The Australian Government has introduced sweeping changes to strengthen the national cyber security posture through a landmark Cyber Security Legislation Package, enacted on the 25th of November. These reforms aim to protect critical infrastructure, enhance collaboration between businesses and government, and improve incident response.
These reforms were fast-tracked based on recommendations from the Parliamentary Joint Committee on Intelligence and Security (PJCIS). Key changes include mandatory reporting of ransomware payments, an amendment to government powers under the Security of Critical Infrastructure Act 2018 (SOCI Act), and new frameworks for voluntary information sharing.
New Laws Passed
- Cyber Security Act 2024: Establishes key frameworks, including mandatory ransomware reporting and voluntary information sharing.
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024: Expands critical infrastructure protections, including data storage and broader government response powers, and consolidates the existing network security and incident notification obligations from the Telecommunications Act 1997.
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024: Introduces protections for information shared during significant cyber incidents.
Key Highlight - Mandatory Ransomware Reporting
- Reporting Timeline: Organisations must report any ransomware payment to the Department of Home Affairs and ASD within 72 hours. The reporting obligation is triggered only upon payment, not upon receipt of a ransom demand or discovery of an attack.
- Who is Required to Report: This applies to critical infrastructure entities and businesses with an annual turnover above A$3 million. Penalties for non-compliance can include a fine of A$93,000 (60 civil penalty units).
- Critical Infrastructure Organisations: For organisations regulated under the SOCI Act, the government now has powers to direct an entity to pay or not to pay the ransom (Refer to 'Enhanced SOCI Act Powers').
- Legality of Paying the Ransom: The cyber security legislation package has not made paying a ransom illegal. However, the Government's policy strongly discourages paying ransoms, emphasising that payment does not guarantee data recovery or data confidentiality. Additionally, if a payment is in breach of laws outside of this package, such as sanctions laws, further investigations or enforcement actions may be taken.
Cyber Security Legislation Package - Overview
- Voluntary Information Sharing: Any organisation operating in Australia can share cyber incident data with the National Cyber Security Coordinator (NCSC). Shared information is protected from use in regulatory enforcement or litigation (except for criminal investigations). While this reporting scheme does provide organisations with greater comfort when disclosing cyber incidents, it is not a get-out-of-jail-free card: if a ransomware payment is in breach of sanctions laws, further investigation or enforcement actions may still be taken. Additionally, cyber incident notifications under the SOCI Act are not captured within the protections of this reform.
- Strengthened Internet of Things (IoT) Security: The Cyber Security Act empowers the Minister to mandate security standards for IoT devices. These standards, outlined in legislative rules, will require suppliers to provide a compliance statement for devices sold in the Australian market. This means that IoT device suppliers must ensure their products meet specified security requirements before entering the market, thereby enhancing consumer protection and reducing vulnerabilities to cyber threats. It also promotes accountability within the supply chain and drives innovation towards more secure development.
- Cyber Incident Review Board (CIRB): The CIRB is established to review major incidents and provide no-fault recommendations to prevent recurrence. The board has received powers to compel information sharing from organisations if voluntary cooperation fails.
- Enhanced SOCI Act Powers: Incident response powers have been expanded beyond cyber incidents to cover any incident affecting critical infrastructure, and they enable the government to direct an entity to take, or not to take, specific actions. Notification obligations are now extended to protecting networks and facilities from unauthorised interference or access, meaning responsible entities must now consider hazards other than cyber incidents.
What Do You Need to Do?
Organisations should carefully review and understand the introduced acts and amendments to evaluate their potential impact. If these changes are relevant to your organisation, there are several steps you can take to address them, including:
- Review and Update Policies: Ensure cyber security response plans align with mandatory ransomware reporting.
- Engage with Authorities: Develop documentation and processes for engaging with the NCSC and CIRB under the new voluntary reporting regime.
- Update Playbooks and Test Your Response: Incorporate these legislative changes into incident response strategies, and conduct tabletop exercises to validate decision-making frameworks, including handling ransomware payments.
Where Can We Help?
If you're looking for expert support in reviewing and updating documentation, creating compliant processes for engaging with authorities, or developing effective incident response plans and procedures, our team is ready to help.