Cyber security is a major concern in Australia. During 2022-2023, there were nearly 94,000 cyber security incidents reported to Australian law enforcement agencies.[1]
The Australian Signals Directorate has acknowledged that cybercrime ‘is a multibillion-dollar industry that threatens the wellbeing and security of every Australian.’[2] In 2022-2023, the average cost of cybercrime per report for small and medium businesses was $46,000 and $97,200 respectively.[3] The same period saw the personal information of millions of Australians compromised through significant data breaches.[4] Isolation and remediation of these data breaches may cost millions of dollars with losses due to reduced productivity, legal action and reputational damage.[5]
With these figures and issues in mind the Australian Government called out cyber security as ‘an urgent national problem’[6] and on 22 November 2023 released its 2023-2030 Australian Cyber Security Strategy. On 9 October 2024, the Australian Government introduced a suite of cyber security legislative reforms into the Parliament. These reforms include the Cyber Security Bill 2024 (CSB), Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.
Notably the reforms increase compliance and reporting requirements for Australian businesses.
Statements of compliance with new security standards
One aspect of the CSB is that it strengthens regulation of smart devices. These are devices that are not traditionally computer hardware but can connect to the Internet or a network. Examples of smart devices include smart TVs, smart watches and baby monitors. The policy concern with smart devices is that, despite being used to collect significant volumes of personal information, they aren’t subject to mandatory cyber security standards or regulations requiring built-in security features.[7]
The CSB permits the relevant Minister to mandate security standards, made as Ministerial rules, for smart devices. As currently drafted, the CSB requires manufacturers of smart devices to comply with these security standards where the device is, or could reasonably be expected to be, acquired in Australia. Manufacturers and suppliers must also provide statements of compliance for devices manufactured for or supplied to the Australian market. The CSB also establishes an enforcement notice regime for manufacturers and suppliers that includes compliance notices, stop notices and recall notices.[8]
Mandatory reporting for ransomware and cyber extortion payments
The reform legislation doesn’t define ‘ransomware’ or ‘cyber extortion’. However, the Explanatory Memorandum to the CSB notes that:[9]
Ransomware is malicious software designed to cripple digital infrastructure by encrypting devices, folders and files, rendering essential computer systems inaccessible unless a ransom is paid. Cyber extortion occurs when cybercriminals exfiltrate commercially sensitive or personal data from victims, threatening sale or release if extortion demands are not met.
The CSB establishes a mandatory reporting obligation for entities that pay money or provide another benefit in connection with a cyber security incident. The concern is that ransomware and cyber extortion attacks are significantly underreported under the current voluntary reporting regime, and the Government wants improved visibility of their economic and social impacts.[10]
The mandatory reporting obligation applies to all Australian businesses that meet a turnover threshold worked out under the Ministerial rules. It also applies to all responsible entities for critical infrastructure assets to which the Security of Critical Infrastructure Act applies. Within 72 hours of making a ransomware payment, the entity must give the designated Commonwealth Government body a report that complies with the CSB. The report must cover the cyber security incident, the payment itself and the communications with the extorting entity.[11]
Other features of the cyber security legislative reforms relevant to business
The reforms establish a ‘limited use’ obligation restricting how reported cyber security incident information can be on-shared and used by the Australian Government and regulators. That is, the information provided may only be used for permitted cyber security purposes. The intent is to encourage industry to engage with the Australian Government when it requires help managing a cyber security incident.
The CSB also establishes a Cyber Incident Review Board. The Board is to conduct post-incident reviews of significant cyber security incidents, and it has information gathering powers to obtain information from entities involved in those incidents.
Finally, the reforms introduce further measures to better protect critical infrastructure under the Security of Critical Infrastructure Act.
For more information on the Australian Government’s cyber security reforms, please contact Coleman Greig’s Privacy and Data Protection experts.
[1] Australian Government Australian Signals Directorate, ASD Cyber Threat Report 2022-2023 1-2.
[2] Ibid 33.
[3] Ibid 2.
[4] Ibid 45.
[5] Ibid 45.
[6] Australian Government, 2023-2030 Australian Cyber Security Strategy 4.
[7] Explanatory Memorandum, Cyber Security Bill 2024 2.
[8] Cyber Security Bill 2024 pt 2.
[9] Explanatory Memorandum, Cyber Security Bill 2024 4-5.
[10] Explanatory Memorandum, Cyber Security Bill 2024 5.
[11] Cyber Security Bill 2024 pt 3.