### NAB Advocates for Government-Enforced Cyber Security Standards for Cloud Services
NAB is urging the government to establish mandatory cyber security standards for cloud service providers, arguing that the power imbalance between providers and their customers makes it difficult for businesses to secure favorable security terms in cloud service agreements. The bank makes the case in its submission to the government's discussion paper on the 2023-2030 Australian Cyber Security Strategy, and proposes that the standards apply to all Software as a Service (SaaS), cloud storage, and IT service providers operating in Australia, especially those handling personal information.
NAB highlights the growing dependence of Australian businesses on the security measures and investments of third-party providers, who typically offer services on a "take it or leave it" basis through standard form contracts. Those contracts tend to limit the provider's responsibility and liability for cyber security, which in turn weakens the provider's incentive to prioritize and invest in robust security measures. NAB therefore suggests specific regulation that imposes cyber security obligations on IT providers without relying on individual negotiation between provider and customer, drawing a parallel with the telecommunications industry, where regulation already manages the power imbalance between service wholesalers and retailers.
NAB recommends building on Australian Privacy Principle 11 (APP 11), which requires entities to take reasonable steps to protect personal information, by specifying the key actions a provider must take to meet that obligation. The bank says those actions should align with the Australian Signals Directorate's 'Essential Eight' controls and should evolve over time to address changing threats. Incorporating a modified version of APP 11 into every contract between IT providers and their customers by statute would, in NAB's view, make providers accountable for non-compliance through contractual liability under the Privacy Act, and so motivate real improvements in cyber security practice.
NAB notes that while small-to-medium businesses would benefit most from such regulation, larger organizations, which also struggle to get IT suppliers to engage on cyber security issues, would find it advantageous too. The bank also proposes extending Telstra's "Cleaner Pipes" program, introduced to combat scam texts, across the entire telecommunications sector.