SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Data breach
#
Parliament
#
ASX

Cyber Security Act passed into law

Today
By Dan Pearce, General Counsel, Holding Redlich

The Cyber Security Act and related bills have been passed by the Parliament, following review by the Parliamentary Joint Committee on Intelligence and Security. That Committee recommended a number of relatively minor changes, and with effect from six months after royal assent, once formal approval is granted by the Governor General, most businesses will be required to report ransomware payments.

The information that now must be provided to the Australian Signals Directorate (ASD), or that may be voluntarily provided to the National Cyber Security Coordinator under a parallel voluntary scheme, can only be utilised for certain purposes. However, any such notification does not mean that the organisation is completely free of legal obligations. Any decision to pay a ransom should also consider the broader legal requirements.

For instance, a director's general duty to act in the best interests of their company means the director must consider whether making the payment (and obtaining an initial release from the incident) will necessarily provide any certainty that information obtained during the incident stays out of nefarious hands, and whether it might make the company a target for future attacks. Depending on the circumstances, a ransom payment may put the organisation at risk of being penalised under counter-terrorism and anti-money laundering laws.

The reporting regime under the new Act also does not replace the ongoing reporting obligations under the Privacy Act (where personal data is involved, and there is an eligible data breach), the Security of Critical Infrastructure regime, and ASX and APRA requirements for entities that are subject to those regulators. Accordingly, each organisation should consider the broader framework of regulation that applies to it as it prepares itself for this latest legislative change.

Initiatives expected to have the most immediate impact on organisations

Mandatory 72-hour reporting obligation for ransom payments
Organisations other than small businesses must report any payments made in response to a cyber ransom event to the ASD within 72 hours.
The obligation also recognises that there will be circumstances where making a payment could be justified and seeks to preserve the legal rights of the disclosing entity, for instance, by excluding waiver of privilege. While the government has not pursued a complete ban on payments, they strongly advise against payments to make Australia a less attractive target for ransomware attacks.

Security standards for smart devices

New security requirements will apply to smart devices that form part of the Internet of Things (IoT). Manufacturers and suppliers of internet-connected products, such as televisions, speakers, watches and doorbells, will now need to meet the security standards for those devices. These may be in the form of secure default settings, unique device passwords, regular security updates and encryption of sensitive data. The details of the relevant standards and how they will interact with other existing product regulations are yet to be finalised.

Regulated use of information submitted to National Cyber Security Coordinator
There will be rules in place to govern how organisations use information submitted to the National Cyber Security Coordinator to ensure such information is used appropriately. However, this does not extend to the full 'safe harbour', a legal provision that affords protection from prosecution to individuals or organisations from liability or penalties, despite it being called for in many submissions made during the government's consultation process.
Instead of granting an organisation total immunity for the information it provides to the authorities after a cyber incident, the proposed rules will reassure them that the information can only be used and shared for prescribed purposes, such as assisting with incident response. Similar restrictions will apply to the ASD when it receives such information under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024. 

New Cyber Incident Review Board
A new Cyber Incident Review Board will be established to review how cyber incidents are dealt with, including by compelling entities to produce information. Its role will be to review and assess major cyber incidents that impact Australia's defence or cause public severe concern. It will have the authority to request information from affected entities, allowing it to examine how incidents were handled and provide findings that help prevent future occurrences. While the Board may share its findings with government and industry, any public reporting will not assign fault or prejudice legal rights. Through these reviews, the Board aims to improve understanding and prevent similar incidents in the future.

SOCI Act extends to data systems associated with a critical infrastructure asset
Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) extend the legislation to cover data systems associated with a critical infrastructure asset. The digital networks supporting essential services, such as utilities, healthcare, and finance, are increasingly vulnerable targets in cyber warfare. By expanding the Act's reach, the government will have greater regulatory authority over data systems associated with critical infrastructure warfare that, if compromised, could disrupt national security or public safety. Additionally, these changes grant regulators a new power to address significant weaknesses in an entity's risk management program when national security is at risk. For organisations, this means new obligations to protect these systems and respond to regulatory requirements.

Implications for organisations and how to prepare
These new cyber security laws introduce new requirements for organisations, especially those managing data systems related to critical infrastructure. To prepare, organisations will need to review and strengthen their cyber security measures to ensure they meet these requirements, such as the new 72-hour deadline for reporting ransomware payments to the ASD. This may involve assessing internal security measures, reviewing incident response plans, and preparing for increased regulatory requirements. By staying informed of these changes, organisations can better position themselves to comply with the legislation and manage potential cyber threats.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
PMT Security unveils new division for data centre solutions
Nozomi uncovers critical flaws in Advantech networks gear
Ransomware payments rise to AUD $1.35m for Australian firms
Australian firms embrace AI to bolster cybersecurity efforts
Obsidian Security completes IRAP assessment for SaaS
Top stories
AI in enterprise shifts focus to practical applications
Balancing AI advances with cybersecurity risks & caution
AI's dual role in future cybersecurity: threat & ally
Exclusive: How Aus3C is strengthening data security through new framework initiative
Five Eyes endorse Semperis’ Purple Knight for cyber defence