With the release of the 2023-2030 Australian Cyber Security Strategy in November 2023, the Australian Government confirmed its plans to strengthen cyber security requirements across all sectors of the Australian economy and to improve coordination between industry and government on threat detection and incident response.
The Cyber Security Bill 2024 (the Cyber Security Bill) and the related Intelligence and Other Legislation Amendment (Cyber Security) Bill 2024 (together, the Cyber Security Reforms) take the next step in this process by introducing a package of targeted reforms that:
- require organisations to:
- notify the Government within 72 hours of acquiescing to a cyber extortion demand (eg by paying a ransom); and
- ensure that smart devices (and other Internet- or network-connectable devices) comply with minimum cyber security standards;
- introduce new safeguards to encourage organisations to voluntarily cooperate and share information with:
- the Australian Signals Directorate (ASD), which is the lead technical authority responsible for providing cyber security advice and assistance to Australian Government departments, businesses and individuals; and
- the National Cyber Security Coordinator (NCSC), whose role is to co-ordinate the whole-of-Government response for cyber security incidents of national significance; and
- establish a new independent advisory body called the Cyber Incident Review Board (CIRB) that will conduct no-fault post-incident reviews of novel or nationally significant cyber security incidents.
The Cyber Security Bill is also structured to have extra-territorial application, which gives it important implications for multinational corporate groups, foreign businesses operating in Australia, and Australian organisations utilising offshore technology services.
While the Cyber Security Bill will form Australia’s first piece of standalone cyber security legislation if passed, the new measures it implements are designed to build on and work together with (rather than displace) the existing regulatory regimes that form Australia’s legislative framework for cyber security.
This article explores these new measures and considers the targeted uplifts that your organisation can make to its existing policies and procedures to prepare for these changes.
Voluntary co-operation with the ASD and the NCSC – Limited Use Protections
The ASD (which houses the Australian Cyber Security Centre (ACSC)) is Australia’s lead technical authority in providing cyber security advice and assistance.
The ASD works closely with industry to prevent, detect and respond to cyber security incidents, including by:
- providing advance warning of potential threats;
- receiving reports of cyber attacks through the ACSC’s online reporting portal and the Australian Cyber Security Hotline;
- providing technical incident management advice and assistance to entities affected by a cyber security incident; and
- mitigating harms in early stages of cyber incidents through aggregating information derived from diverse sources.
The Cyber Security Reforms will introduce certain safeguards (the Limited Use Protections) that apply to information which organisations voluntarily share with the ASD (or permit the ASD to generate or collect from third party sources) in connection with cyber security incidents.
| Safeguard | Summary |
|---|---|
| Restrictions on disclosure | ASD may only disclose the information to third parties for certain permitted purposes, which generally include: assisting the impacted organisation with the incident response; liaising with other Commonwealth and State / Territory bodies on the incident response; and performing the ASD's other functions. |
| Prohibition on use for regulatory investigations or enforcement | The information cannot be shared (or used) to investigate or enforce a contravention of laws by the impacted entity, other than criminal offences. |
| Bar on admissibility in proceedings | With limited exceptions, the information is not admissible in most types of civil and criminal proceedings (including civil penalty proceedings) against the organisation that provided the information. |
| Preservation of legal professional privilege | With limited exceptions, the provision of the information does not otherwise affect a claim of legal professional privilege that anyone may make in any of the specified proceedings. |
The Cyber Security Reforms also establish similar protections to facilitate information sharing in other areas of the new cyber security ecosystem, such as where an organisation:
- voluntarily shares information with the NCSC in the event of significant (or potentially significant) cyber security incidents;
- submits a ransomware payment report under the new mandatory reporting scheme; or
- provides information to the new Cyber Incident Review Board.
In the context of the ASD, the Limited Use Protections are intended to combat a recent decline in the quality, quantity and timeliness of proactive engagement with ASD, and provide organisations with greater confidence to engage the ASD early and openly during the incident response process. They also complement the ASD’s existing exemptions under the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth).
However, they do not constitute a comprehensive “safe harbour” mechanism that fully shields the impacted organisation from regulatory enforcement action or other legal liability. Importantly, they do not preclude law enforcement or regulators from obtaining the same information using their own existing powers (including compulsory information gathering powers).
Rather, they seek to reinforce that the ASD’s role (which focuses on providing technical advice and assistance) is structurally separate from the investigation and enforcement functions of other Commonwealth, State and Territory agencies. As noted in the explanatory memorandum, “ASD does not have a function to assist in the investigation or enforcement of any regulatory action.”
How to prepare
Assuming that the Cyber Security Reforms are implemented in the form currently proposed, organisations may wish to consider updating their information sharing posture and incident response plans to account for the ASD’s unique role, and to prioritise the establishment of clear and open lines of communication with the ASD early on during the incident response. In addition, given the steps taken to reassure organisations about the safety of sharing information with the ASD, we expect that regulators and enforcement agencies will expect organisations to engage early and openly with the ASD as part of their incident response.
Ransomware (and other cyber extortion) payments
The Cyber Security Bill will introduce ransomware payment notification obligations for:
- private sector entities that carry on business in Australia which meet an annual turnover threshold (which will be confirmed later, but is expected to be $3 million); and
- “responsible entities” for critical infrastructure assets that are required to notify the ASD of cyber security incidents under Part 2B of the Security of Critical Infrastructure Act 2018 (SoCI Act).
Organisations captured by this new scheme must notify the ASD (or such other Government agency specified in the rules) within 72 hours of:
- providing a payment or benefit that is directly related to the cyber extortion demand; or
- becoming aware that another party (for example, the organisation’s cyber security advisor, insurer or cloud service provider) has done so on the organisation’s behalf.
The obligation to notify is only triggered at the time when the payment or benefit is provided (and not when the demand is received). However, in many cases, the organisation will already be in contact with the ASD during the early stages of a cyber-attack due to the ASD’s functions in receiving cyber-attack reports and providing technical advice and threat intelligence.
The receipt of a cyber extortion demand (and the subsequent investigation of and remediation of the cyber-attack) may also trigger notification obligations under other regulatory schemes, such as the Privacy Act 1988 (Cth) and Part 2B of the SoCI Act.
The notice to the ASD (or other specified agency) must be given in a form prescribed by the rules and must include the following information:
- the contact and business details of the entity that made the payment (whether this is the organisation itself, or the third party that acted on the organisation’s behalf);
- details of the cyber security incident, including its impact on the entity;
- details of the demand made by the threat actor;
- details of the ransomware payment;
- details of any communications with the extorting entity relating to the incident, the demand and the payment; and
- any other details required by the rules.
Failure to comply may result in a civil penalty of up to $93,900 for bodies corporate (based on current civil penalty rates).
Ransomware reports are protected by limited use protections that are largely similar to those that apply to other information which is voluntarily provided to the ASD (as described above).
While the legislation uses the term “ransomware payment”, the relevant provisions are drafted broadly and are not limited to traditional “ransomware” attacks (where the attacker obtains unauthorised access to the organisation’s systems and installs malware that locks / encrypts the organisation’s data until a ransom is paid). The scheme applies to any scenario where an organisation is impacted by a cyber-attack and the attacker is leveraging the incident to make a demand for payment or other benefit. This includes where:
- the organisation is impacted by an attack on a third party (such as the organisation’s cloud service provider);
- the demand is made by an entity other than the attacker;
- the benefit demanded by the attacker is non-monetary; or
- the attacker has obtained information via mere interception and there has been no direct access to the organisation’s computer or computer systems.
How to prepare
Organisations should ensure that their cyber risk posture and incident response plans clearly address how the organisation will respond to ransomware and other cyber extortion demands. As the Cyber Security Bill does not prohibit the payment of ransoms, Australian organisations will continue to grapple with the difficult choices presented by a cyber extortion demand.
Organisations can consider structuring their incident response plans to include a specific escalation and decision-making process that applies when a cyber extortion demand is received. This will help to ensure that the organisation’s decision-making process (and any associated notification obligations) can be tracked and managed as a discrete workstream within the broader incident response procedure.
The release of the Cyber Security Bill has also been accompanied by the publication of various additional resources to support businesses in planning for ransomware and other cyber extortion threats, such as the Government’s recently launched Ransomware Playbook.
Cyber security standards for smart devices
The Minister for Cyber Security will receive the power to set minimum security standards for:
- internet-connectable products, which are devices that can connect to, and send and receive data over, the internet (eg, laptops and phones); or
- network-connectable products, which are devices that cannot directly connect to the internet but are able to connect to an internet-connectable product (eg, over a Bluetooth connection, as with some vehicles and home assistants).
While these definitions give the Minister scope to regulate a broad range of products, the rules are initially expected to focus on Internet-of-Things (IoT) / smart devices such as security cameras, home assistant devices, sensors, appliances and motor vehicles.
Where a security standard is specified, manufacturers and suppliers must ensure that each device complies with those standards and is supplied together with a statement of compliance that contains certain prescribed information. The standards are expected to leverage and align with international standards where possible.
“Manufacturer” has the same meaning as in the Australian Consumer Law and will include an entity that imports the device into Australia if the manufacturer does not have a place of business in Australia.
There are no civil penalties for non-compliance, but the Secretary of Home Affairs will have the ability to issue various types of enforcement notices to manufacturers and suppliers, including notices requiring a mandatory recall of the non-compliant products from sale in Australia.
How to prepare
Manufacturers and suppliers of smart devices should monitor the passage of the Cyber Security Bill and consider whether the terms of their existing manufacturing and supply contracts that deal with product liability and certification requirements need to be updated to account for this new regime.
