Regulators should be legislatively prohibited from pursuing regulatory or enforcement action against superannuation funds based on information those funds provide to the National Cyber Security Coordinator (NCSC) around cyber breaches.
The Association of Superannuation Funds of Australia (ASFA) has told a Parliamentary Committee that such a prohibition is needed to ensure that regulators do not seek to pursue such action on their own initiative.
In a submission filed with the Parliamentary Joint Committee on Intelligence and Security, ASFA said “there should be an express legislative provision that states that no regulatory or enforcement action can be taken where information on a relevant incident has been provided to the NCSC”.
“As the legislation is currently drafted, the information provided to the NCSC cannot be used for that purpose,” ASFA said. “However, regulators could independently acquire the same information and then take action.”
“It must be clear in the legislation and explanatory materials that where a disclosure has been made under this Part, no regulatory or enforcement action can be taken, regardless of where or how the information is acquired,” it said.
Elsewhere in its response, ASFA expressed concern at the increased powers which would be conferred via the legislative changes, pointing out that the amendments change the current law so that directions can require a specified entity to disclose information covered by the Privacy Act.
In doing so, ASFA said it was cautioning against extending what were already very broad powers.
“ASFA specifically recommends that:
- Ministerial authorisation of the Secretary giving the directions outlined above should expire after a set timeframe, to ensure that such directions are targeted, limited and subject to appropriate and regular oversight.
- Ministerial authorisations and directions by the Secretary should be subject to the parliamentary scrutiny and disallowance provisions in the Legislation Act 2003 (Cth).
- Consideration should be given as to if these powers should be narrowed, constrained by a more detailed list of legislated necessary preconditions prior to their use.”