Key takeaways
The Cyber Security Bill 2024 introduces a 72-hour mandatory reporting obligation for businesses making ransomware payments, enhancing Government awareness of ransomware threats.
The Bill empowers the Government to set mandatory security standards for smart devices, addressing vulnerabilities in increasingly connected Australian households.
The Bill establishes a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator can be used.
In recent years, Australia’s national security has been threatened by several large-scale cyber security attacks. High profile data breaches, such as those suffered by Optus, Medibank and MediSecure, are increasing in frequency and sophistication and represent a significant cyber security threat to Australian businesses and citizens.
Earlier this month, the Commonwealth Government introduced the Cyber Security Bill 2024 (Cth) (the Bill) to address the current shortcomings of Australia’s cyber security framework. If passed, the Bill will enact the Cyber Security Act 2024 (Cth), which would implement some of the initiatives under the 2023 – 2030 Australian Cyber Security Strategy.
In this article, we summarise the four key measures proposed by the Bill, namely:
- the introduction of a mandatory 72-hour reporting obligation for certain entities who are affected by a cyber incident, receive a ransomware demand and elect to make a payment or give benefits in connection with that cyber security incident;
- the new powers to establish security standards for smart devices;
- the introduction of a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator (NCSC) during a cyber security incident can be used and shared with other government agencies, including regulators; and
- the establishment of a Cyber Incident Review Board (CIRB) to conduct post-incident reviews into significant cyber security incidents.
The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report. Submissions are invited by this Friday, 25 October 2024.
Mandatory reporting for ransomware and cyber extortion payments
The Bill proposes a mandatory reporting obligation for certain entities who make a ransomware payment in connection with a cyber security incident. Reporting business entities will include non-government Australian businesses with an annual turnover greater than the turnover threshold,1 and responsible entities for a critical infrastructure asset.2
The purpose of this new obligation is to give the Australian Government an enhanced understanding of the ransomware threats facing the Australian community, and to allow the Government to improve its cyber security incident response. This is in light of recent reports by the Australian Institute of Criminology indicating that only 1 in 5 victims of a ransomware attack currently report the attack.3
Reporting business entities will be required to make a report to the Department of Home Affairs (DOHA) if:
- a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
- an extorting entity makes a demand of the reporting business entity in order to benefit from the incident or its impact on the reporting business entity; and
- the reporting entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.4
Such a report must be made within 72 hours of the ransomware payment being made, or of the reporting business entity becoming aware of the payment.5 The ransomware payment report must contain:
- the contact and business details of the entity that made the payment;
- details of the cyber security incident, including its impact on the reporting business entity;
- details of the demand made by, and payment made to, the extorting entity; and
- communications with the extorting entity relating to the incident, the demand and the payment.6
Failure to meet this reporting obligation will attract a civil penalty of up to $18,780.7
New powers to establish security standards
Smart devices are becoming increasingly prevalent in Australian households, with industry forecasts estimating an average of 33.8 connected smart devices per household by 2025.8 These smart devices can be used by manufacturers to collect significant volumes of sensitive data, with or without the users’ knowledge. Despite this, smart devices are not currently subject to mandatory cyber security standards, nor are there regulations requiring built-in security features.
If passed, the Bill will give the relevant Minister new powers to mandate security standards for smart devices.9 Smart devices will be defined as products that are capable of connecting to the internet, or of otherwise sending and receiving data by means of network transmission.10 This definition is consistent with the United Kingdom’s definition, in order to reduce the burden on industries operating across both jurisdictions.11
On observation, the proposed definition for smart devices seems quite broad, and the Bill’s explanatory memorandum indicates it will capture smart TVs, smart watches, home assistants and baby monitors.12 Though not explicitly stated in the Bill or explanatory memorandum, it appears common devices such as mobile phones, tablets and computers will also be captured by the definition.13
Furthermore, the security standards introduced by the Minister can apply to all smart devices, or alternatively be limited to particular subsets.14 This approach is intended to allow the government greater flexibility in adapting to evolving technology and responding to specific threats.
The Bill will additionally require manufacturers to provide a statement of compliance for the smart devices they manufacture or supply to the Australian market. Enforcement actions will be made available to the Secretary of Home Affairs in the event a manufacturer fails to provide the statement.
