As cyber security obligations for private companies and directors grow, orgs turn to SaaS

A Bill recently passed in parliament represents a new benchmark in the way governments are willing to impose cyber security obligations on private businesses to protect national interests.

Cyber attacks against businesses and government entities of all sizes have grown in intensity and frequency worldwide, driven by disruptive technologies and geopolitical competition.

This is causing governments to re-evaluate the protections in place for the infrastructure and services critical to their countries.

Towards the end of 2021, the Australian government made a big statement when it passed The Security Legislation Amendment (Critical Infrastructure) Bill 2021. The new Act, which reviews and revises the Security of Critical Infrastructure Act 2018 (SOCI Act), significantly expands both the number and type of businesses subject to the provisions of the law and increases the Federal Government’s powers.

The Federal Government powers include information-gathering directions, action directions and an intervention request, where the Minister for Home Affairs can access, alter, remove or disconnect parts of the asset in various ways.

These powers can be invoked where serious cyber security incidents occur in relation to critical infrastructure sector assets. The Act represents a new high-water mark in the way governments are willing to impose obligations on private businesses to protect national interests. With no slowdown in the threat of cyber attacks on the horizon, these obligations are only likely to continue to increase for organisations and the people who lead them.

Cyber obligations are set to increase for company leaders

The government outlined in Australia’s Cyber Security Strategy 2020 that it will work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. As part of this, the government aims to clarify the duties for company directors and other business entities.

Considering the current risk environment, and the Federal Government making cyber security a priority, it is highly likely that the obligations and responsibilities for directors when it comes to cyber security will increase in the future.

Already directors around the world are paying a personal price for cyber security breaches.

In the US, Target’s CEO stepped down shortly after it was disclosed that the company had suffered a significant data breach, as did Sony Pictures Entertainment’s co-chair, and the Director of the US Office of Personnel Management, when similar incidents occurred.

In Australia, the obligations for directors vary depending on the industry. According to section 180 of the Corporations Act 2001 (Cth), directors need to guard against key business risks.

Cyber incidents fall into this category, so directors are already exposed to damages claims and regulatory investigations if they don’t ensure their companies have sufficient systems and processes in place to protect against cyber security threats.

For companies with an Australian Financial Services Licence (AFSL), the onus on directors is even greater. AFS licensees must have systems and controls in place to manage business risks. The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) have both made it clear that cyber risks are a key systems and control issue.

IT costs and skill shortages are making cyber security difficult

As the threat of cyber crime continues to escalate, businesses are in a challenging position. Firstly, cyber security is expensive. According to new research from IBRS and Insight Economics, large organisations already dedicate an average of 7.5% of their ICT budget to protecting against cyber threats.

But the skills challenge is even greater than the increasing call on budgets.

Many companies do not have the time or the skillset to effectively protect against cyber threats. This is especially difficult for smaller government agencies and companies, which are just as susceptible to cyber attacks but lack the large IT budgets and resources.

Australia is facing a skills shortage for cyber security professionals. Data from AustCyber illustrates that Australia needs an additional 7,000 skilled cyber security specialists over the next two years.

How SaaS can relieve regulatory pressure from companies

This might seem like a hopeless situation. However, one technology has emerged that addresses the key issues facing Australian organisations – Software as a Service (SaaS), a cloud-based technology.

SaaS delivers applications over the internet on a consumption basis. The SaaS provider takes on the responsibility of ensuring its platform is the most up-to-date, secure and efficient. By its nature, SaaS is scalable, and a security patch applied to the system is immediately delivered to all customers.

By moving to SaaS, organisations effectively transition from a model where they own and therefore must maintain the compliance and currency of their software, including against new cyber security vulnerabilities, to one where they are paying an expert to attest to those tasks being delivered as a service.

This is supported by research from IBRS and Insight Economics, which explores the economic impacts of SaaS. According to several case studies, governments and businesses that have migrated to SaaS found both an improvement in their cyber security and a reduction in costs.

In fact, the report found that if all major Australian industries transitioned from their on-premise software to SaaS, Australia could stand to gain $252 billion in savings over the next 10 years.

Looking at the cyber security landscape in Australia, directors need to ask themselves whether their systems are adequately prepared for a cyber security incident, and consider the multiple benefits that outsourcing the risk to a SaaS platform could bring.

For more information on the economic benefits of SaaS, download the research from IBRS and Insight Economics, commissioned by TechnologyOne.

Publish date

24 Jan 2022
