Company Directors May Be Held Responsible For Cyberattacks
Australia’s Federal Government is considering whether company directors should be made personally liable for cyberattacks on their organisations, with cybercrime costing the country around $A3.5 billion a year.
The extra responsibilities would be in addition to proposed laws that would impose a range of obligations on operators of critical infrastructure to respond to cyberattacks and allow the Australian government’s cybersecurity agencies to intervene in companies’ networks.
“The government is taking action to mitigate the real and present danger that cybercrime presents to Australians and our economy,” Home Affairs Minister Karen Andrews said recently. “I want to make sure Australian businesses – big and small – are secure and consumers are protected – we cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security.”
Cybercrime responsibilities for directors of Australian companies, similar to those for workplace health and safety, are part of a government discussion paper on cyber-security reforms to be considered.
The cyber-security standards to be co-designed with industry will cover corporate governance, the handling of personal information and even smart devices. It has not yet been decided whether the new standards, which emerged from the 2020 Cyber Security Strategy, will be mandatory.
Relevant to the security industry, the federal government also wants more transparency around internet-connected devices, including security labelling and better disclosure of vulnerabilities, as well as legal pathways for victims of cyberattacks.
According to the AIC, cybercrime costs Australia $A3.5 billion a year, including $1.9 billion lost by individual victims. Based on a survey of 11,840 people, the AIC found Australians spent $597 million dealing with the consequences of cyberattacks and $1.4 billion on prevention.