ARTICLE
16 December 2024

Bits, Bytes and Boards: Australia's New Cyber Security Act 2024

Gilchrist Connell
Laws to safeguard Australia's national security and economic interests against the evolving cyber threat landscape.

On 25 November 2024, the Federal Parliament passed the Cyber Security Act 2024 (Cth) (Act), establishing a robust framework to safeguard Australia's national security and economic interests against the evolving cyber threat landscape. The legislation is one of many steps the Government intends to take to achieve its ambition of making Australia a world leader in cyber security by 2030.

What does it do?

The Act will introduce the following:

  • powers to set minimum security standards for certain smart devices
  • mandatory reporting of ransomware and cyber extortion payments for qualifying businesses
  • greater protections for entities voluntarily sharing information with the National Cyber Security Coordinator (NCSC) and
  • the establishment of a new Government Cyber Incident Review Board.

New minimum security standards for certain smart devices

The Act will empower the Government to establish minimum security standards for certain smart devices, including devices that connect to the internet both directly and indirectly. Once these standards are in force, designated devices will have to be accompanied by a statement of compliance in order to be sold in Australia. To enforce these standards, the Secretary of the Department of Home Affairs will be handed a suite of supervisory powers, among them the authority to issue binding compliance notices, stop notices and recall notices.

The Act appears to draw inspiration from comparable UK regulations introduced in 2023, which mandate security requirements such as advertised minimum update periods, non-default passwords and security reporting systems. We can expect that the standards imposed under Australia's Act may be of a similar nature.

Australia's implementation of the standards will need to balance robust security measures against compliance burdens that could potentially impede innovation. The compliance process associated with any new standards will need to be carefully managed in this respect.

While the compliance burden of these new standards remains unclear, the standards will impact all businesses involved in the manufacture, import or sale of smart devices.

Organisations should:

  • closely monitor the release of the standards; and
  • ensure that either the business or its suppliers can issue the required statement of compliance.

Mandatory reporting for ransomware and cyber extortion payments

From 29 May 2025 (or earlier if determined by the Government), businesses must report any payments or benefits given in response to a ransomware or cyber extortion demand within 72 hours to the Department of Home Affairs (DHA) and the Australian Signals Directorate (ASD).

This obligation will apply to businesses with an annual turnover in excess of a specified amount (yet to be determined, although we expect it will be AUD3M in line with the small business exemption under the Privacy Act), and 'responsible entities' under the Security of Critical Infrastructure Act 2018 (Cth).

While the content of a mandatory report is still to be finalised, it will include details of:

  • the entity which made the payment, including its contact and business details
  • the cyber security incident, as well as its impact on the reporting business
  • the demands made by the extorting entity
  • the ransomware payment and
  • communications with the extorting entity relating to the incident, the demand and payment.

Significantly, the mandatory reports may only be used to assist the reporting entity in its response to the incident, and to mitigate the harm that occurs as a result. This reinforces the Government's indications that these obligations are intended to be supportive, rather than coercive, in nature.

We also look forward to observing how the new reporting obligation may ultimately tie in with the purpose and functions of the newly formed Cyber Incident Review Board.

Organisations will need to update their existing incident response plans and strategies to incorporate the new obligations.

Organisations should also consider their posture towards an extortion demand and the robustness of the backup procedures in place that will allow the business to recover from a ransomware attack.

Limited use obligations on reported cyber incident information

The Act also looks to promote industry cooperation and greater information disclosure by ensuring that information about significant cyber security incidents that is voluntarily reported to the NCSC by affected entities is not used for investigatory or prosecutorial purposes, restricting its use to:

  • assisting the affected entity
  • coordinating government response and
  • where necessary, informing the Minister.

These protections aim to encourage greater reporting by ensuring that affected entities are not disadvantaged or otherwise prejudiced for their transparency. This in turn will enable the NCSC to have greater visibility over the cyber landscape and better coordinate national cybersecurity responses alongside the organisations it serves to protect.

Organisations should:

  • develop information sharing protocols that leverage the NCSC's limited use obligations, ensuring shared information qualifies as relating to a significant cybersecurity incident, and
  • ensure that current and future contracts of the business allow for the sharing of cyber incident information with the government.

Cyber Incident Review Board

The Act establishes a Cyber Incident Review Board to examine significant cyber incidents that threaten Australia's socio-economic stability or public interest or reveal insights for future resilience.

Consistent with the theme of 'limited use' obligations above, information provided as part of a Cyber Incident Review Board review is not admissible in court and does not affect a claim of legal professional privilege.

Implications

The Act introduces significant compliance obligations for Australian businesses. Smart device manufacturers, importers and sellers must prepare for new minimum security standards. Larger businesses and critical infrastructure entities face mandatory ransomware reporting requirements. While these new obligations require operational changes, the Act's supportive approach, including protections for voluntary information sharing, demonstrates the Government's focus on improving Australia's cyber resilience.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
