Defining “Reasonable”: Lessons from the Frontline of 921A Compliance

Source: NSB Cyber


Acting as expert witnesses in cyber matters has given us a unique perspective on what ‘reasonable steps’ in cyber security really look like. We have supported organisations on both sides, regulatory and company, across notifiable data breaches, s921A compliance issues, and Australian Privacy Principles compliance issues.

Being in that position gives us a front-row seat on how the regulators approach “reasonableness,” and, more importantly, on what can happen when organisations cannot demonstrate that their cyber security approach was reasonable at a specific point in time, such as immediately prior to an incident.

The Challenge of Undefined Reasonableness

In our view, the biggest challenge organisations currently face with the specifics of s921A compliance is that the regulator has not (yet) clearly defined what “reasonable steps” look like. This uncertainty leaves many AFSL entities in a difficult position.

Across the sector, and especially among smaller entities, cyber practices are often still developing, and limited budgets make it harder to prioritise building maturity. As a result, the first time many organisations think seriously about ‘reasonable’ cyber practices is after a data breach (either their own, or that of another operator in the market). By then, it is often too late.

What ‘Reasonable’ Looks Like in Practice

Having worked on both sides, we have developed a clearer understanding of which controls tend to be expected, which are raised as inadequate, and which are considered unreasonable when tested under scrutiny.

As an example, multi-factor authentication, documented risk assessments, and evidence of governance processes consistently come up as the kinds of measures organisations are expected to have in place.

A Practical Approach to Compliance

We advise organisations to start with a baseline set of controls that are widely regarded as foundational, or ‘the minimum’. Then build on them according to your organisation’s size, complexity, risk profile and risk appetite. This ensures the essentials are covered while tailoring the program to your organisational context.

How We Help Clients Define Reasonable

When we approach this from a consulting perspective, we fold our first-hand expert witness experience into the support we give clients.

We see our role as helping an organisation consider and define what “reasonable” looks like for it, from a position of subject matter expertise, and then getting hands-on to establish the right controls, governance, and evidence so that the chosen approach can be communicated or demonstrated with confidence.

Leadership is Key

Leadership plays a critical role here. Boards and Executives set the direction of the organisation, and their involvement in defining “reasonable” is often what ensures cyber obligations are treated with the same weight as financial or operational ones.

When leaders are visible in these discussions, it brings organisational context that technical teams may not always see - growth plans, regulatory exposure, future business strategy - all of which shape what is reasonable for the entity.

The Importance of Evidence

Equally important is how these decisions are documented. Relating this back to our expert witness work, we have seen organisations struggle to respond to regulators, not only because they failed to act, but because they failed to record why certain risks were accepted at a given point in time, or why particular controls were implemented as a priority over others.

Documenting decisions creates a defensible position: you can demonstrate that choices were made consciously, proportionately, and in good faith. That evidence often makes all the difference when facing regulatory scrutiny.

The Outcome of a Reasoned Approach

The outcome of this approach is twofold:

  • the identification and reduction of unacceptable risk exposure before an incident or data breach occurs, and

  • ongoing comfort that compliance obligations under s921A are being met in a way that makes sense for the business, and that can be explained or defended if that is ever required.

It’s a proactive, practical approach that shifts the conversation from box-ticking to true resilience. 

Our Advice

We’ve seen first-hand what happens when “reasonable” is left undefined until after an incident. Our advice? Don’t wait for a regulator to decide it for you.

Take advantage of the insights we’ve gained working on both sides of the table and use them to set yourself up with confidence. 

Build lasting cyber resilience. Book your meeting with NSB Cyber today.
