The Australian Government has introduced its first standalone cyber security legislation.
Purpose of the law
The legislation aims to enhance the security and resilience of Australia’s cyber environment and critical infrastructure, and addresses the proposals set out in the 2023-2030 Australian Cyber Security Strategy, which we outlined in our January 2024 market update found here.
The new Cyber Security Legislation comprises the:
- Cyber Security Act 2024 (Cyber Security Act);
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024;
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).
The major changes under the new legislation are:
- The introduction of smart device standards and stronger security for IoT devices
- Mandatory reporting of ransomware payments for many businesses
- Regulations allowing for cyber incident sharing with the government (for limited use)
- The establishment of the Cyber Security Incident Review Board (the ‘CIRB’)
- Frameworks setting out cyber security requirements for business-critical systems
- The expansion of government powers allowing for assistance with critical infrastructure during cyber incidents.
Security Standards for Smart Devices
The new legislation includes mandatory security standards for smart devices, also known as Internet of Things (IoT) devices. IoT devices are the network of physical objects embedded with sensors, software and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. In this hyperconnected world, smart devices range from standard household items to sophisticated industrial tools, and our reliance on them is growing year on year.
Despite this, there are currently no enforceable security standards governing how the information collected by such devices is used and disclosed by their manufacturers.
The Australian Signals Directorate (the ‘ASD’) acknowledges IoT devices are easy targets for cyber criminals, often collecting not only personal information (through voice recording functionality or otherwise) but other highly sensitive information that can assist in the facilitation of crimes.
There have been several well-reported examples in the media over the last 24 months of smart devices being exploited for malicious purposes: for example, doorbell cameras recording when you leave your home, and more recent reports of Apple AirTags being used not to track belongings but to enable the harassment and stalking of people.[1]
To prepare for the changes, manufacturers and businesses involved in the production or distribution of smart devices should review their statements of compliance.
Businesses should ensure relevant disclaimers and liability provisions are in place to protect themselves in the event of a smart device being found in breach of the applicable security standards.
Ransomware payments
The introduction of the mandatory reporting of ransom payments is expected to have the most immediate impact on organisations.
Ransomware attacks are rising, accounting for 11% of all cyber incidents responded to by the ASD in 2023-2024, (up from 8% in the previous year) and 71% of all extortion-related cyber security incidents.
Whether the Government should prohibit the payment of ransoms was an issue of serious debate right up until the release of the Cyber Security Act. The Government maintains its messaging that organisations should not pay ransoms, as payment does not guarantee the recovery or confidentiality of stolen data and can encourage the proliferation of cybercrime.
The new legislation only requires some organisations to report ransomware payments. It applies to any organisation that:
- holds responsibility for a critical infrastructure asset; or
- has an annual turnover of circa $3 million AUD.
Once a payment is made, the organisation has 72 hours to report it to the ASD. Failure to comply could result in a civil and financial penalty.
To prepare for this change, organisations should review their cyber incident response plan and current approach to preparing for, and responding to, ransomware attacks.
The Cyber Incident Review Board
Part of the changes include the establishment of the CIRB to conduct post-incident, no-fault reviews and produce public findings. The CIRB will make recommendations about actions that could be taken to prevent, detect, respond to, or minimise the impact of cyber security incidents of a similar nature in the future.
A review may only be conducted in cases where the incident or incidents:
- has seriously prejudiced the social or economic stability of Australia or its people, the defence of Australia or national security;
- has involved novel or complex methods or technologies; or
- could reasonably be of serious concern to the Australian people.[2]
Further to this, an entity impacted by a significant cyber security incident may voluntarily provide information to the National Cyber Security Coordinator (NCSC). The role of the NCSC is to lead the coordination and triaging of responses to a significant cyber security incident.
To encourage and support an organisation’s decision to report a cyber threat, the government has included a Limited Use Provision. This provision aims to encourage businesses to share information concerning cyber security breaches without fear that the information shared will be used against them.
To conclude
The rollout of the 2023-2030 cyber strategy aims to be “the roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030”.[3] Many organisations are expected to be affected by the changes introduced by the new cyber security legislation, and organisations should brace themselves for further changes still to come.
For further information on the changes or to understand how the changes may impact your business, the reader can contact a Bellrock Advisor here.
[1] ABC News. “Apple AirTags causing major security concerns amid reports of stalking.” ABC News.
[2] Australian Government Department of Home Affairs. “Cyber Security Strategy – Cyber Incident Review Board Factsheet.” Department of Home Affairs, 2023.
[3] Australian Government Department of Home Affairs. “2023-2030 Australian Cyber Security Strategy.” Department of Home Affairs, 2023.