Announcement date: 22/11/2023
Link to announcement: News (homeaffairs.gov.au)
As part of the 2023-2030 Australian Cyber Security Strategy, the Government announced that it would co-design options to legislate a mandatory cyber security standard for Internet of Things (IoT) devices and develop a voluntary labelling scheme for consumer-grade smart devices.
Problem being addressed
At present, smart device manufacturers are not required to comply with security standards. This increases the risk that devices ship with exploitable vulnerabilities, exposing consumers to cyber risks. Australian households and businesses are bearing financial costs and negative societal impacts as a result of persistent and preventable cyber security incidents; estimates of these costs are as high as $29 billion per year. Consumers are often unable to tell the difference between a secure and an insecure device because clear and accessible information is lacking. This limits the commercial incentive for manufacturers to prioritise security, so consumers unknowingly take on cyber security risk.
Proposal
Home Affairs considered a combination of a mandatory product standard and a voluntary labelling scheme for smart devices to be the best option. A voluntary cyber security labelling scheme will give consumers additional guidance to inform their smart device purchasing decisions. This will help to mitigate the information asymmetries that currently exist in the smart device market, as cyber security information will become more easily accessible and understandable for consumers. The mandatory product standard will ensure that smart devices are built with a minimum level of security.
Assessed Impact Analysis outcome: Adequate
Assessment comments
To have been assessed as ‘good practice’ under the Guide, the IA would have benefited from:
• A clearer outline and discussion on how each option achieves the policy objective.
• Additional detail on the assumptions that underpin the regulatory costs, specifically for the costs to retailers.
• Further evidence and analysis of the consequences of maintaining the status quo.
Regulatory burden
The average annual regulatory cost of establishing mandatory standards for consumer smart devices is estimated at $49.5 million to manufacturers and retailers across the sector over 10 years.