Australia’s already complex regulatory framework for cyber security risk management is set to be further complicated by an additional regulatory layer with the Australian Government’s proposed Cyber Security Bill 2024 (Bill). In rationalising the purpose of the Bill, Minister for Cyber Security, Tony Burke, has stated (in his second reading speech):
“We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward. The Cyber Security Bill provides this framework under one holistic piece of legislation.”
The Bill proposes to introduce two new substantive obligations for businesses operating in Australia, as well as introducing a range of administrative reforms and a new government body. At a high level, the Bill comprises the following:
A mandatory requirement for a ‘reporting business entity’ to notify the Department of Home Affairs and the Australian Signals Directorate (ASD ) if it pays a ransom to a cyber threat actor within 72 hours of making the payment.
‘Limited use’ obligations that restrict how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be shared with and used by other Australian Government entities, including regulators.
A requirement for manufacturers and suppliers of internet connected devices to comply with cyber security standards as determined by the Australian Government from time to time.
Establishment of a Cyber Incident Review Board, to investigate significant cyber incidents.
Much of the detail of these reforms has been left to be later prescribed in the rules, but here’s what we know so far.
Mandatory Ransomware Reporting
The Bill mandates a requirement on certain ‘reporting business entities’ to report to the Department of Home Affairs and the Australian Signals Directorate when they pay a ransom (or give some other benefit) in connection with a cyber security incident. A ‘reporting entity’ is any entity carrying on business in Australia, except for those that fall below the revenue threshold (this amount will be set out in the rules and so it is not yet known). Regardless of revenue, the obligation will also apply to any responsible entity for a critical infrastructure asset, pursuant to the Security of Critical Infrastructure Act 2018 (Cth), which pays a ransom or gives a benefit.
Where a reporting entity pays a ransom or gives a benefit, it must report that fact within 72 hours of the payment being made. Reports will be made to the Department of Home Affairs through a portal available on cyber.gov.au , which is administered by ASD's Australian Cyber Security Centre.
The report must include details of the payment made, any third parties involved in the payment, the security incident which gave rise to the payment and details of the demand and other communications with the cyber threat actor. Failure to provide a report may result in a civil penalty and fines may apply (up to a maximum of $99,000 for a corporate under the new penalty unit which recently passed Parliament).
The Bill does not purport to provide any clarity to businesses as to the legality of the payment of a ransomware demand, so the law in this area remains the same.
'Limited use’ restrictions
In a move that is designed to give comfort to businesses, the Bill expressly sets out the purposes for which the Department of Home Affairs (which encompasses the National Cyber Security Coordinator and the National Office of Cyber Security) and the ASD may (and importantly, may not) use information contained in a ransomware report. Among other purposes, the permitted purposes include:
Assisting the reporting entity to respond to, mitigate or resolve the cyber security incident.
Responding to and performing government functions in relation to other cyber security incidents.
Intelligence functions.
Full details of the permitted purposes are set out in section 29 of the Bill.
Importantly, section 29(2) expressly prohibits the information in the report from being used against the reporting entity to investigate or enforce any contravention of Commonwealth, State or Territory civil or regulatory laws. The information can still be used to investigate a possible criminal offence which may have been committed by the reporting entity, however, the report itself will not be admissible as evidence (except where the trial is for the offences of providing false or misleading information to a government agency or for obstructing government officials).
In addition to the mandatory reporting of ransom payments, the Bill also contemplates the voluntary provision of information relating to significant cyber security incidents. If an entity provides such information, either at the request of the National Cyber Security Coordinator, or on its own initiative, that information will similarly only be used for narrow purposes and will not be used to investigate or enforce any contravention of Commonwealth, State or Territory civil or regulatory laws. The information will not be admissible as evidence against the entity which provided it (subject to the same exceptions mentioned above).
Another piece in the reporting puzzle
Australia already has a complex and overlapping landscape when it comes to reporting cyber security incidents. Depending on the type of incident or the entity that is affected, there are several reporting obligations which already exist, all with varying timeframes and information requirements. Rather than harmonising these existing obligations, the Bill adds another layer to these obligations. The table below sets out some of these:
Regulation | Application | Trigger | Agency | Timeframe |
---|---|---|---|---|
Cyber Security Bill (if passed) | Businesses operating in Australia (revenue threshold to be confirmed). | Payment of a ransom or provision of some other benefit in relation to a cyber security incident. | Department of Home Affairs and ASD | 72 hours |
Privacy Act 1988 (Cth) | Commonwealth Agencies and businesses with an Australian presence (other than small businesses). | Unauthorised access or disclosure of personal information, or loss of personal information which is likely to lead to access or disclosure.The access or disclosure is reasonably likely to result in serious harm to any individuals to which the information relates. | Office of Australian Information Commissioner | As soon as practicable from awareness. Entities have no more than 30 days to conduct an assessment upon forming a suspicion that an incident has occurred.Privacy Act Review Report recommenda-tions, however, propose 72 hours from awareness. |
ASX Listing Rules | Entities listed on the Australian Stock Exchange. | Continuous disclosure obligations require entities to notify ASX and the market upon becoming aware of information about itself that a reasonable person would expect to have a material effect on the price or value of the entity’s securities. | ASX | Immediately |
Security of Critical Infrastructure Act 2018 (Cth) | Responsible entities for critical infrastructure assets. | Cyber security incidents which have a significant impact on the availability of a critical infrastructure asset. | Australian Signals Directorate | 12 hours |
Security of Critical Infrastructure Act 2018 (Cth) | Responsible entities for critical infrastructure assets. | Other cyber security incidents having an impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset. | Australian Signals Directorate | 72 hours |
Privacy and Personal Information Protection Act 1998 (NSW) | NSW Government agencies | Arises in similar circumstances as the obligation under the Privacy Act. | Information and Privacy Commission (NSW) | Immediately |
CPS 234 | APRA-regulated entities (including banks, insurers, superannuation trustees). | An information security incident that materially affects, financially or non-financially, the entity or the interests of its clients. Or an incident which is notified to any other regulator in Australia or overseas. | Australian Prudential Regulation Authority | 72 hours |
Regulation
Application
Trigger
Agency
Timeframe
Cyber Security Bill (if passed)
Businesses operating in Australia (revenue threshold to be confirmed).
