Cyber reforms: Cyber Security Legislative Package 2024
Australian businesses continue to be the target of malicious cyber attacks, and the number of reported data breaches increases each year. Against this threat landscape, the Australian Government has introduced the Cyber Security Bill 2024 (Bill) to Federal Parliament to provide a legislative framework to help address broad, whole-of-economy cyber security issues and to better position the Government as it responds to new and emerging cyber security threats.
This update provides a snapshot of the proposed Bill and what it means for organisations. It covers the following sections:
- Key features of the Bill
- Mandatory security standards for smart devices
- Mandatory reporting for ransomware and cyber extortion payments
- Coordination of significant cyber incidents by the National Cyber Security Coordinator (NCSC)
- Cyber Incident Review Board to be established
- Key takeaways
Key features
The Bill:
- grants ministerial powers to mandate security standards for smart devices (Part 2 of the Bill)
- introduces mandatory reporting of ransomware and cyber extortion payments (Part 3 of the Bill)
- introduces a limited use obligation on cyber incident information voluntarily reported to the National Cyber Security Coordinator (Part 4 of the Bill)
- establishes a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents (Part 5 of the Bill).
Mandatory security standards for smart devices
Currently, smart devices are not subject to mandatory cyber security standards. In 2020, the Australian Government released a voluntary Code of Practice, "Securing the Internet of Things for Consumers". However, research revealed low levels of adoption of the Code by manufacturers, and the Australian Government now describes smart device security in Australia as "fragmented and insufficient".
Summary
The Bill provides the Minister with powers to mandate security standards as ministerial rules for smart devices that will be acquired in Australia. The security standards specified by the Minister in the rules will apply to devices that meet the definition of "relevant connectable product", or be limited to a subset, type or class of devices. A "relevant connectable product" is a product that is capable of connecting directly or indirectly to the internet.
If the rules provide that a security standard applies to a smart device, manufacturers will be required to manufacture those smart devices for the Australian market in accordance with the requirements of the security standard.
Further, an entity must not supply a smart device in Australia that was not manufactured in compliance with the requirements of the security standard for that device.
Entities that manufacture or supply smart devices must provide a statement of compliance for the devices they manufacture or supply to the Australian market. The requirements of the statement of compliance will be specified in the rules.
Failure to comply with these statement of compliance obligations may attract enforcement action.
Implications
Once the ministerial rules are released, smart device manufacturers should review the rules to assess whether they apply to the devices they manufacture. If mandatory security standards apply, manufacturers should:
- assess whether they are manufacturing smart devices in accordance with the security standards and modify their manufacturing processes if needed; and
- prepare a statement of compliance for the smart devices they manufacture, as prescribed by the rules.
Suppliers of smart devices subject to mandatory security standards should request a statement of compliance from their manufacturer for their own records. According to the Explanatory Memorandum, if a supplier is unable to obtain a statement from the device manufacturer, the supplier can get the device tested and a statement of compliance prepared by a verified third party.
Mandatory reporting for ransomware and cyber extortion payments
The Bill will establish a mandatory reporting obligation requiring entities that meet a specified threshold to report to the Department of Home Affairs if they make a ransomware or cyber extortion payment of money, or an in-kind benefit, in connection with a cyber security incident.
Summary
When does an entity need to submit a mandatory report?
An entity must submit a mandatory report when:
- a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have a direct or indirect impact on the entity;
- an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the entity; and
- the entity provides, or is aware that another entity directly related to the entity has provided, a payment or benefit to the extorting entity that is directly related to the demand.
Who is subject to the mandatory reporting obligation?
Entities subject to this mandatory reporting obligation must:
- be carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year;
- not be a Commonwealth body or a State body; and
- not be a responsible entity for a critical infrastructure asset. However, a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies is separately subject to this mandatory reporting obligation, regardless of its turnover.
The turnover threshold will be specified in rules, and is likely to be an annual turnover of greater than $3 million.
What is the reporting timeframe?
Entities will have 72 hours after making a ransomware payment or becoming aware a ransomware payment has been made to submit a ransomware payment report to the Department of Home Affairs, through an online portal administered by the Australian Signals Directorate.
Failure to comply with this reporting obligation will attract a maximum civil penalty of 60 penalty units (currently $18,780).
How will information be protected?
Information supplied to the Department of Home Affairs in accordance with this mandatory reporting obligation will be protected by the "limited use obligation". This limited use obligation is not intended to be a "safe harbour" to shield a reporting entity from legal liability. Instead, information supplied may only be used and disclosed for limited permitted purposes specified in the Bill. Further, the Department of Home Affairs must not use or disclose the information in relation to investigation or enforcement action under another law.
Implications
The mandatory ransomware payment reporting requirements proposed by the Bill stem from the current underreporting of ransomware payments and the Government's limited visibility over how much is being extorted from businesses through ransomware attacks.
