
What is the PGPA Act and the PGPA rule?

Stay compliant with the PGPA Act and PGPA Rule: Ensure governance, accountability, and cybersecurity alignment for robust risk management and transparency.

Author: Vincent

Created: December 17, 2024

Updated: December 17, 2024



1 Introduction

The Public Governance, Performance and Accountability (PGPA) Act 2013 serves as a critical legislative framework for governance, performance, and accountability within Australian government and Commonwealth organizations.

While the PGPA Act’s primary focus revolves around transparent and efficient resource management, its principles significantly influence how these entities approach cybersecurity. In particular, its focus on risk oversight, internal controls, and accountability integrates seamlessly with modern cyber risk management strategies.

This blog post will focus on two questions:

  • What are the main compliance implications of the PGPA Act?

  • What are the most important security implications of the PGPA rule?

2 What is the PGPA Act 2013?

The PGPA Act 2013, established by the Australian Department of Finance, defines clear standards for the governance, performance, and accountability of Commonwealth entities and companies. Although originally enacted to ensure the sound management of financial resources, the Act’s underlying principles promote robust governance and performance frameworks that extend into other critical areas, including cybersecurity.

2.1 Key Areas of the PGPA Act 2013

  1. Governance: Enforces stringent governance practices to uphold integrity and responsible stewardship across government and Commonwealth entities.

  2. Performance Management: Introduces a performance framework to measure the efficiency and effectiveness of these entities.

  3. Accountability: Demands transparent reporting and disclosure, ensuring decision-makers remain answerable for their actions.

  4. Resource Management: Mandates prudent use of public resources to guarantee that funds and assets—digital and otherwise—are employed for their intended purposes.

  5. Reporting Requirements: Requires annual reports detailing overall performance, financial health, and compliance efforts, including risk management outcomes.

2.2 Cybersecurity Implications Under the PGPA Act

Though the PGPA Act does not explicitly target cybersecurity, its focus on risk management and internal controls inevitably encompasses digital security threats:

  • Section 16 of the Act obliges accountable authorities to implement appropriate systems of risk oversight and management. In a modern operational context, this naturally extends to assessing, mitigating, and monitoring cyber risks.

  • Section 17 calls for the maintenance of internal control systems, which also play a pivotal role in safeguarding information systems against unauthorized access, data breaches, and other cyber threats.

2.3 Who Must Comply with the PGPA Act?

Compliance with the PGPA Act is mandatory for specific Commonwealth entities, reflecting the government’s commitment to consistent standards of governance and accountability across these organizations. It applies to all Commonwealth entities, including:

  • Non-corporate Commonwealth entities (NCEs)

  • Corporate Commonwealth entities (CCEs)

  • Wholly-owned Commonwealth companies (CCs)

  • Government business enterprises (GBEs)

Penalties for non-compliance can include:

  • Administrative sanctions, such as increased reporting obligations or reduced funding

  • Legal penalties, including fines or remedial orders

  • Reputational damage, undermining trust and potentially impacting stakeholder confidence


3 What is the PGPA Rule 2014?

The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) complements the Act by translating its broad principles into actionable guidelines. While not explicitly cybersecurity-focused, these detailed provisions offer valuable direction for strengthening governance, performance, and accountability measures that directly affect cyber defense strategies.

3.1 Key Provisions of the PGPA Rule (From a Cybersecurity Perspective)

  1. Risk Management: Requires entities to identify, assess, and manage risks—cyber threats included. Integrating cybersecurity into the enterprise-wide risk management framework ensures ongoing monitoring and mitigation of emerging digital risks.

  2. Information Management: Stresses the importance of safeguarding sensitive information. Entities must employ robust controls to protect against unauthorized access, data loss, or tampering.

  3. Performance & Accountability Reporting: Mandates annual reporting that can encompass cybersecurity performance, including how well entities manage cyber threats and maintain system resilience.

  4. Auditing: Requires both internal and external audits of financial and performance statements. Cybersecurity measures and compliance can also be audited, providing assurance that policies are effective and properly implemented.

3.2 Aligning the PGPA Act with Other Australian Cyber Regulations

The PGPA Act complements existing Australian cyber regulations by establishing a governance environment that supports robust cybersecurity practices. For example, it enhances the implementation of:

  • Security of Critical Infrastructure (SOCI) Act 2018: Focuses on safeguarding critical systems and infrastructure.

  • Australian Government Information Security Manual (ISM): Offers guidelines for securing government information and systems.

  • Protective Security Policy Framework (PSPF): Provides a scalable policy framework to safeguard people, information, and physical assets.

By promoting a culture of accountability and continuous risk management, the PGPA Act encourages the integration of cybersecurity best practices. The result is a more resilient cybersecurity infrastructure, as organizations must not only comply with explicit cyber regulations but also embed these measures into their core governance and performance frameworks.


4 Conclusion

While primarily centered on governance, performance, and accountability, the PGPA Act 2013 and the supporting PGPA Rule 2014 significantly influence cybersecurity strategies across Commonwealth entities. By emphasizing risk management, transparent reporting, and sound governance, the PGPA framework drives a more proactive and integrated approach to securing digital assets.

Organizations that align their cybersecurity programs with the PGPA Act not only meet compliance obligations but also build a strong defense against evolving cyber threats—ultimately ensuring the integrity, reliability, and trustworthiness of their operations.