Payment of a ransom or provision of some other benefit in relation to a cyber security incident.
Department of Home Affairs and ASD
72 hours
Privacy Act 1988 (Cth)
Commonwealth Agencies and businesses with an Australian presence (other than small businesses).
Unauthorised access or disclosure of personal information, or loss of personal information which is likely to lead to access or disclosure.
The access or disclosure is reasonably likely to result in serious harm to any individuals to which the information relates.
Office of Australian Information Commissioner
As soon as practicable from awareness. Entities have no more than 30 days to conduct an assessment upon forming a suspicion that an incident has occurred.
Privacy Act Review Report recommenda-tions, however, propose 72 hours from awareness.
ASX Listing Rules
Entities listed on the Australian Stock Exchange.
Continuous disclosure obligations require entities to notify ASX and the market upon becoming aware of information about itself that a reasonable person would expect to have a material effect on the price or value of the entity’s securities.
ASX
Immediately
Security of Critical Infrastructure Act 2018 (Cth)
Responsible entities for critical infrastructure assets.
Cyber security incidents which have a significant impact on the availability of a critical infrastructure asset.
Australian Signals Directorate
12 hours
Security of Critical Infrastructure Act 2018 (Cth)
Responsible entities for critical infrastructure assets.
Other cyber security incidents having an impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
Australian Signals Directorate
72 hours
Privacy and Personal Information Protection Act 1998 (NSW)
NSW Government agencies
Arises in similar circumstances as the obligation under the Privacy Act.
Information and Privacy Commission (NSW)
Immediately
CPS 234
APRA-regulated entities (including banks, insurers, superannuation trustees).
An information security incident that materially affects, financially or non-financially, the entity or the interests of its clients. Or an incident which is notified to any other regulator in Australia or overseas.
Australian Prudential Regulation Authority
72 hours
Connected Device Standards
Part 2 of the Act deals with compliance with security standards. Any manufacturer or supplier of ‘relevant connectable products’ will be required to ensure that those devices comply with applicable security standards, which the Australian Government can specify in the rules. This allows the requirements to be updated as new standards emerge. When supplying the products, the manufacturer or supplier must also provide written confirmation of the products’ compliance with the applicable standards.
The new requirements will apply to ‘relevant connectable products’, which is defined to mean either:
A product that is capable of connecting to the internet using the internet protocol (IP)
A product that can otherwise send or receive data by means of electrical or electromagnetic transmission.
The rules may exclude products or classes of products from the application of this requirement. This definition is broad, and will capture any product which is capable of connecting to the internet, whether wirelessly or not and including where it connects through a separate device. It appears that the definition is intended to capture all smart or IoT devices, including smart watches, televisions, speakers and door bells (just to name a few).
The term ‘relevant connectable products’ is defined in the same terms as apply under the United Kingdom’s Product Safety and Telecommunications Infrastructure Act 2022 . In the explanatory memorandum, the government states its ambition that this will reduce the regulatory burden on global manufacturers and suppliers of such products. It remains to be seen whether suppliers and manufacturers will be required to meet the same standards as under the UK laws.
If suppliers or manufacturers fail to comply with the relevant standards or provide the statement of compliance, there are a range of enforcement steps which the government can take. These range from issuing a compliance notice requiring the supplier or manufacturer to demonstrate its compliance with the rules, through to forcing the supplier or manufacturer to issue a recall of products that do not meet the applicable standard.
Cyber Incident Review Board (CIRB)
The legislation also establishes a new body to be known as the cyber incident review board. The CIRB will be required to conduct reviews into cyber security incidents which:
Posed (or could have posed) a serious risk to Australia’s security or social or economic security.
Was a novel or complex incident, for which a review would assist Australia’s preparedness for similar attacks.
Is (or could have been) of serious concern to the Australian people.
The purpose of the CIRB review is to identify factors that contributed to an incident and then make recommendations to the Australian Government and industry about actions that could be taken to prevent, detect, respond to, or minimise the impact of, similar incidents in the future. The reviews are intended to be conducted on a no fault basis, and the CIRB will not seek to apportion blame or liability in respect of incidents.
Next steps
On 10 October 2024, the Cyber Security Bill was referred to the Parliamentary Joint Committee on Intelligence and Security for consideration.
The Australian Government’s full legislative package to reform cyber security laws also included amendments to the Security of Critical Infrastructure Act 2018 (Cth). See our article which assesses those changes.