The Public Governance, Performance and Accountability Act 2013 is a key piece of legislation that establishes a framework of governance, performance, and accountability for Australian government and Commonwealth organizations. The PGPA Act’s main goal is to ensure that all government bodies practice effective management of public resources and are transparent in their activities.

Although the PGPA Act itself is not directed toward effective cybersecurity practices, many of its key areas, such as risk management and resource management, are highly relevant to cybersecurity.

This article focuses on the cybersecurity implications of the PGPA Act, how it affects businesses and public sector entities, and how government and Commonwealth entities can meet their compliance standards.


What is the PGPA Act 2013?

The PGPA Act is Australian legislation, administered by the Australian Department of Finance since 2013, that establishes the framework for governance, performance, and accountability of Commonwealth entities and companies.

Although the core objective is to ensure financial resources are properly managed, the broader scope is to ensure the Commonwealth public sector adheres to best practices of governance, performance, and accountability to promote trust in the Australian government.

What are the key points of the PGPA Act?

The main areas that the PGPA Act covers are:

  1. Governance: Establishing strict governance standards for all government and Commonwealth entities or companies
  2. Performance Management: Establishing a comprehensive performance management framework to assess the effectiveness and efficiency of these entities
  3. Accountability: Building transparency and accountability through rigorous reporting requirements
  4. Resource Management: Enforcing the proper use and management of public resources, such as property or money, to ensure they are used efficiently and for the intended purposes
  5. Reporting: Requiring entities to prepare annual reports, providing a comprehensive account of their performance and financial situation

How does the PGPA Act affect cybersecurity?

While the PGPA Act is broad in scope, its principles indirectly impact cybersecurity by implementing risk management and accountability practices, which include safeguarding digital assets and information systems.

For example, Section 16 of the PGPA Act requires “accountable authorities of entities to establish and maintain appropriate systems of risk oversight, management, and internal control.” These systems of risk oversight would include managing financial, operational, and compliance risks, which naturally include cybersecurity risks as part of an entity's broader risk management framework.

Section 17 also mentions internal controls, which are closely related to risk management, as it outlines the duties of accountable authorities to establish and maintain internal control systems. These systems include measures that address both financial and non-financial risks, which are part of an overall comprehensive cyber risk management strategy.

Who must comply with the PGPA Act?

The PGPA Act applies to all Commonwealth companies and entities, including parliamentary departments, departments of state, listed entities, and other government-owned corporations. The types of government bodies are defined as follows:

  • Non-corporate Commonwealth entities (NCEs)
  • Corporate Commonwealth entities (CCEs)
  • Wholly-owned Commonwealth companies (CCs)
  • Government business enterprises (GBEs)

What are the penalties for non-compliance with the PGPA Act?

Non-compliance with the PGPA Act can result in a variety of penalties, including:

  • Administrative sanctions, including additional reporting requirements or the withholding of government funding
  • Legal action, which can lead to monetary fines or other legal penalties

In most cases, non-compliance also results in reputational damage, which can negatively affect organizations that violate their PGPA Act obligations.

PGPA Rule 2014

The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) is a legislative instrument that supports and amends the PGPA Act, providing the additional detailed procedures and specifics required for compliance. It translates the broad principles of the PGPA Act into actionable guidelines, enabling entities to implement the PGPA Act’s mandates effectively.

Like the PGPA Act 2013, the PGPA Rule is not directly focused on cybersecurity. However, its procedures can be referenced when entities are establishing cybersecurity standards with respect to governance, performance, and accountability.

Key Provisions of the PGPA Rule 2014

The PGPA Rule covers a wide range of governance, performance, and financial management aspects. From a cybersecurity perspective, several provisions of the Rule are particularly significant:

  1. Risk Management: The Rule mandates the establishment of appropriate risk oversight and management systems. This includes identifying, assessing, and treating risks, which is critical for cybersecurity risk management. Entities should integrate cybersecurity risks into their overall risk management frameworks, ensuring they are identified, assessed, mitigated, and continuously monitored.
  2. Information Management: The Rule emphasizes the importance of managing government information as a key strategic resource, which includes setting requirements for safeguarding sensitive information. Entities must implement controls to protect information from unauthorized access, disclosure, modification, loss, or deletion.
  3. Performance and Accountability Reporting: The Rule requires entities to prepare and publish annual reports detailing their overall performance. These reports can include progress on managing cyber risks and the effectiveness of cybersecurity measures. Annual performance statements are meant to hold entities accountable for their overall performance (and, by extension, their internal cybersecurity management) and also to promote a culture of continuous improvement.
  4. Auditing: The Rule outlines requirements for internal and external audits, including auditing financial statements and performance reports. Commonwealth entities are responsible for designating an audit committee. Cybersecurity practices can also be subject to audits to ensure compliance with policies, standards, and legislation. These audits provide assurance that cybersecurity measures are effective and that entities are managing cybersecurity risks appropriately.

How does the PGPA Act relate to other Australian cyber regulations?

The PGPA Act relates to other cyber regulations in Australia through its risk management and accountability principles. It complements specific cybersecurity regulations, such as the SOCI Act 2018, the Australian Government Information Security Manual (ISM), and the Protective Security Policy Framework (PSPF), by promoting a culture of security within entities' governance frameworks.

The PGPA Act’s emphasis on governance and accountability enhances the effectiveness of cybersecurity measures outlined in the ISM and PSPF by ensuring they are integrated into the broader governance, risk, and compliance (GRC) practices of entities.

Additionally, by requiring a systematic approach to risk management, the PGPA Act indirectly promotes the adoption of cybersecurity best practices, as entities are strongly encouraged to identify, assess, and mitigate cyber risks. The PGPA Act's reporting requirements also ensure that entities monitor their effectiveness and report on their overall risk management performance, thereby building transparency and accountability into cybersecurity practices.

Lastly, the PGPA Act and the SOCI Act 2018 can also be seen as complementary to each other, with the PGPA Act establishing the governance framework in which Commonwealth entities operate and the SOCI Act addressing specific national security concerns related to critical infrastructure, including cybersecurity.