Organisations that deploy IoT / smart devices (but which are not involved in the supply chain) will not have direct obligations under the regime. However, they should still be aware of the new requirements and should update their sourcing, procurement and risk management frameworks to ensure that only compliant devices are purchased and used.
The use of non-compliant devices (which, by definition, do not meet the minimum security requirements mandated by the Government) is likely to breach the organisation’s cyber security obligations under legislation (such as privacy laws), contract and the common law. The cost and disruption of replacing non-compliant devices may be significant, particularly given that many IoT use cases involve the deployment of a significant number of devices.
Cyber security incidents of national significance
New measures will be introduced to strengthen Australia’s capacity to respond to cyber security incidents of national significance (referred to as “significant cyber security incidents” in the legislation).
These are any cyber security incidents where there is a material risk that the incident could reasonably be expected to:
- seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or Australia’s national security; or
- otherwise be “of serious concern to the Australian people”.
The explanatory memorandum provides the 2022 and 2023 Optus data breaches as examples of incidents that would be “of serious concern” to the Australian people due to the volume of personal information that was compromised.
NCSC’s role in leading the incident response
In the event of a significant cyber security incident, the Cyber Security Bill confirms the NCSC’s role in leading the whole-of-Government response, including by coordinating and triaging the actions taken to contain and respond to the incident.
This role reflects the NCSC’s functions in supporting the Minister for Cyber Security to coordinate national cyber security policy, responses to major cyber incidents, whole of government cyber incident preparedness efforts and strengthening Commonwealth cyber security capability.
The Cyber Security Reforms do not provide the NCSC with any new compulsory information gathering powers.
However, the Cyber Security Reforms do introduce limited protections for entities who choose to voluntarily provide information to the NCSC (including the National Office of Cyber Security (NOCS) and the Cyber Security Response Coordination Unit, which support the NCSC). This includes information that is provided voluntarily on the entity’s own initiative, or in response to a request from the NCSC.
Any such voluntarily-provided information will be subject to the limited use protections discussed above. The Bill also includes provisions to confirm that these protections will apply to information provided to the NCSC even if it subsequently turns out that the incident did not meet the severity threshold for a “significant cyber security incident” (given that this may not always be clear at the outset of an incident).
Cyber Incident Review Board’s role in post-incident review
The Cyber Incident Review Board will be established as an advisory body to conduct no-fault, post-incident reviews of nationally-significant or novel cyber security incidents that are referred to it by:
- the Minister for Cyber Security;
- the NCSC;
- an entity impacted by the incident; or
- a member of the Board (the Board will consist of a Chair and up to 6 other standing members).
The Board is independent of Government and will have complete discretion in the performance of its functions. The Cyber Security Bill provides the Board with various compulsory and non-compulsory information gathering powers.
Following the review, the Board will publish its findings and make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of cyber security incidents of a similar nature in the future.
Given the advisory nature of the Board:
- information provided to the Board is protected by limited use protections, and cannot be used to assist an investigation or enforcement of a breach of any laws by the entity that provided it (other than criminal offences or a breach of Part 5 of the Cyber Security Bill, which establishes the Board);
- the Board is required to redact certain types of sensitive information from its final report; and
- the Board is prohibited from using the final report to apportion blame, provide a means for determining liability, or drawing adverse inferences from the fact that an entity is the subject of the review.
However, the Bill contemplates that information published in the Board’s final report may still be used by other parties (other than the Board) as the basis for inferring blame or liability or drawing adverse inferences.
Next steps
As at the date of this article, the Cyber Security Reforms are before the Parliamentary Joint Committee on Intelligence and Security for inquiry and report. Public submissions on the draft legislation close on Friday, 25 October 2024.
The Cyber Security Reforms follow on from other related initiatives, including reforms to Australia’s privacy laws, consultation on a new artificial intelligence regulatory framework, the introduction of legislation for Australia’s new Digital ID system, and reforms to the Security of Critical Infrastructure Act 2018.
The release of the Cyber Security Reforms package provides an opportunity for organisations to revisit their cyber security and incident response processes with a clearer understanding of what Australia’s new whole-of-nation cyber security ecosystem will look like. It may also require an uplift to the organisation’s sourcing, procurement and vendor governance models, and a recalibration of the organisation’s information sharing posture.
The implications of the Cyber Security Bill (once enacted) become clearer when these new measures are viewed together with legislative reforms that are being made in other areas (such as reforms to increase enforcement powers and penalties under regulatory regimes such as the Privacy Act) and the increased focus on cyber security issues by regulators including ASIC, APRA and the ACCC.
One clear implication is that organisations will need to start prioritising participation in Australia’s broader cyber security ecosystem. The risks associated with maintaining a siloed, closed and low-engagement stance are now greater than ever.
This article was written by Matthew Craven, Partner, Tim Lee, Special Counsel, and Kimberly Chen, Solicitor.