The NSW government has rejected calls to move Cyber Security NSW into the Department of Premier and Cabinet, arguing that doing so would have no impact on its “level of independence”.
A parliamentary inquiry into the government’s cyber security and digital information management in March found the oversight role of the whole-of-government office could be “enhanced”.
It followed last year’s high-profile email compromise attack against Service NSW, in which the personal information of 103,000 customers was stolen, and a series of poor audit findings.
The inquiry endorsed shifting the office from the Department of Customer Service (DCS) to the Department of Premier and Cabinet (DPC) to “provide it with more independence from service delivery agencies and increased visibility and authority”.
But responding to the review on Monday, the government rejected the recommendation, saying DCS was a natural home for the office and that moving it would not make it any more independent.
“The DCS is a central agency responsible for whole-of-government strategy, standards and agency accountability in relation to uplifting public sector cyber security,” it said [pdf].
“Locating Cyber Security NSW within DCS’ Digital.NSW division reflects the integrated role of cyber security in all elements of digital transformation and implementation across government.
“All clusters have identical obligations under the cyber security policy. A change of cluster would not change the level of independence of Cyber Security NSW.”
The government did, however, accept another recommendation that called for a review of the Cyber Security Office in order to provide it with a clearer mandate.
The review, which it said had been completed in 2020, led to the creation of a new governance, risk and compliance function in the policy, awareness and research directorate in Cyber Security NSW.
The function is tasked with overseeing agencies’ cyber security progress and ensuring compliance with the reporting obligations under the NSW cyber security policy, the government said.
The government also supported a review of the cyber security policy, although, like the review of Cyber Security NSW, this has already been completed for the 2021 financial year.
It said the review provided “clarity of several expectations” in an October 2020 directive, which also mandated cyber security training for all government employees – another recommendation.
A number of other recommendations were supported in principle, including the “need to establish an identity resilience service” for citizens; a “limited-scope pilot is underway”.
Equally, the government gave in principle support for a mandatory data breach notification scheme, which is proposed through the Privacy and Personal Information Protection Amendment Bill.
An exposure draft of the bill, which will require all departments and agencies, state-owned corporations, local councils and some universities in NSW to report breaches, was published in May.
A review of the responsibilities and resourcing of the Privacy Commissioner was also supported in principle, but the government said this would be considered as part of broad-based future reforms.