The scope of this requirement, in its current form, is unlikely to extend to small businesses that do not meet the annual turnover threshold. This would leave a significant gap in visibility of the ransomware payments actually being made, as small businesses are frequent targets of ransomware.
As currently drafted, the reporting requirement would be triggered only upon the payment of a ransom or benefit to the extorting entity; there would be no mandatory obligation to report ransom demands that an impacted entity receives but does not pay. Given that the requirement was introduced specifically to improve the government's understanding of the ransomware threat and of how much is being extorted from businesses, it is unclear how a payment-only trigger would allow the government to develop a holistic picture of ransomware extortion against Australian businesses.
Nonetheless, in anticipation of these reforms, it would be prudent for businesses that exceed the annual turnover threshold, or have cyber security incident reporting obligations under the SOCI Act, to update their incident and data breach response plans and ransomware playbooks to include the requirement to report ransomware payments within 72 hours of the ransom payment being made, or awareness that the ransom payment has been made.
Coordination of significant cyber incidents by the National Cyber Security Coordinator (NCSC)
The Cyber Security Bill seeks to affirm the role of the NCSC to coordinate whole-of-government cyber incident response efforts, and to increase trust and engagement between businesses and the government by limiting the circumstances under which the NCSC can use and share disclosed information.
Summary
Under the Bill, an entity may voluntarily provide information to the NCSC in respect of "significant cyber security incidents". Information provided to the NCSC may only be used and disclosed by the NCSC for limited permitted purposes specified in the Bill. Again, this "limited use obligation" is not intended to be a "safe harbour" to shield an entity from legal liability. The NCSC cannot use disclosed information for investigation and enforcement action. However, the Bill is not intended to restrict law enforcement or regulators from gathering the same information through their own existing powers and using this information for regulatory or law enforcement purposes against the entity. Further, reporting to the NCSC does not remove an entity's mandatory obligations to notify eligible data breaches to the Office of the Australian Information Commissioner (OAIC) or to report to other regulatory agencies.
Implications
It is unclear whether entities will be incentivised to voluntarily share information with the NCSC. While the Bill intends to encourage engagement between government and industry, it remains to be seen whether the "limited use obligation" will be sufficient to assure entities that the information they share with the NCSC will not be used against them in regulatory or law enforcement action, particularly given that regulators and law enforcement retain their existing powers to obtain the same information by other means.
Cyber Incident Review Board to be established
The Bill will establish the Cyber Incident Review Board, an independent advisory body to conduct no-fault, post-incident reviews of "significant cyber security incidents" in Australia. The Board will disseminate recommendations to government and industry following a review to strengthen Australia's collective cyber resilience.
Summary
The Board may only conduct a review if an incident or series of incidents meets one of the following criteria:
- the incident or series of incidents has seriously prejudiced, or could reasonably be expected to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia, or national security;
- the incident or series of incidents involved novel or complex methods or technologies, an understanding of which will significantly improve Australia's preparedness for, resilience to, or response to cyber security incidents of a similar nature; or
- the incident or series of incidents is, or could reasonably be expected to be, of serious concern to the Australian people.
The Board will also have limited information-gathering powers to compel information from entities involved in the cyber security incident under review.
Implications
There are clear benefits to establishing a Board to conduct post-incident reviews of significant cyber security incidents in Australia and make recommendations to government and industry on how to prevent, detect, respond to, or minimise the impact of similar cyber security incidents in future.
In circumstances where the findings and recommendations from reviews of large-scale cyber incidents have not previously been shared with industry, establishing a Board with a clear remit to conduct such post-incident reviews will allow entities to better understand how to improve their internal processes to prevent or respond to future incidents. It will also provide cyber insurers with better visibility of the key risks facing entities in large-scale cyber incidents.
Enabling industry and the country as a whole to learn from the lessons of large-scale cyber incidents is critical to uplifting cyber resilience in Australia.
Key takeaways
It is evident the Australian Government is focused on uplifting Australia's resilience and capability to respond to existing and emerging cyber security threats. The Bill seeks to improve the government's understanding of the cyber threat landscape by providing a range of information-gathering powers and imposing reporting obligations on certain entities.
The mandatory reporting of ransomware payments is expected to be the most critical feature of the Bill for Australian businesses. Consequently, we recommend that businesses with cyber security reporting obligations under the SOCI Act, or an annual turnover of over $3 million, familiarise themselves with the proposed ransomware payment reporting obligations.
Lander & Rogers is watching the development of cyber law in Australia with interest and will continue releasing updates on the passage of the Bill and other cyber-related reforms as developments arise.
For more information on the legal aspects of the Bill and how to prepare for impending changes, please contact our team of experienced cyber practitioners.