By Simon Liu and Sascha Hess

On 2 October 2024, the Australian Government announced its first standalone Cyber Security Bill as part of a package of reforms in critical infrastructure and national security to bring Australia in line with international best practice on new and emerging cyber security threats. The Cyber Security Legislative Package includes the Cyber Security Bill 2024 as well as amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018 (SOCI Act).

The proposed regulatory framework forms part of the government's vision, set out in its 2023-2030 Australian Cyber Security Strategy, of making Australia a world leader in cyber security by 2030. One specific aim is to build the government's visibility of the ransomware threat, which continues to grow and raises risk for all organisations.

IIS welcomes the four key measures this bill introduces.

Set up a response and learning framework for cyber incidents

Three initiatives work together to systematically enhance Government and Industry’s ability to respond to, and learn from, cyber security incidents:

  • Providing the Government with data on cyber incidents (in particular, ransomware payments)

  • Lowering barriers to information sharing with the Government, and

  • Creating a ‘no-fault’ cyber incident review board.

These efforts align with existing industry practices and common sense – sharing data fosters an informed, coordinated response, while conducting blameless post-mortems helps embed lessons for future incidents.

The bill does this by:

1. Introducing mandatory reporting of ransomware payments by certain businesses

Introducing a mandatory reporting obligation for entities affected by a cyber incident that results in a ransomware payment. The report must be made within 72 hours of making the payment, or of becoming aware that the payment has been made on the entity's behalf. The two categories of entities that have ransomware reporting obligations are:

  • Category 1

    • Entities that carry on business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold (which is likely to be $3 million, yet to be confirmed);

    • Not a Commonwealth body or a State body; and

    • Not a responsible entity for a critical infrastructure asset under the SOCI Act.

  • Category 2

    • Responsible entities for a critical infrastructure asset to which the SOCI Act applies. In other words, all responsible entities will have ransomware reporting obligations even where their annual turnover does not exceed the turnover threshold (which is likely to be $3 million, yet to be confirmed), or where they are a Commonwealth or State body.

2. Introducing a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD)

Introducing a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator (or, under the accompanying Intelligence Services Act amendments, to ASD) during a cyber security incident can be used and shared with other government agencies, including regulators. The intent is to lower the barrier to voluntary sharing: an entity should be able to seek help during an incident without the information it provides being turned directly into regulatory action against it.

3. Establishing a Cyber Incident Review Board

Establishing a Cyber Incident Review Board to conduct ‘no-fault’ post-incident reviews into significant cyber security incidents, so that lessons can be shared across industry rather than confined to the affected entity.

Set up a minimum security baseline for ‘smart devices’

Smart devices are becoming a common feature in Australian homes and businesses. From home security systems and video doorbells to keyless entry and voice assistants, who doesn't enjoy the added convenience and peace of mind? However, like any software, the firmware and services behind internet-connected devices contain security vulnerabilities, and these devices need secure default configuration and regular patching.

4. Introducing a minimum set of cyber security practices for smart devices

The bill marks the first step in establishing a minimum security baseline for such devices in Australia and follows the lead of the UK, whose comparable smart-device security requirements took effect in April 2024.

Ready, Steady, Go

The legislation, if enacted, will become Australia's first standalone cyber security legislation. It strengthens protections for businesses against rising cybercrime and introduces enforcement measures for businesses that do not meet their new obligations.

Businesses will need to adapt to stricter security standards for smart devices and embed the new reporting requirements, including the 72-hour ransomware payment report, into their incident response plans.

Please contact IIS to have a confidential chat on how we can support your business to become compliance ready.

If you are interested in understanding the impacts of a real major cyber security incident and a serious data breach, see our whitepaper on “What businesses need to know about the Optus 2022 cyber attack and lessons learned from the Service NSW 2020 Data Breach”.