Hack to the future: your plan to navigate Australia's new Cyber Security Legislative Package
Amid a flurry of legislative activity last week, the Parliament passed the Australian Government’s package of legislation aimed at implementing key milestones under the 2023-2030 Australian Cyber Security Strategy. With the Cyber Security Legislative Package coming into law, it’s clear the Government wants to be “in the room where it happens” when organisations experience a cyber incident.
Key takeaways for organisations
Under the Cyber Security Legislative Package, organisations will be required to report to Home Affairs within 72 hours when they make a payment (or other benefit) to a cyber extorting entity. The Government is focused on improving visibility and intelligence over the impact of ransomware on the Australian economy. While it is yet to be clarified which organisations the mandatory reporting obligation will apply to (with a turnover test to be prescribed by yet-to-be-released rules), the new Cyber Security Act will include a possible fine of up to $18,780 for organisations that do not comply with the reporting obligations.
The ‘limited use’ obligations control the way that information can be recorded, used and disclosed by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the National Cyber Security Coordinator (NCSC) to incentivise voluntary information sharing by organisations experiencing a cyber incident. Similar restrictions on the way information can be used also apply to Home Affairs with respect to the mandatory ransomware payments reporting regime.
As a key incentive, the limited use obligation prevents any information shared voluntarily from being used against an entity by a regulatory agency. While this measure is aimed at giving organisations comfort that they can share information with the Government during an incident in order to receive Government support, it is not a ‘safe harbour’ that shields organisations from legal liability – regulators can still use their powers to gather any information relating to a cyber incident if breaches of the law are suspected. This is particularly important given the recent developments in regulatory activity, namely:
- ASIC’s public statements on current investigations of directors over potential breaches of duties relating to cyber security;
- the memorandum of understanding facilitating the sharing of information between the OAIC and ASIC; and
- the civil penalty proceedings commenced against Medibank by the OAIC.
Cyber Security Legislative Package: what you need to know (and what we still don’t know)
The Cyber Security Legislative Package which has passed through parliament includes:
- the Cyber Security Bill – which once entered into law, will become Australia’s first standalone Cyber Security Act;
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Cth) (ISOLA Cyber Act), which will amend the Intelligence Services Act 2001 (Cth) and Freedom of Information Act 1982 (Cth); and
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth) (SCIOLA Bill), which will amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
In this article, we focus on the new Cyber Security Act and the ISOLA Cyber Act.
The risk of cyber threats is higher than ever before
The Cyber Security Legislative Package has been passed at a time when organisations continue to face a complex and high-risk landscape.
The ACSC’s Annual Cyber Threat Report 2023-2024 makes it clear that the threat level is the highest it has ever been, amid increased geopolitical challenges for Australia.
Key findings include:
- 12% more calls to the ACSC’s hotline;
- a report every 6 minutes (the same as last year);
- ransomware now comprises 11% of all incidents, up 3% from 2022-2023;
- increases in global state-sponsored activity;
- innovations in attack types and vectors by threat actors, including:
  - the use of artificial intelligence;
  - credential stuffing (use of stolen credentials to access other accounts via automated logins); and
  - quishing (malicious manipulation of QR codes to gain unauthorised access); and
- a continued focus on the cyber risks within supply chains – particularly the risks posed by SaaS and web hosting providers.
Mandatory reporting of ransomware payments
To improve the Government’s visibility over ransomware in Australia, certain entities impacted by a cyber security incident must report ransomware payments to the Minister of Home Affairs through cyber.gov.au. The report must be made within 72 hours of the payment and must include details of the incident, the demand and the payment. Failure to comply may result in a civil penalty of up to $18,780 (as at the date of publishing).
This obligation will commence, at the latest, 6 months after the Cyber Security Act receives royal assent, or at an earlier date set by proclamation.
These reporting obligations are in addition to other mandatory obligations such as mandatory data breach obligations under the Privacy Act.
Operation of the reporting obligation
The Cyber Security Act defines a ‘reporting business entity’ as an entity carrying on business in Australia with an annual turnover that exceeds the turnover threshold for that year. The threshold is not yet available as it is to be defined in associated Rules. This is likely to be a contentious issue given the recent pushback from industry in relation to the anticipated removal of the small business exemption from the Privacy Act. Government bodies are excluded from reporting. While the Government proposed a reporting threshold which captures entities with an annual turnover of at least $3 million (as well as entities regulated under the SOCI Act) – it remains to be seen whether this will actually make its way into the rules, or whether a higher threshold of an annual turnover greater than $10 million (which the Government is also considering) will be implemented.
