Business needs single cyber incident report portal: Productivity Commission

The Productivity Commission has urged the government to give business a single cyber incident reporting portal to simplify the burden of a growing number of mandatory reporting obligations.

In its Advancing Prosperity report [pdf], the commission said meeting requirements under the Security of Critical Infrastructure Act, (SoCI) the Privacy Act, Australian Prudential Regulatory Authority, and mandatory ransomware reporting under the proposed Ransomware Action Plan, would be easier with a single portal.

“One option to simplify cyber security incident reporting would be to have a single interface or portal for Australian businesses to lodge all cyber incident-related reports required under various regulations”, the report said.

It noted that such a portal would be able to route reports to the appropriate government agency (the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, for example).

That would also offer automation opportunities for affected companies.

“This could provide the platform for the government to work with cyber security software providers to build incident reporting functions into commonly used software, so that reports are automatically sent to relevant agencies if an incident occurs,” the commission said.

SoCI should have a review process

The commission also said some security regulations were rushed through.

"Stakeholders have observed that the Security Legislation Amendment (Critical Infrastructure) Act 2021  — which included broadening the definition of critical infrastructure, increased reporting obligations and new government intervention powers — was rushed following the recommendation of the Parliamentary Joint Committee on Intelligence and Security, which did not allow for suitable consultation," the commission said.

It also said critical infrastructure security regulation lacks review processes.

“The government should monitor and evaluate the effectiveness and economic impact of implemented policies to improve its understanding of the trade off between security and growth, and recalibrate the regulations as required," it said.

"An evaluation mechanism could also improve government’s ability to incorporate industry feedback into its regulations.”

The commission also called for better public information campaigns, saying that while generalised “how to protect your business” advice is valuable.

“Improving the relevance and accessibility of general cyber security advice would require providing guidance based on businesses’ specific operations and risk factors," it wrote.