Limited use obligation on cyber incident information
The Bill also seeks to encourage Australian entities to voluntarily provide information to the NCSC.15 To that end, the Bill proposes a limited use obligation that restricts how cyber security incident information voluntarily provided to the NCSC can be shared with, and used by, other Government entities.16 This obligation is intended to promote collaboration between Australian entities and the NCSC.
The limited use obligation applies to information voluntarily provided to the NCSC by an entity during a cyber security incident, in circumstances where the entity providing the information has been, is being or is likely to be impacted, directly or indirectly, by the incident. It also applies to information provided by an entity acting on behalf of the impacted entity, such as a cyber response firm.17
The NCSC will be restricted in its ability to record, use or disclose information voluntarily provided to it by Australian entities.18 Specifically, the NCSC must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the disclosing entity of a Commonwealth, state or territory law (except for those under Part 4 of the Bill, or those imposing criminal penalties).19
The limited use obligation does not displace existing cyber security incident reporting obligations under other laws.20 Importantly, it is also not intended to operate as a ‘safe harbour’ that shields a reporting business entity from legal liability. Law enforcement agencies and regulators remain free to use their existing powers to gather the same information independently and to use it for their regulatory or law enforcement purposes against the entity.21
Establishment of a Cyber Incident Review Board
Finally, the Bill proposes a Cyber Incident Review Board (CIRB) as an independent, advisory body to conduct post-incident reviews of significant cyber security incidents in Australia.22 The Minister for Cyber Security will have an oversight role in appointing the Chair and standing members of the CIRB, as well as approving Terms of Reference for individual reviews. The CIRB will otherwise be independent.
It is intended that the CIRB will review a cyber security incident only after the incident has occurred, and if it meets the following criteria:
- the incident has seriously prejudiced, or could reasonably be expected to seriously prejudice, the social or economic stability of Australia or the Australian people, the defence of Australia or national security;
- the incident involves novel or complex methods or technologies, an understanding of which will significantly improve Australia’s preparedness, resilience, or response to cyber security incidents of a similar nature; or
- the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
Reviews will be limited to individual cyber security incidents, or to a series of incidents sharing a common element or theme (for example, a common attack method). The CIRB will have limited information gathering powers to compel information from Australian entities involved in the incident under review, exercisable only where voluntary requests for information have been unsuccessful.
At the end of each review the CIRB will prepare a report. The report is to set out recommendations to government and industry on actions that could be taken to prevent, detect, respond to or minimise the impact of incidents of a similar nature in the future.
Each review will be conducted on a “no-fault” basis and will not apportion blame in relation to a cyber security incident.
1. NB: The turnover threshold has not yet been prescribed by the rules.
2. Cyber Security Bill 2024 (Cth) s 26(2); see also: Security of Critical Infrastructure Act 2018 (Cth), pt 2B.
3. Explanatory Memorandum, pg. 5.
4. Cyber Security Bill 2024 (Cth) s 26(1).
5. Cyber Security Bill 2024 (Cth) s 27(1).
6. Cyber Security Bill 2024 (Cth) s 27(2).
7. Cyber Security Bill 2024 (Cth) s 27.
8. Explanatory Memorandum, pg. 2.
9. Cyber Security Bill 2024 (Cth) s 14; NB: Smart devices are referred to as “relevant connectable products” in the Bill.
10. Cyber Security Bill 2024 (Cth) s 13.
11. Explanatory Memorandum, pg. 3; Product Security and Telecommunications Infrastructure Act 2022 (UK) s 5.
12. Explanatory Memorandum, pg. 2.
13. NB: The definition of smart devices is consistent with the current UK definition. Furthermore, the UK policy background states that smart devices may also include smartphones, smart speakers, security systems and connected alarm systems.
14. Cyber Security Bill 2024 (Cth) s 14.
15. Cyber Security Bill 2024 (Cth) s 33.
16. Cyber Security Bill 2024 (Cth) s 36.
17. Cyber Security Bill 2024 (Cth) s 36.
18. Cyber Security Bill 2024 (Cth) s 38.
19. Cyber Security Bill 2024 (Cth) s 38.
20. Explanatory Memorandum, pg. 7.
21. Explanatory Memorandum, pg. 68.
22. Cyber Security Bill 2024 (Cth) pt 5.
23. Cyber Security Bill 2024 (Cth) s 46.
24. Cyber Security Bill 2024 (Cth) s 49.