A cyber security incident borrows its definition from the SOCI Act to include an act, event or circumstance involving:
- unauthorised access to computer data or a computer program;
- unauthorised modification of computer data or a computer program;
- unauthorised impairment of electronic communication to or from a computer (including the ‘mere interception’ of any such communication); or
- unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program.
Importantly, a ransomware payment occurs where an entity (the extorting entity) makes a demand of the reporting business entity (the victim entity) in order to benefit from the incident or the impact on the victim entity and the victim entity provides a payment or other benefit to the extorting entity.
Home Affairs will only be able to use information on ransomware payments for permitted purposes, and the Act restricts its use in a civil regulatory context. The provisions also protect claims of legal professional privilege over the reported information.
Limited use obligations on the NCSC and the ASD's ACSC
The Government recognises that organisations are hesitant to voluntarily share information with the Government when responding to a significant cyber security incident due to concerns that regulators may use this information against them during regulatory proceedings. The Explanatory Memorandum (EM) to the Cyber Security Bill highlights that organisations are treating the response to and recovery from significant cyber incidents as legal issues, and impeding Government assistance by communicating only via legal counsel (fearing regulatory blowback).
To alleviate these concerns, the Cyber Security Act introduces ‘limited use’ obligations on the NCSC when sharing information with other Government entities and regulators (including under the mandatory ransomware reporting regime). The ISOLA Cyber Act inserts similar limited use obligations on the ASD.
The Cyber Security Act cements the role of the NCSC in coordinating the ‘whole of Government’ response to a significant cyber security incident and in engaging with Government and industry to mitigate secondary harms that may result from the incident.
A cyber security incident is considered significant where there is a material risk that the incident can prejudice social or economic stability, defence or national security or where the incident is of serious concern to the Australian people. This will primarily concern entities subject to the SOCI Act.
Crucially, information voluntarily provided to the NCSC or other Government bodies cannot be used against entities except to enforce a criminal offence or a contravention of the Cyber Security Act. Legal professional privilege will not be affected by information being reported to the NCSC or ASD, and any information voluntarily shared or reported will be inadmissible as evidence (except for criminal offences relating to breaches of the reporting obligation, false or misleading information, or obstruction of Commonwealth officials).
Mandatory security standards for smart devices
Currently, best-practice security guidelines on smart devices are contained in voluntary codes which are not widely adopted in Australia. To uplift standards, the Minister is granted powers to mandate security standards to apply to manufacturers of smart devices.
The mandatory standards will apply to devices that directly or indirectly (i.e. through other devices) connect to the internet. Examples include smart TVs, smart watches and home assistants.
While details of security standards have not yet been released, the Government has referred to UK laws in defining a smart device and in determining the content of a statement of compliance. This suggests the Government may also draw upon UK laws to determine the content of the security standards. Relevantly, the UK laws include references to:
- the European Standard on Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645); and
- ISO/IEC 29147:2018 Information technology - Security techniques - Vulnerability disclosure standard (2nd edition, 2018).
Accordingly, we may expect to see references to similar requirements in the security standards.
Manufacturers will be required to provide a statement of compliance to customers of the product which contains declarations that the product complies with the security standards. Non-compliance may result in the Secretary of Home Affairs issuing to the manufacturer or supplier a compliance notice, stop notice or recall notice.
These requirements will apply to relevant connectable products manufactured after the provisions receive royal assent.
Creation of the Cyber Incident Review Board (CIRB)
The Cyber Security Act establishes an independent advisory body to conduct ‘no-fault’ reviews of significant cyber security incidents in Australia and make recommendations to Government and industry to strengthen cyber resilience. This is modelled off the US Cyber Safety Review Board.
The CIRB will have the right to request documents from entities to which a review relates. Failure to comply may result in civil penalties of $18,780 (as at the date of publishing).
