber security regulatory reforms should drive practices that strengthen Australia’s collective ability to deter, prevent, defend, detect, respond and recover from cyber incidents and enable greater commercial and market opportunities. Ambition for a high performing and competitive cyber security industry will also have positive flow on effects throughout the Australian economy. Cyber security regulatory reforms across the economy will create demand for cyber security and related services, and thus support acceleration of Australia’s cyber security industry, but we must have the workforce ready to take up the challenge.
Attracting and retaining cyber security professionals
Governments and private organisations are finding it challenging to find skilled cyber security professionals. To ensure a pipeline of skilled ICT and cyber security professionals, it is critical that Australian policy makers, education providers and businesses work together to increase the number of professionals coming into the workforce and increase the common services that can be leveraged.
While there is limited capacity to employ cyber professionals, business leaders must remain alert to cyber security threats. This could be achieved through increased digital literacy amongst Australia’s non-technical professionals including at the board and executive level. Education providers and businesses can address this need through high-quality learning and development opportunities. There may be a role for government to accelerate interest and access to these opportunities.
Greater and clearer security standards and transparency
KPMG’s submission highlights that the already strong evidence that cyber incidents are affecting Australian government agencies, businesses and individuals with often devastating implications. Mandatory reporting of cyber incidents may help policy makers accurately assess the scale of incidents and their impacts and drive market changes, if de-identified information is shared.
Lastly, as a consumer of technology products, KPMG welcomes greater and clearer security standards and transparency on the security features of technology products. KPMG undertakes thorough risk assessments to ascertain product security and suitability, however we recognise other businesses or individuals may not be able to undertake rigorous assessments. Improving the security standards of technology products, coupled with changing user behaviour, should help to reduce instances of cybercrime. These standards and user behaviours need to keep up with evolving technologies and abilities of cybercriminals.
KPMG sets out 19 findings that seek to strengthen and better incentivise investment in cyber security to ensure we can be a leading digital economy prepared to meet the challenges of a heightened cyber security risk environment.