On 25 November 2024, Australia's Parliament passed the country's first standalone Cyber Security Act, introducing a range of measures intended to strengthen the nation's defenses. One key provision requires affected entities to notify the government when they make a ransom payment to cybercriminals, a practice that has become widespread internationally.
The Cyber Security Act is a direct outcome of Australia's Cyber Security Strategy 2023-2030, which aims to make Australia a world leader in cyber security by 2030. Measures in the legislation include establishing in statute a National Cyber Security Coordinator responsible for leading a unified national response to significant cyber incidents.
In a statement released by Australia's Minister for Cyber Security Tony Burke, the Act was described as a "cornerstone in our endeavor to shield Australians from cyber threats" and is positioned as "an integrated legislative resource enabling Australia to progress with clarity and confidence amidst an ever-evolving cyber terrain."
Experts recommend that IT and security leaders update their incident response plans to reflect the new obligations, which require new lines of communication with government during the chaotic hours of a cyber security incident or emergency.
Impact of Australia's new cyber security law on organizations
Two changes most directly affect Australian entities: a mandatory obligation to report ransom payments, and a voluntary reporting framework for cyber incidents.
Mandatory disclosure of ransom payments
Organizations above a certain size will be required to report ransom payments. The exact threshold is to be set in rules made under the Act, but local law firm Corrs Chambers Westgarth expects it to apply to businesses with an annual turnover above AUD 3 million.
A ransom payment must be reported to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of making it. Failing to report could attract a civil penalty of up to AUD 93,900, according to Corrs.
SEE: The concerning state of data breaches in Australia in 2024
Corrs stresses that the reporting obligation does not signal any softening of the government's position: entities are still advised not to pay. Policy makers argue that ransom payments fund further criminal operations, with no guarantee that the attackers will actually restore data or refrain from leaking it.
Voluntary reporting of cyber incidents
The Act also creates a voluntary cyber incident reporting framework, intended to encourage more open sharing of information after an attack for the benefit of other organizations in the private and public sectors, as well as the general public.
The framework is administered by the National Cyber Security Coordinator (NCSC). Any business operating in Australia may report an incident and receive some protection under a "limited use" obligation that restricts how the Coordinator can use and share the information.
That protection is limited rather than a blanket safe harbor. For example, reporting a significant cyber security incident allows the Coordinator, under the rules, to use the information to prevent or mitigate threats to critical infrastructure or national security and to assist intelligence and law enforcement agencies, as Corrs notes.
Additional provisions encompassed in Australia’s latest legislation
Several other provisions in the legislative package will affect IT and security professionals.
Emphasis on IoT device security
The Australian government now has the power to prescribe security standards for Internet of Things devices. Once those standards are set out in rules made under the Act, manufacturers and suppliers, including those based overseas, must comply with them to keep supplying the Australian market, as Corrs explains. In practice, manufacturers will need to provide a statement of compliance for each covered device, and suppliers will not be able to supply a device without one.
Establishment of Cyber Incident Review Board
Significant cyber incidents in Australia will be examined by a newly established Cyber Incident Review Board. The CIRB will conduct no-fault post-incident reviews, publish recommendations, and will have the power to compel entities to provide information.
Expansion of cyber security legislation
The Cyber Security Act is part of a wider legislative package that also amends Australia's Security of Critical Infrastructure Act 2018. Among other changes, the SOCI Act amendments bring data storage systems that hold business-critical data within the definition of a critical infrastructure asset.
Call for IT and security assessment of cyber incident response strategies
IT and security teams should review their incident response procedures and update them to reflect the mandatory ransom payment reporting requirement and the need to engage with the National Cyber Security Coordinator.
SEE: Australian government proposes mandatory guardrails for AI
The new obligations require organizations to adjust their incident response plans, and CISOs and security teams will carry most of that work: updating playbooks and building the new reporting steps into future tabletop exercises. Corrs highlights that the reporting clock starts when a ransom payment is made, not when a demand is received, which affects both the decision-making process and the timing of communications. The obligation covers a payment or other benefit, and it applies equally when a third party such as an insurer or negotiator pays on the organization's behalf, so the playbook should record who authorized and executed any payment and when.
Entities may also face overlapping reporting obligations with different timelines: the Notifiable Data Breaches scheme under the Privacy Act 1988, which requires notification to the OAIC as soon as practicable once an eligible data breach is identified, and, for responsible entities for critical infrastructure assets, the SOCI Act's mandatory cyber incident reporting regime with its 12-hour and 72-hour windows. Companies listed on the Australian Securities Exchange must also meet their continuous disclosure obligations.
