03 Dec 2024, 9:03 am
Australia has its first standalone Cyber Security Act.
The legislation, which has now received Royal Assent, forms part of Australia’s cybersecurity law package 2024 and will impose new obligations on businesses. Businesses must now prepare to meet those obligations by building their understanding of the new measures introduced – such as security standards for smart devices, rules on the reporting of ransomware payments, and new procedures and mechanisms for cyber incident response – and of how those measures will affect their organisation.
Hear Mike Harvey and Veronica Scott discuss this story on The Pinsent Masons podcast here or wherever you get your podcasts.
The objective of the Cyber Security Act is to provide a clearer legislative framework to address contemporary, whole-of-economy, cybersecurity issues, positioning the Australian government to identify and respond to new and emerging cybersecurity threats. The Act comprises four parts which:
Smart devices or Internet of Things (IoT) devices are defined in the Act as ‘relevant connectable products’ (products). The Act mandates the implementation of security standards for these products, which will be specified in rules to be developed by the government minister administering the Act. Those rules may apply to all products, or be limited to a subset, type, or class of product. The obligations in the standards will come into force within 12 months, that is by December 2025, though the Act includes a mechanism to enable the obligations to come into force sooner.
Manufacturers and suppliers of the products will be required to ensure that their products comply with the security standards if they are aware, or could reasonably be expected to be aware, that the products will be acquired in Australia.
The rules-based model aims to enable a flexible approach, allowing the government to adapt the regulations to evolving technology and respond to emerging cybersecurity threats by updating the standards as needed.
While the specific scope and application of the standards will be detailed in the rules, the previous consultation the government held on the reforms proposed in Australia’s 2023-2030 cybersecurity strategy offers some clues as to which products the rules will focus on: largely consumer products such as home security cameras, smartphone-controlled appliances, and baby monitors.
According to the explanatory memorandum published with the Bill, the rules-based approach will enable Australia to align with existing international standards, such as the UK’s approach in the Product Security and Telecommunications Infrastructure Act 2022, covering, for example, unique password requirements, security update information, a statement of compliance regime, and risk assessment requirements on manufacturers. This will ensure Australia remains in step with international markets, help protect Australians from cybersecurity vulnerabilities arising via compromised or exploited smart devices, and reduce the burden on industry operating across jurisdictions.
The Act establishes an enforcement and compliance regime that will apply to the new standards, giving the secretary of home affairs the authority to issue notices to entities, including:
To prepare for these changes, entities will need to:
The Act introduces mandatory reporting obligations for entities affected by cyber incidents involving ransomware or extortion payments, to enhance threat intelligence and response. It does not prohibit the payment of a demand but rather imposes reporting obligations if a payment is made.
The reporting obligations will come into force within six months of the Cyber Security Act receiving Royal Assent, though there is also a mechanism to enable the obligations to come into force sooner.
Reporting is required when:
The obligation applies to private sector entities carrying on a business in Australia, with an annual turnover equal to or greater than the amount prescribed by rules that will be made. The explanatory memorandum indicates the threshold is likely to be at least AUD$3 million (US$1.94m), which aligns with the small business exemption threshold in the Privacy Act 1988 (Cth).
The obligations will also apply to entities responsible for critical infrastructure assets that are already regulated under the Security of Critical Infrastructure (SOCI) Act (Cth).
Reports must be made to the Department of Home Affairs within 72 hours of making a payment or becoming aware of such a payment, through a portal available on cyber.gov.au that will be administered by the Australian Cyber Security Centre (ACSC).
Critical infrastructure asset owners and operators with mandatory cyber security incident reporting obligations under Part 2B of the SOCI Act already have reporting obligations to the ACSC through the existing ‘Report’ portal and they should be familiar with these similar reporting processes.
Failure to comply with these reporting obligations may result in civil penalties of 60 penalty units, currently worth AUD$18,780 (US$12,169).
Where the information in a ransomware payment report is provided to a designated Commonwealth body, to safeguard the confidentiality of the reporting entities, it can only be used for purposes outlined in the Cyber Security Act, including to:
The Act restricts Commonwealth and State agencies from using the information in a ransomware payment report to investigate or litigate civil claims or enforce penalties or sanctions, except for criminal offences. This protects reporting entities against their report being used against them in civil or regulatory actions, although it can still be used as evidence in criminal cases.
Existing mechanisms enforcing regulatory obligations that apply to cyber incident and data breach reporting will remain in place, such as the notifiable data breach scheme in the Privacy Act. The reporting will also interact with other ‘limited use’ provisions that will be introduced, as explained below.
To prepare for these new reporting obligations, entities will need to review, with their boards, their policy on payment of ransomware and other cyber extortion demands and consider their:
The Act also introduces additional measures aimed at the government better understanding, informing, and improving responses to cybersecurity incidents.
The limited use obligation on cyber incident information restricts how cyber incident information provided voluntarily to the National Cyber Security Coordinator (NCSC) or the Australian Signals Directorate (ASD) during a cyber incident can be shared with other government agencies, including regulators.
This restriction aims to encourage timely and transparent reporting by providing assurances to entities on how reported information can be used. These provisions intersect with the amendments that will be made by another part of the cybersecurity law package 2024 – the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (ISOLA Act).
The ISOLA Act aims to legislate a limited use obligation on the ASD to protect the information voluntarily provided to, or acquired or prepared by, the ASD during a cyber security incident. This means that the ASD can only disclose this information for a permitted cybersecurity purpose, and recipients can only use that information for a permitted cybersecurity purpose.
Permitted cybersecurity purposes include, but are not limited to, the performance of: the ASD’s functions under the ISOLA Act; informing the minister of a cybersecurity incident that may potentially occur; a Commonwealth or State body’s functions in responding to, mitigating or resolving the cybersecurity incident; or the National Cyber Security Coordinator’s functions under Part 4 of the Cyber Security Act 2024.
This obligation is intended to complement the ‘limited use’ obligation applicable to the National Cyber Security Coordinator Act 2024.
The ISOLA Act also amends the Freedom of Information Act 1982 (Cth) to include an exemption from freedom of information (FOI) requests for a document given to, or received by, the National Cyber Security Coordinator for the purposes set out under Part 4 of the Cyber Security Act 2024. That measure is intended to provide industry with the assurance that they can engage with and provide information to the various agencies the government has established to help them prepare for, and respond to, cybersecurity incidents.
The new FOI provisions do not create a ‘safe harbour’ for industry, and will not exempt an entity from complying with existing legal obligations. They also will not restrict law enforcement or regulators from gathering this information by exercising their own existing powers and using it for regulatory or law enforcement purposes.
A significant feature of the Cyber Security Act is the creation of a Cyber Incident Review Board. This independent advisory body will conduct ‘no fault’, post-incident reviews of significant cybersecurity incidents, similar to the review conducted by the National Office of Cyber Security on the HWL Ebsworth cybersecurity incident. The Board will analyse vulnerabilities and the effectiveness of responses, providing recommendations to both the government and industry to enhance Australia’s cyber resilience.
The structure and functions of the Board will be modelled on similar bodies in other jurisdictions, and it will have the authority to mandate reviews and gather information about incidents.
A review by the Board will be triggered if any of the following three criteria are met in relation to an incident, or series of incidents: