Telco boards must adhere to cyber risk management programs or risk penalties

Major telecommunications companies, including Optus and Telstra, will now be required to annually approve a new or updated cyber risk management program or face significant penalties. 

These changes are a result of new laws introduced by Home Affairs Minister Clare O'Neil, which now classify telecommunications as "critical infrastructure." 

Previously, similar rules applied to hospitals, utilities, ports, and energy generation assets.

In 2018, O'Neil criticised the Coalition for not including telcos in these critical infrastructure laws, accusing her predecessor of making a deal with the companies. 

The Coalition believed that existing legislation adequately covered telcos, but O'Neil referred to it as "bloody useless" following the Optus breach in October 2022. 

During this breach, an anonymous hacker gained access to sensitive personal information of 9.8 million Australians, including names, birthdates, phone numbers, addresses, passport details, healthcare records, and driver's license details.

These latest changes aim to strengthen critical systems against cyber attacks and provide the government with intervention powers and directions during incidents.

- CyberBeat