The Cyber Security Legislative Package was passed by Parliament on Monday. Announcing the passage of these legislative reforms, Minister for Cyber Security Tony Burke said they marked “an important step in bringing Australia’s cyber laws into the 21st century”, forming a “cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever changing cyber landscape”.
A recap of what the reforms cover
The Cyber Security Legislative Package was first introduced in October and consists of bills that will introduce:
Australia’s first standalone cyber security statute (the Cyber Security Act) which we covered in a recent article.
Amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) which we covered in a separate article.
Amendments to the Intelligence Services Act 2001 (Cth) (IS Act) and the Freedom of Information Act 1982 (Cth) (FOI Act) intended to give entities confidence to voluntarily share information with government during a cyber security incident, which:
Establish a limited use obligation to protect certain information voluntarily provided to, or acquired or prepared by, the Australian Signals Directorate (ASD), when an entity is engaging with it in relation to potential or actual cyber security incidents (complementing the limited use obligations that will be applicable to the National Cyber Security Coordinator under the Cyber Security Act, which we discuss here). This has been identified as critical to the ASD’s ability to perform its role, as the lead technical authority in providing cyber security advice and assistance to Australian Government departments, businesses and individuals.
Similarly, broaden exemptions under the FOI Act for information given to, or received by, the National Cyber Security Coordinator under Part 4 of the Cyber Security Act (discussed below).
What your business needs to know now
The reforms are expected to receive Royal Assent within the next couple of weeks. Some reforms will commence immediately after receiving Royal Assent, so are expected to be in effect before the end of this year. The most notable of these are:
Amendments relevant to the National Cyber Security Coordinator, under Part 4 of the Cyber Security Act, which:
Provide that entities impacted by certain cyber security events may voluntarily provide information to the National Cyber Security Coordinator.
Provide that the National Cyber Security Coordinator’s role includes leading the coordination and triaging of action in response to ‘significant cyber security incidents’, across the whole of government; and
Establish limitations on when, and for what purposes, the National Cyber Security Coordinator can record, use and disclose information provided to it voluntarily under the Act. These limitations reinforce the intention of encouraging entities to engage with the National Cyber Security Coordinator during a cyber incident, while being assured the information can only be recorded, used or disclosed in limited ways (as discussed in our recent article).
The changes to the IS Act as summarised above (some being directly relevant to the National Cyber Security Coordinator amendments).
Other immediate changes are technical, administrative or consequential in nature, such as providing for the making of rules and other processes and clarifying the operation of the new legislation or existing legislation which is impacted by it.
Preparing your business for changes in 2025
The remainder of the reforms will come into effect within the next 6 to 12 months (depending on whether dates of commencement are proclaimed). Businesses impacted by the balance of the reforms will need to start planning now for any actions required to ensure compliance. The key legislative changes set to commence next year include the following.
Within the next 6 months:
Mandatory ransomware reporting requirements, within 72 hours, for businesses that pay ransoms (or give other benefits to threat actors) in connection with cyber security incidents (as discussed in more detail here).
Increased obligations in relation to data storage systems for entities responsible for ‘critical infrastructure assets’ under the SOCI Act. As discussed in more detail in our article, these systems will need to be considered holistically, as part of a critical infrastructure entity’s SOCI Act obligations (including reporting to the Register of Critical Infrastructure Assets and covering data storage systems in Critical Infrastructure Risk Management Programs).
Expansion of the existing government assistance framework under the SOCI Act, with government having broader scope to intervene and give directions to businesses following significant incidents affecting critical infrastructure assets, even where those incidents are not cyber-related. The Cyber Security Act also establishes a new body, to be known as the Cyber Incident Review Board, to review cyber security incidents (on a no-fault basis) and make recommendations to government aimed at increasing the security and resilience of Australia’s cyber environment.
Within the next 12 months:
Requirements to comply with specified security standards for manufacturers or suppliers of certain devices (‘relevant connectable products’, including smart or IoT devices such as smart watches, televisions, speakers and doorbells) (as discussed in more detail here).
Consolidation into the SOCI Act of telecommunications sector critical infrastructure obligations that were previously incorporated into the Telecommunications Act 1997 (Cth), following industry feedback. Telecommunications sector-specific rules are expected to be developed in early 2025 through a co-design process with industry.