Out-Law Analysis

Australia’s new Cyber Security Act: what businesses need to know


Australia has its first standalone Cyber Security Act.

The legislation, which has now received Royal Assent, forms part of Australia’s cybersecurity law package 2024 and imposes new obligations on businesses. Businesses must now prepare to meet those obligations by building their understanding of the new measures introduced, such as security standards for smart devices, rules on the reporting of ransomware payments, and new procedures and mechanisms for cyber incident response, and of how these measures will affect their organisation.


Hear Mike Harvey and Veronica Scott discuss this story on The Pinsent Masons podcast here or wherever you get your podcasts.


Overview of key measures 

The objective of the Cyber Security Act is to provide a clearer legislative framework to address contemporary, whole-of-economy, cybersecurity issues, positioning the Australian government to identify and respond to new and emerging cybersecurity threats. The Act comprises four parts which: 

  • create a framework for the government to establish mandatory security standards for consumer smart or IoT devices; 
  • introduce mandatory reporting of ransomware payments: private sector entities subject to certain thresholds and those responsible for critical infrastructure assets must report ransomware payment to the Department of Home Affairs; 
  • establish limitations on cyber incident sharing: there will be a ‘limited use’ obligation that restricts how information provided to the National Cyber Security Coordinator (NCSC) during a cybersecurity incident can be used and shared with other government agencies, including regulators; and  
  • establish the Cyber Incident Review Board: this will be an independent advisory body that can conduct ‘no fault’ post incident reviews of significant cybersecurity incidents. 

Security standards for smart devices 

Smart devices or Internet of Things (IoT) devices are defined in the Act as ‘relevant connectable products’ (products). The Act mandates the implementation of security standards for these products, which will be specified in rules to be developed by the government minister administering the Act. Those rules may apply to all products, or be limited to a subset, type, or class of product. The obligations in the standards would come into force within 12 months, which is December 2025, though the Act includes a mechanism to enable the obligations to come into force sooner.

Manufacturers and suppliers of the products will be required to ensure that their products comply with the security standards if they are aware, or could reasonably be expected to be aware, that the products will be acquired in Australia.

The rules-based model aims to enable a flexible approach, allowing the government to adapt the regulations to evolving technology and respond to emerging cybersecurity threats by updating the standards as needed. 

While the specific scope and application of the standards will be detailed in the rules, the government’s earlier consultation on the reforms proposed in Australia’s 2023-2030 cybersecurity strategy offers some clues as to which products the rules will focus on: these will largely be consumer products such as home security cameras, smartphone-controlled appliances, and baby monitors.

According to the explanatory memorandum published with the Bill, the rules-based approach will enable Australia to align with existing international standards, such as the UK’s approach in the Product Security and Telecommunications Infrastructure Act 2022, which covers, for example, unique password requirements, security update information, a statement of compliance regime and risk assessment requirements for manufacturers. This will ensure Australia remains in step with international markets, help protect Australians from cybersecurity vulnerabilities via compromised or exploited smart devices, and reduce the burden on industry operating across jurisdictions.

Enforcement and compliance regime

The Act establishes an enforcement and compliance regime that will apply to the new standards, giving the secretary of home affairs the authority to issue notices to entities, including: 

  • compliance notices, to require the recipient to take specified steps or actions to address an identified issue of non-compliance;
  • stop notices, to require the recipient to stop or refrain from performing a particular action; and
  • recall notices, to require the recipient to take specified steps to arrange for the return of the product to the entities or the manufacturer.

Key impacts

To prepare for these changes, entities will need to:

  • understand how the obligations will apply to them: they should identify which consumer smart devices across their supply chain could be a product within scope of the new standards, and how (whether through their production, supply or use); assess whether these products meet current relevant international security standards, such as ETSI EN 303 645 (Europe) and the UK PSTI Act; and determine what gaps may need to be addressed to prepare to comply with the obligations in the standards;
  • establish internal monitoring processes: they should consider what internal processes they have for monitoring product compliance with security standards and whether they need to be uplifted to comply and respond to any compliance notice that could be issued. This includes having clear protocols for regular audits and checks and accountability for these steps and outcomes; and
  • engage with reforms: they should stay informed about the development of the specific rules and the products they apply to so they can adapt to meet new requirements promptly.

Mandatory reporting for ransomware payments

The Act introduces mandatory reporting obligations for entities affected by cyber incidents involving ransomware or extortion payments, to enhance threat intelligence and response. It does not prohibit the payment of a demand but rather imposes reporting obligations if a payment is made.

The reporting obligations will come into force within six months of the Cyber Security Act receiving Royal Assent, though there is also a mechanism to enable the obligations to come into force sooner.

Thresholds for reporting

Reporting is required when:

  • a cybersecurity incident, as defined in the Act, has occurred, is occurring, or is imminent and has had, is having, or could reasonably be expected to have, a direct or indirect impact on a 'reporting business entity';
  • an extorting entity makes a demand of the reporting business entity, or a third party, directly related to the incident impacting them, in order to benefit from the incident or its impact; and 
  • the reporting business entity provides, or is aware that another entity directly related to it has provided, a payment or benefit to the extorting entity that is directly related to the demand. 

The obligation applies to private sector entities carrying on a business in Australia, with an annual turnover equal to or greater than the amount prescribed by rules that will be made. The explanatory memorandum indicates the threshold is likely to be at least AUD$3 million (US$1.94m), which aligns with the small business exemption threshold in the Privacy Act 1988 (Cth). 

The obligations will also apply to entities responsible for critical infrastructure assets that are already regulated under the Security of Critical Infrastructure (SOCI) Act (Cth). 

