By: Kieran Doyle, Nicole Gabryk and Rakhee Dullabh
At a glance
- The new Act strengthens safeguards for individuals, businesses, and critical infrastructure, enhancing Australia’s resilience to cyber threats.
- Businesses must report significant cyber incidents, including ransomware demands and payments, ensuring improved visibility and coordinated responses.
- The Act updates standards for IoT devices, expands critical infrastructure definitions, and introduces a new Cyber Incident Review Board to prepare Australia for emerging challenges in a rapidly evolving threat landscape.
This week the Cyber Security Act 2024 (Cth) was passed into law. This Act will grant additional protections to people and businesses and improve Government’s visibility of the current cyber threat environment. At the same time, amendments to the Intelligence Services Act 2001 (Cth) and Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) have also been passed which seek to give effect to the legislative reforms under Shield 4 of the 2023-2030 Australian Cyber Security Strategy.
Measures introduced
- The development of security standards for smart or IoT devices, i.e. products that can directly or indirectly connect to the internet. A manufacturer of these products is expected to comply with these requirements, and a supplier is required to supply only products which are accompanied by a statement of compliance.
- Creating a mandatory reporting obligation for all entities that meet a certain turnover threshold (amount still to be determined) and that:
- are affected by a cyber security incident (whether such an incident has occurred, is occurring or is imminent, and other requirements are met) and the incident is having, or could reasonably be expected to have, a direct or indirect impact on the entity
- receive a ransom demand, or a third party directly related to the incident receives a ransom demand, and
- make a ransom payment or give a benefit in connection with a cyber security incident.
- Such reports are to be made to the Department of Home Affairs and the Australian Signals Directorate (ASD) (if no other Commonwealth body is designated) within 72 hours of payment being made or becoming aware of a payment made. The report must include (i) the contact and business details of the entity who made the payment and the reporting entity, (ii) details of the cyber security incident and the impact it has on the entity, (iii) the ransomware demand made, (iv) the ransomware payment, and (v) communications between the entity and threat actor relating to the incident, demand and payment. This reporting obligation will commence from the earlier of a date fixed by Proclamation, or 6 months after the Cyber Security Act receives royal assent.
- A “limited use” obligation restricting the sharing of incident information by the National Cyber Security Coordinator (NCSC) with other government agencies and regulators. This obligation will be complemented by an amendment to the Intelligence Services Act 2001 (Cth). Essentially, information disclosed in a ransomware payment report can be used by a designated Commonwealth body for a permitted purpose, which enables the entity/Commonwealth body/State body/NCSC/Ministers to respond to, mitigate or resolve a cyber security incident. Any information made available cannot be used to investigate or enforce a contravention by the entity making the report, except a contravention of this Bill or a contravention by the reporting entity of a law that imposes a criminal offence.
- Establishment of a Cyber Incident Review Board (CIRB) to conduct post-incident reviews into significant cyber security incidents. The CIRB must conduct reviews where incidents are referred to it by the Minister, the NCSC, an entity impacted by the incident or a member of the CIRB. A review can only take place where (i) the incident seriously prejudiced the social or economic stability of Australia or its people, the defence of Australia, or national security, (ii) the incident involves novel or complex methods/technologies and an understanding of it will improve Australia’s preparedness, or (iii) the incident is of serious concern to the Australian people.
Amendments to the SOCI Act
In addition, the SOCI Act is amended to:
- expand the definition of critical infrastructure assets to include secondary assets which hold ‘business critical data’ and relate to the functioning of the primary asset
- introduce a ‘last resort’ directions power for the Secretary of the Department of Home Affairs, for managing multi-asset incidents and the consequences thereof
- enable greater intra-government sharing of protected information and cross-industry collaboration
- create a directions power for the Secretary of the Department of Home Affairs or the relevant Commonwealth regulator which is exercisable where it has been identified that a critical infrastructure risk management program is seriously deficient, and
- include security and notification obligations for critical telecommunications assets.