Dentons US LLP

10/14/2024 | News release | Distributed by Public on 10/15/2024 04:30

Cyber Security Legislative Package: Strengthening Australia’s cyber security framework

October 14, 2024

On 9 October 2024, the Cyber Security Bill 2024 (Cyber Security Bill), the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Bill) and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (IS Bill), (together, the Cyber Security Legislative Package) were introduced into the Australian Federal Parliament. The Parliamentary Joint Committee on Intelligence and Security has commenced an inquiry into the Cyber Security Legislative Package, with submissions from government, civil society and corporate stakeholders due by 25 October 2024. If passed, these Bills will implement reforms indicated in the 2023-2030 Australian Cyber Security Strategy and the related Consultation Paper.

Key takeaways

1. As it appears likely the Cyber Security Legislative Package will have bipartisan support, organisations should take action now to prepare for the impact of these changes. For example, organisations should consider updating their cyber incident and data breach response plans to cover:

  1. the 72-hour mandatory reporting obligation for entities who make a ransomware payment in connection with a cyber security incident;
  2. guidance about the information that should be shared and how this information should be reviewed prior to disclosure in the course of providing voluntary notifications to the National Cyber Security Coordinator and mandatory notifications to the Cyber Incident Review Board; and
  3. as applicable, procedures to respond to directions from the government under its expanded intervention power under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

2. Businesses may take some comfort in the fact that they will not be exposed to investigation and enforcement by other regulators simply because the organisation complied with its mandatory ransomware payment reporting obligations under the Cyber Security Bill. Commonwealth bodies are only permitted to use and disclose mandatory ransomware payment reports made under the Cyber Security Bill for limited purposes associated with responding to the cyber security incident. These bodies are not permitted to use or disclose a ransomware payment report to assist with the investigation or enforcement of civil or regulatory action not related to the Cyber Security Bill. However, regulatory bodies will not be prevented from gathering information about cyber security incidents using their own existing powers.

3. Organisations regulated by the SOCI Act that are currently required to have a risk management program in place should start expanding their risk management programs to address the critical data storage systems that hold business critical data.

Cyber Security Bill

Summary of changes

The key features of the Cyber Security Bill include:

1. Mandatory Ransomware Reporting: the Cyber Security Bill introduces a mandatory 72-hour reporting obligation on businesses which are affected by a cyber security incident, receive a ransomware payment demand, and make a payment or give benefits in connection with the cyber security incident.

2. Limited Use Obligation: Commonwealth bodies receiving ransomware payment reports will be subject to a 'limited use obligation'. This obligation restricts the use or disclosure of ransomware reporting information to managing the incident and prevents such information being handed over to another Commonwealth body to assist its investigation or enforcement of a civil or regulatory matter not related to the Cyber Security Bill.

3. Cyber Incident Review Board: the Cyber Security Bill establishes an independent board to review significant cyber security incidents and provide recommendations.

4. Security Standards for Smart Devices: while the Cyber Security Bill does not set out technical security standards for smart devices, it provides a general rule-making power for such standards to be prescribed in regulations. Entities which intend to supply or manufacture a product to which the rule applies must comply with the prescribed security requirements.

Understanding the proposed changes and their impact

1. Mandatory Ransomware Reporting

The Cyber Security Bill imposes a mandatory reporting obligation on businesses affected by a cyber security incident. Currently, voluntary reporting mechanisms are underutilised and, as a result, ransomware and cyber extortion attacks remain significantly underreported. This obligation aims to improve the government's visibility of, and response to, ransomware incidents. Organisations must make a report within 72 hours to the Department of Home Affairs via an online portal managed by the Australian Cyber Security Centre if:

  • a cyber security incident has occurred, is occurring, or is imminent, and is expected to impact the organisation;
  • an extorting entity makes a demand on the organisation or a related third party to gain a benefit from the incident or make an impact on the organisation; and
  • the organisation, or a directly related party, makes a ransomware payment or provides a benefit in response to the demand.

Failure to comply with this reporting obligation may attract a civil penalty of AU$19,800.

Businesses should consider implementing robust incident response protocols to ensure accurate and timely reporting, should the Cyber Security Bill be enacted.

2. Limited Use Obligation

The Cyber Security Bill proposes a 'limited use obligation' whereby information collected through cyber security incident reports may only be used and disclosed for the purpose of managing the incident. Importantly, information provided under this obligation cannot be used in civil or regulatory proceedings against the entity, other than those relating to the entity contravening their ransomware payment reporting obligations. This may alleviate some concerns for businesses that such reports would be circulated among government agencies and regulators, leading to potential regulatory or legal consequences. By limiting the use of this information, the Cyber Security Bill encourages businesses to engage with the government promptly and transparently during a cyber security incident without fear of future repercussions. This in turn promotes the purpose of the Cyber Security Bill in allowing the government to gain critical insights from cyber security incidents.

However, this provision is not intended to be a 'safe harbor' and will not shield businesses from legal liability, as government agencies retain the ability to gather information by other means using their existing legal powers.

3. Cyber Incident Review Board

The Cyber Security Bill introduces an independent board modelled on similar international bodies, such as the U.S. Cyber Safety Review Board, and aims to enhance cyber resilience by conducting no-fault assessments and issuing recommendations to both the government and industry. The Cyber Incident Review Board (Board) will review incidents after the initial response mechanisms have been completed. At the conclusion of a review, the Board will issue a report detailing its findings and recommendations. The report will not assign blame or determine liability for a cyber security incident, and it will exclude personal, confidential or commercially sensitive information, as well as data that could compromise national security or international relations.

