As a leading professional services firm, KPMG Australia (KPMG) is committed to meeting the requirements of all our stakeholders – not only the organisations we audit and advise, but also employees, governments, regulators – and the wider community.
We strive to contribute in a positive way to the debate that is shaping the Australian economy, and we welcome the opportunity to provide a submission to the 2023-2030 Australian Cyber Security Strategy Discussion Paper (the discussion paper), building on our September 2021 submission in response to the Strengthening Australia’s cyber security regulations and incentives discussion paper.
The Australian cyber landscape has been particularly dynamic since our last submission and the release of the former government’s Cyber Security Strategy in 2020. But still, many of the priority topics – from skills and sovereign industry, through to the legislative environment and critical infrastructure protection – remain constant. KPMG welcomes the Government’s ambition and sees it as a national imperative to work towards Australia being the most cyber secure nation in the world by 2030.
This Strategy will need to catalyse activity across the nation towards this objective, strengthening Australia’s collective ability to prevent, deter, detect, respond to and recover from cyber incidents, as well as enabling greater commercial and market opportunities for our sovereign cyber industry. But to be successful, the policies and initiatives included in the upcoming Strategy need to be implemented at speed, scale and with purpose – anything less will see us move towards 2030 without substantive progress.
KPMG’s submission calls out opportunities to address challenges, such as developing measurable cyber security goals and the establishment of a range of metrics that could be utilised by government to measure the success of a cyber security uplift in response. There are several regulatory and policy frameworks that institute both overlapping and incomplete security-related obligations and standards for cyber risk management. A fragmented and complex regulatory approach does not support and drive organisations to effectively address cyber risks.
KPMG’s submission builds on our recent response to the Review of the Privacy Act, which recommends that policymakers closely consider outcomes of both reviews given their overlapping remits. This submission examines mandatory reporting of cyber incidents, cyber risk through a geopolitical lens and measures to boost Australia’s cyber security workforce, the latter often a key inhibitor to investing in cyber security.
We stand ready to help our clients, governments and the community be prepared for the unique cyber security challenges identified in the discussion paper and look forward to working with the Government in strengthening Australia’s cyber security capability.