NAB wants the government to impose minimum cyber security standards on cloud providers, due to the power imbalance in trying to negotiate clauses into cloud service agreements.
In a submission [pdf] to the government’s 2023-2030 Australian Cyber Security Strategy discussion paper, the ‘big four’ bank suggested that mandatory minimum standards apply to all SaaS, cloud storage and IT service providers “doing business in Australia and storing or processing personal information.”
The bank said that Australian businesses are “heavily (and increasingly) reliant” on the security postures and investments of outsourced third-party providers.
“These businesses typically contract on standard form contracts with IT providers on a ‘take it or leave it’ basis,” NAB said.
“These standard-form contracts are generally designed to minimise the IT provider’s responsibility and liability for cyber security, which reduces incentive to invest in and prioritise robust cyber security.
“To address this, we recommend that IT providers are subject to additional specific regulations in relation to cyber security which do not rely on bilateral negotiations between IT providers and their customers.”
Other industries – such as telecommunications – have regulations along similar lines to address power imbalances between wholesalers supplying capacity and services, and retailers that on-sell it.
NAB’s suggestion to accomplish this is to use Australian Privacy Principle 11 – to take “such steps as are reasonable in the circumstances to protect the information” – but to then go on and specify “the most important steps” providers have to take to meet that principle.
NAB suggests those steps could align with the Australian Signals Directorate’s ‘Essential Eight’ controls, and be “ratcheted up” over time “as the threat landscape evolves”.
The bank said the obligation for a provider to comply with a modified APP11 principle, as suggested, “should be implied by statute into all contracts between IT providers and their customers.”
“An IT provider’s failure to comply with APP11 (so amended) may then result in contractual liability to the IT provider’s customer and to data subjects under the Privacy Act,” NAB said.
“This would cumulatively increase incentives for IT providers to improve cyber security practices, and particularly to ensure that at least the specific steps enumerated in the new regulation are taken.”
While NAB said that small-to-medium businesses would particularly benefit from such a scheme, it noted that even larger players – presumably such as itself – could also be beneficiaries.
“Even larger enterprises experience difficulties with IT suppliers in relation to these issues,” it said.
Elsewhere in its submission, NAB called for a mandated “Cleaner Pipes” program – set up by Telstra to crack down on scam texts – across the whole telecommunications sector.