Timing and method of reporting

Reports must be made to the Department of Home Affairs within 72 hours of making a payment or becoming aware of such a payment, through a portal available on cyber.gov.au that will be administered by the Australian Cyber Security Centre (ACSC). 

Critical infrastructure asset owners and operators with mandatory cyber security incident reporting obligations under Part 2B of the SOCI Act already have reporting obligations to the ACSC through the existing ‘Report’ portal and they should be familiar with these similar reporting processes. 

Enforcement and compliance

Failure to comply with these reporting obligations may result in civil penalties of 60 penalty units, currently worth AUD$18,780 (US$12,169).

Where the information in a ransomware payment report is provided to a designated Commonwealth body, to safeguard the confidentiality of the reporting entities, it can only be used for purposes outlined in the Cyber Security Act, including to: 

  • help the reporting entity and others involved to respond to, mitigate, or resolve the cyber security incident; 
  • perform functions or exercise powers under the relevant parts of the Act, including those of Commonwealth and State bodies and the NCSC dealing with cyber incidents, such as enforcing the obligations in the Act; and 
  • issue legal proceedings relating to the provision of false or misleading information to a Commonwealth entity or obstructing a Commonwealth public official.

Limitation on use of reported information

The Act restricts Commonwealth and State agencies from using the information in a ransomware payment report to investigate or litigate civil claims or enforce penalties or sanctions, except for criminal offences. This protects reporting entities against their report being used against them in civil or regulatory actions, although it can still be used as evidence in criminal cases.  

Existing mechanisms enforcing regulatory obligations that apply to cyber incident and data breach reporting will remain in place, such as the notifiable data breach scheme in the Privacy Act. The reporting will also interact with other ‘limited use’ provisions that will be introduced, as explained below. 

Key impacts

To prepare for these new reporting obligations, entities will need to review, with their boards, their policy on payment of ransomware and other cyber extortion demands and consider their:

  • cyber risk posture: to ensure their cyber risk posture and incident response plans specifically address responses to ransomware and cyber extortion demands, noting the Cyber Security Act does not prohibit ransomware payments; and
  • incident response structure: to structure incident response plans so they include a clear escalation and decision-making process for handling ransomware and cyber extortion demands to help track and manage decision making processes and notification obligations as part of their incident response. This should include tracking the release of guidance and resources by the government to inform the development of these plans and keeping up to date with regulator expectations – for example, the ‘Ransomware Playbook’ recently released by the Australian Signals Directorate (ASD). 

Other measures in the Cyber Security Act – response improvement 

The Act also introduces additional measures aimed at the government better understanding, informing, and improving responses to cybersecurity incidents.

Limited use provisions 

The limited use obligation on cyber incident information restricts how cyber incident information provided to the NCSC or the ASD voluntarily during a cyber incident can be shared with other government agencies, including regulators.

This restriction aims to encourage timely and transparent reporting by providing assurances to entities on how reported information can be used. These provisions intersect with the amendments that will be made by another part of the cybersecurity law package 2024 – the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (ISOLA Act).

The ISOLA Act aims to legislate a limited use obligation on the ASD to protect the information voluntarily provided to, or acquired or prepared by, the ASD during a cyber security incident. This means that the ASD can only disclose this information for a permitted cybersecurity purpose, and recipients can only use that information for a permitted cybersecurity purpose.

Permitted cybersecurity purposes include, but are not limited to: the performance of the ASD’s functions under the ISOLA Act; informing the minister of a cybersecurity incident that may potentially occur; the performance of a Commonwealth or State body’s functions in responding to, mitigating or resolving the cybersecurity incident; or the performance of the National Cyber Security Coordinator’s functions under Part 4 of the Cyber Security Act 2024.

This obligation is intended to complement the ‘limited use’ obligation applicable to the National Cyber Security Coordinator Act 2024.

The ISOLA Act also amends the Freedom of Information Act 1982 (Cth) to include an exemption from freedom of information (FOI) requests for a document given to, or received by, the National Cyber Security Coordinator for the purposes set out under Part 4 of the Cyber Security Act 2024. That measure is intended to provide industry with the assurance that they can engage with and provide information to the various agencies the government has established to help them prepare for, and respond to, cybersecurity incidents. 

The new FOI provisions do not create a ‘safe harbour’ for industry, and will not exempt an entity from complying with existing legal obligations. They also will not restrict law enforcement or regulators from gathering this information through exercising their own existing powers and using it for regulatory or law enforcement purposes.

Cyber Incident Review Board 

A significant feature of the Cyber Security Act is the creation of a Cyber Incident Review Board. This independent advisory body will conduct ‘no fault’, post-incident reviews of significant cybersecurity incidents, similar to the review conducted by the National Office of Cyber Security on the HWL Ebsworth cybersecurity incident. The Board will analyse vulnerabilities and the effectiveness of responses, providing recommendations to both the government and industry to enhance Australia’s cyber resilience.

The structure and functions of the Board will be modelled on similar bodies in other jurisdictions, and it will have the authority to mandate reviews and gather information about incidents. 

A review by the Board will be triggered if any of the following three criteria are met in relation to an incident, or series of incidents:

  • it has significantly harmed, or is likely to significantly harm, the social or economic stability of Australia or its citizens, the defence of Australia, or national security; 
  • it involved innovative or complex methods or technologies and conducting a review would lead to insights and recommendations that could greatly enhance Australia’s cyber resilience; 
  • it raises serious concerns for the Australian public: the explanatory memorandum states that “the extraordinary threshold of the review denotes the significance of the review and the incident subject to the review” and provides the example of the Optus data breaches.