The Cyber Security Legislative Package 2024 is finally here!
27 November 2024. The long-awaited Cyber Security Legislative Package has finally been passed. The Albanese Government passed the package just a week after the Parliamentary Joint Committee on Intelligence and Security (PJCIS) presented its advisory report. Senator Raff Ciccone, Chair of the PJCIS, remarked, “The Committee recognises that hardening Australia’s cyber resilience and implementing the 2023–2030 Australian Cyber Security Strategy is an urgent priority of the Government and this Parliament.”
Background
The Federal Government set the ambitious goal for Australia to become ‘a world leader in cyber security by 2030’ (see the 2023-2030 Australian Cyber Security Strategy).
On 9 October 2024, the Cyber Security Legislative Package was referred to the PJCIS for inquiry and report. The inquiry focused on the package’s measures addressing risks associated with smart devices and the Internet of Things (IoT), and on the new compulsory ransomware payment notifications. The PJCIS published its Advisory Report on 18 November 2024, making 13 recommendations.
The package introduces three (3) Acts:
- Cyber Security Act 2024 (the Act)
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024
With the passage of the three Acts, new obligations are established for businesses, and the Government has stronger enforcement powers. Here’s what businesses need to know to prepare for the new legislation.
Cyber Security Act 2024
Smart Devices Standard
The Act grants the relevant Minister the authority to mandate security standards for devices defined in the Act as ‘relevant connectable products.’ These products include IoT devices such as smart TVs, smart watches, home assistants, and baby monitors. Manufacturers and suppliers of these ‘relevant connectable products’ will need to ensure their products meet the requirements that will be set out in the Standard and must provide a statement of compliance.
While the specific obligations in the Standard are yet to be determined, there is a clear move from Government to ease the burden on industries trading internationally by aligning with international standards, such as those already in force in the United Kingdom (UK).
Ransomware Payment Notification
New requirements will mandate that businesses report ransomware payments, or other benefits, provided in response to a cyber security incident. A report must be submitted within 72 hours of any payment or benefit being given to the extorting entity. This reporting obligation also applies where the reporting entity becomes aware that a related entity has made such a payment on its behalf. Affected businesses include responsible entities for critical infrastructure assets and any non-government entity carrying on business in Australia with an annual turnover exceeding $3 million, which aligns with the threshold set out in the Privacy Act 1988.
The revised Explanatory Memorandum provides for a transition period of six months before enforcement takes effect. Businesses should ensure they have appropriate procedures and measures in place to meet the new reporting obligation, as failure to comply attracts a civil penalty of 60 penalty units, which currently equates to $19,800.
Cyber Incident Review Board
A new Cyber Incident Review Board (CIRB) will be established to conduct reviews following significant cyber security incidents. Businesses can be assured that these reviews will be conducted on a no-fault basis. The Board will have only limited powers to gather information: it may compel an organisation to respond only where a voluntary request for information has not been successful.
‘Limited Use’ Obligations
Information shared with the National Cyber Security Coordinator (NCSC) about a cyber security incident will be protected and used solely for permitted cyber security purposes. Although the information can be shared with other government agencies, it may only be used for the specific purpose for which it was shared. Additionally, it is not admissible in regulatory proceedings and may not be used to initiate enforcement action.
However, businesses should be aware that this arrangement does not provide a ‘safe harbour’ from legal liability. Law enforcement and regulatory bodies retain their existing powers to gather information and conduct their own investigations.
Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
The Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 amends the Intelligence Services Act 2001. It introduces a ‘limited use’ obligation for information that is voluntarily provided to the Australian Signals Directorate during a cyber security incident. This obligation mirrors the ‘limited use’ obligation described above for information voluntarily shared with the NCSC.
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024
Changes to the definition of asset
The definition of ‘asset’ has been expanded so that data storage systems holding ‘business critical data’ form part of the critical infrastructure asset, and the definition of ‘material risk’ is extended accordingly. Responsible entities will therefore need to ensure that the data storage systems holding this business-critical data are protected from threat actors, and that their risk management programs address hazards to those systems.
New all-hazards power
The amendments introduce consequence management powers for significant incidents. These powers are authorised by the Minister and may only be used as a last resort. Under this authority, the Minister can direct critical infrastructure entities in response to a cyber security incident, authorise the disclosure of protected information, and gather information for consequence management in response to multi-asset incidents. This information can be shared with other sectors of the economy, such as banks, to mitigate the flow-on consequences of the incident.
Stronger enforcement powers
Responsible entities under the SOCI Act are required to develop and implement a Critical Infrastructure Risk Management Program (CIRMP) to ensure robust protections for their critical infrastructure assets. Previously, regulators lacked the authority to direct a responsible entity to address serious deficiencies in its CIRMP. The amendments introduce stronger enforcement powers, allowing regulators to direct a responsible entity to rectify serious deficiencies in its CIRMP.
Consolidation of Telecommunications Act 1997 into SOCI Act
Under the new reforms, existing obligations under Part 14 of the Telecommunications Act 1997 will be consolidated into the SOCI Act. The purpose of this reform is to streamline the obligations for telecommunications carriers and carriage service providers. The enhanced security regulations for critical telecommunications assets include:
- A ‘protect your asset’ obligation, requiring all providers to safeguard their assets from all hazards, so far as is reasonably practicable.
- A notification obligation that requires responsible entities to notify relevant parties of certain changes, and proposed changes, to their service or system.
- A rule-making power under which responsible entities may be required to adopt a Telecommunications Security and Risk Management Program (TSRMP).
Closing thoughts
Businesses must review and update their security policies and frameworks to comply with the new obligations, including the reporting requirements for ransomware payments, and to strengthen their resilience against cyber security risks and threat actors.