Cybersecurity law package 2024 passed by the Australian parliament

The measures are contained in three separate Bills– the Cyber Security Act 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act), and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 – which together make for a comprehensive package of reforms.

The package covers a wide range of initiatives, from establishing mandatory security standards for smart devices to clarifying the legal framework for critical infrastructure protection. The legislative action forms part of the 2023-2030 Australian cyber security strategy. 

The package, introduced following consultation, was introduced to Australia’s parliament on 9 October and subsequently referred to the Parliamentary Joint Committee on Intelligence and Security. Following its review, the Committee released an advisory report on 18 November recommending the passage of all three bills, which has now happened. 

Veronica Scott, a cyber and data law expert at Pinsent Masons in Melbourne, said: “A key aim of these Acts is to enhance the understanding of cyber incidents to better respond to cyber threats. These reforms mark the next step in the expanding regulatory obligations and expectations in relation to cybersecurity. Organisations must be ready not only for these immediate changes but also to continuously adapt and respond to evolving regulations over time.” 

The Cyber Security Act has four aspects: it creates a framework for the government to establish mandatory security standards for smart devices; introduces mandatory reporting of ransomware payments within 72 hours, but does not prohibit payments, with a civil penalty regime; establishes a ‘limited use’ obligation that restricts how information provided to the National Cyber Security Coordinator during a cybersecurity incident can be used and shared with other government agencies, including regulators; and establishes the Cyber Incident Review Board – an independent advisory body able to conduct ‘no fault’ post-incident reviews which meet any of the criteria of significant cybersecurity incidents.

The SOCI Amendment Act clarifies that the SOCI Act applies to data storage systems that form part of a critical infrastructure asset and establishes a more effective government assistance framework to respond to all types of incidents, not limited to cyber-related incidents. In addition, the definition of ‘protected information’ and the operation of the disclosure provisions are amended by the legislation, to allow greater cross-industry collaboration and intra-government sharing, including in response to major incidents.

The SOCI Amendment Act also empowers regulators to compel a critical infrastructure responsible entity to remedy a seriously deficient risk management program where there is a risk to national security or the defence of, or the social or economic stability of, Australia.

Further changes incorporate elements of the Telecommunications Sector Security Reforms (TSSR), including security and notification obligations, from Part 14 of the Telecommunications Act 1997 (Cth) into the SOCI Act. These obligations include enhancements to align the regulatory frameworks and clarify telecommunications-specific obligations, including through delegated legislation. Direct interest holders have also been removed from reporting obligations associated with systems of national significance in an amendment intended to reduce administrative burdens without compromising security. 

Under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 there will be a new limited-use obligation on the Australian Signals Directorate (ASD) to protect the information voluntarily provided to, or acquired or prepared by, the ASD during a cybersecurity incident. As a result, the ASD can only on-share this information for a permitted purpose and recipients can only use that information for a permitted purpose. This obligation is intended to complement the ‘limited use’ obligation applicable to the National Cyber Security Coordinator (the Coordinator) under the Cyber Security Bill 2024.

The legislation further amends the Freedom of Information Act 1982 (Cth) to include an exemption from freedom of information (FOI) requests for a document given to, or received by, the Coordinator for the purposes set out under Part 4 of the Cyber Security Act 2024. It is also intended to provide industry with the legal assurance that they can engage and provide information to the various agencies the government has established to help them prepare for, and respond to, cybersecurity incidents. However, the amendments do not create a ‘safe harbour’ for industry and will not exempt an organisation from complying with existing legal obligations. 

Scott said there are things organisations can do to prepare for the expanded cybersecurity regulations and more robust obligations in the new legislation, to enhance their overall cyber resilience and ensure compliance.

She said businesses should build their understanding of the new and amended legal obligations and their impact, and monitor for the release of new guidelines and the regulations that will be made under the new legislation, to help them better understand the requirements and align their internal policies with best practices and regulatory expectations. As an example, Scott noted the ASD had recently released its Ransomware Playbook.

Scott added that businesses should ensure their cyber risk posture and incident response plans address how they respond to ransomware and cyber extortion demands and include a clear escalation and decision-making process for handling these demands, to help meet payment reporting obligations as part of their incident response.

She also noted that while businesses can already have a range of reporting obligations following a cyber incident, including under the SOCI Act, they should expect to be asked for more potentially sensitive information and to cooperate in post-incident reviews so should consider how they will respond. But, she added, the key objective was to have comprehensive risk management plans in place that address both cyber and physical threats, regular cyber incident exercises which test the plans, and promote a culture where security is a shared responsibility across the organisation.