While analogous limited use obligations will apply to the CIRB (including with respect to legal professional privilege), organisations are likely to remain wary of the operation of the CIRB, particularly given the significant reputational risks that cyber incidents carry. Notwithstanding any limited use obligations for any information provided to the CIRB and the ‘no fault’ findings, the public may form a different view on the published final review report.
Revisiting the 2023-2030 Australian Cyber Security Strategy
The Cyber Security Legislative Package forms part of the 2023-2030 Australian Cyber Security Strategy, which the Government developed to position Australia as a world leader in cyber security by 2030. The Minister for Cyber Security, Tony Burke, states that “This [Cyber Security Legislative] Package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape”.
The Cyber Security Legislative Package implements seven initiatives under the Strategy aimed at plugging legislative gaps to bring Australian laws in line with international best practice.
The Strategy includes a number of non-legislative actions which the Department of Home Affairs and the Government have developed (or are developing), including:
- a ransomware playbook;
- additional information on cyber governance under current regulation;
- a single reporting portal for cyber incidents;
- expansion of the Digital ID program to reduce the need for people to share sensitive personal information to access services online;
- a voluntary labelling scheme to measure the cyber security of devices;
- a voluntary cyber security code of practice for app stores and app developers; and
- a review of the data brokerage ecosystem to explore options to restrict unwanted transfer of data to malicious actors.
Key actions checklist – what organisations can do to respond to the reforms
As the Cyber Security Legislative Package has now passed through Parliament, the relevant amendments and the new Cyber Security Act will come into force after receiving royal assent. Our checklist below sets out the steps organisations can take now to respond to these new obligations and to build cyber resilience.
| Task | Yes | No |
| --- | --- | --- |
| Does your organisation have a separate Ransomware Policy governing the position, circumstances and approvals in respect of the payment (or non-payment) of a ransom? | | |
| Review and update data breach response and business continuity plans to prepare for: | | |
| Test your data breach response and business continuity plans, using hypotheticals, simulations or tabletop exercises with your organisation’s leadership team. | | |
| Have you conducted a data and systems mapping exercise to understand what data you hold and which systems, including third parties, store personal information and key organisational critical data across your IT environment? | | |
| Review, and create a register of, notification obligations under third party agreements to ensure you know what your obligations are to third parties in an incident context. | | |
| Ensure that you have monitoring in place over your IT environment so that you are able to detect threats or suspicious activity. | | |
| Benchmark your organisation’s Essential Eight maturity level according to the Australian Cyber Security Centre’s ‘Essential Eight’ model. | | |
| Train staff on cyber security risks, including how to recognise and manage risks, through exercises such as phishing tests. | | |
| Ensure that your organisation has proper governance structures in place for managing cyber security risks, such as regular board training, board oversight and clear roles and responsibilities. | | |
| Are your cybersecurity strategy and privacy management strategy integrated, with collaboration between them, or are these two areas siloed? | | |
| Do you conduct security reviews and privacy impact assessments before implementing new projects or onboarding new suppliers/third party providers, to ensure third party risks are mitigated and to take a privacy and security by design approach? | | |
| If your business involves relevant connectable (i.e. internet or network connectable) products as a manufacturer, conduct a gap risk analysis between current security measures and those prescribed by ETSI EN 303 645 and ISO/IEC 29147:2018. | | |
| If your business involves relevant connectable (i.e. internet or network connectable) products as a supplier, review contractual arrangements with manufacturers to ensure the new mandatory obligations are adequately covered. | | |
Privacy Reforms
Double Trouble – First Tranche of Privacy Reforms also passed
In a busy final sitting for Parliament, the First Tranche of Privacy Act reforms also passed last week. One of the significant measures is that there are changes to Australian Privacy Principle 11, which regulates the security of personal information.
The new privacy laws will introduce a new requirement under APP 11 which clarifies that technical and organisational measures are required to reasonably secure personal information.
At the recent AFR Cyber Security Summit, Privacy Commissioner Carly Kind spoke about this amendment and said the Regulator was seeing an overreliance on technical measures (IT security measures), but that organisational measures were equally important, such as governance, board and executive oversight, training and education (in other words, people).
It is critical for organisations to ensure they are taking a holistic, “whole of business” approach to the privacy and cybersecurity reforms and not considering them in isolation.
For more on the Privacy Act reforms see One small step for privacy reform - what the Government's new Privacy Bill does (and doesn't) cover