The Board will have limited information-gathering powers but will have authority to request and require relevant documents from entities, if voluntary cooperation is unsuccessful. Non-compliance with an information request may attract a civil penalty.

While the Board operates independently, the Minister for Cyber Security retains oversight of appointments, dismissals and the approval of Terms of Reference for individual reviews. However, the Board will otherwise be independent and is not subject to direction from any person or body in the performance of its functions.

4. Security Standards for Smart Devices

Under the Cyber Security Bill, the relevant Minister will have the authority to mandate security standards for internet or network connectable devices. At present, smart devices (that is, Internet of Things or IoT devices) are not subject to mandatory cyber security standards, which is concerning given that smart devices, such as smart TVs, smart watches, home assistants and baby monitors, are now common in Australian homes and businesses and play a significant role in everyday transactions, communication, work and leisure. By not prescribing technical security standards within the proposed legislation and instead authorising standards to be mandated by regulation, the Cyber Security Bill ensures that the law can keep pace with technological advancements. This agility serves to better protect Australians from cyber security threats as new risks emerge.

The Cyber Security Bill will impose a requirement on manufacturers and suppliers of smart devices to the Australian market to produce statements of compliance to confirm the smart device meets the mandated security standards. The Cyber Security Bill also establishes an enforcement and compliance regime, granting the Secretary of Home Affairs the power to issue enforcement notices to responsible entities if they fail to provide a statement of compliance or if the claims in the statement cannot be verified. Enforcement actions may include compliance notices, stop notices and recall notices.

Manufacturers and suppliers of smart devices should evaluate their current internal product audit and quality assurance processes to ensure adequate processes are in place to produce statements of compliance.

SOCI Bill

Summary of changes

The key features of the SOCI Bill include:

1. Data storage systems that hold business critical data would be regulated as critical infrastructure assets under the proposed reforms.

2. New government consequence management powers under which the government may direct an entity to take action to respond to incidents more broadly than just cyber incidents.

3. New definition of 'protected information' that includes a harms-based assessment and a non-exhaustive list of relevant information plus clarifications as to when protected information can be shared or used for other purposes.

4. New power for the regulator to issue directions to a responsible entity to address any serious deficiencies that are identified in a critical infrastructure risk management program.

Understanding the proposed changes and their impact

1. Data storage systems that hold business critical data

Under the proposed reforms, data storage systems that hold business critical data will be part of a critical infrastructure asset if:

  • a responsible entity for a critical infrastructure asset owns or operates the data storage system;
  • the data storage system is used in connection with the critical infrastructure asset;
  • the system stores or processes business critical data; and
  • the critical infrastructure asset could be impacted by a material risk of a hazard occurring to the data storage system.

In practice, this reform would mean that a broader range of assets will be regulated by the SOCI Act and therefore subject to the government assistance powers under the Act. Regulated entities should therefore consider their data storage systems in accordance with their SOCI Act obligations.

2. New government consequence management powers

If passed, the SOCI Bill will expand the current government assistance powers under the SOCI Act to apply more broadly to 'incidents' other than just 'cyber security incidents'. This expansion of assistance powers will only apply to information gathering and action directions where the incident has had, is having or is likely to have a relevant impact on one or more critical infrastructure assets. Intervention requests, however, will remain limited to cyber security incidents only.

3. New definition of 'protected information' and clarifications about permitted disclosure

The SOCI Bill proposes a new definition of 'protected information' which includes a harm-based assessment and a non-exhaustive list of 'relevant information'. The SOCI Bill authorises the use and disclosure of protected information where that use or disclosure is:

  • by a relevant entity for a purpose related to the continued operation of the relevant critical infrastructure asset, or to mitigate a risk to the availability, integrity, reliability or security of a critical infrastructure asset; and
  • for the purpose of an entity's business, professional, commercial or financial affairs, where the protected information was obtained, generated or adopted by the relevant entity for the purpose of complying with the SOCI Act.

4. New power for the regulator to issue directions

Amendments proposed under Schedule 4 of the SOCI Bill address gaps in the powers available to regulators to enforce critical infrastructure risk management obligations. This new power allows the regulator to direct responsible entities of relevant critical infrastructure assets to address any serious deficiencies in their critical infrastructure risk management programs, and aims to assist the integration of preparation, prevention and mitigation activities into the day-to-day business of regulated entities. Failure to comply with such a direction from the regulator could attract civil penalties of AU$82,500.

IS Bill

The IS Bill would amend the Intelligence Services Act 2001 (Cth) to legislate a limited use obligation to protect the information voluntarily provided to, or acquired or prepared by, the Australian Signals Directorate during an impacted entity's engagement on a cyber security incident. The information protected by this obligation, referred to as 'limited cyber security information', complements the 'limited use' obligation applicable to the National Cyber Security Coordinator under the Cyber Security Bill.

Next steps to ensure compliance

Organisations should monitor the progress of the Cyber Security Legislative Package and, in the meantime, proactively update their cyber incident response plans and processes to ensure the continued compliance of their operations.

Organisations regulated by the SOCI Act that are currently required to have a risk management program in place should start expanding their risk management programs to address the critical data storage systems that hold business critical data.