Opinion

Australia’s Cyber Security Legislative Package 2024: Deadline for submissions

Published Date
Oct 17 2024
Ross Phillipson, a partner in our Australia Privacy and Cyber practice, and Denise Kara, a Senior Associate in our Australia Privacy and Cyber practice, discuss the Australian Government’s proposed changes to the Security of Critical Infrastructure Act 2018 (Cth) and the introduction of the new Cyber Security Bill, and put out a call to action for organisations intending to make a submission to a parliamentary committee by October 25, 2024.

On October 9, 2024, the Australian Government introduced into Parliament the Cyber Security Legislative Package to implement several initiatives under the 2023-2030 Australian Cyber Security Strategy. The package includes the landmark Cyber Security Bill 2024 (Cyber Security Bill) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Amendment Bill) (together, the Bills). Organisations regulated by the SOCI Act, and organisations that may fall within the scope of the new Cyber Security Bill, should consider whether they would like to make a submission to the parliamentary committee about the Bills.

The deadline for submissions is Friday October 25, 2024 (and the deadline for providing notice that you intend to make a submission is Friday October 18, 2024), so organisations affected by these new or amended obligations should get in touch if they would like assistance in doing so.

Set out below is a high-level summary of the key reforms introduced by the Bills:

  1. Mandatory ransom payment reporting requirements: The Cyber Security Bill proposes a ransom payment reporting obligation for reporting entities. Under the proposal, a reporting entity will be required to make a report to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of making, or becoming aware of, a ransom payment. Reports must include the details of the ransom payment and certain other information relating to the incident and to communications with the threat actor. Interestingly, the reporting entity will still have an obligation to report even if it is not itself subject to the demand or does not itself make the payment, but is aware that another entity has received a demand or has made the payment on its behalf. Multinational corporations whose cyber security is handled offshore from their Australian operations should assess this requirement, as it may result in local reporting obligations for decisions made overseas.
  2. Mandating minimum cyber security standards for smart devices: The Cyber Security Bill mandates security standards for Internet-connected devices (such as smartphones, home assistants, wearables, and smart doorbells) to address the concern that Internet of Things (IoT) devices continue to be used by cyber threat actors to target consumers. The Government sees an opportunity to improve the security of IoT devices in line with international approaches, including that of the UK (with its Product Safety and Telecommunications Infrastructure Act 2022). The rules, once published, will set security standards for relevant connectable products acquired in Australia (which intentionally brings overseas manufacturers within scope). Supply of products in Australia must be accompanied by a statement of compliance. Non-compliance may result in the issuance of a compliance notice, stop notice, and/or recall notice. While the standards and definitions applied draw upon international standards, companies whose devices may be in scope should review the requirements and consider whether their products are, directly or indirectly, supplied to Australia.
  3. Expansion of the scope of critical infrastructure assets under the Security of Critical Infrastructure Act 2018 (SOCI Act) to include data storage systems: The definition of a critical infrastructure asset (CIA) under the SOCI Amendment Bill has been broadened to include a data storage system that: (a) is owned or operated by the responsible entity for the CIA, and is used in connection with the asset; (b) stores or processes business critical data; and (c) is exposed to a hazard that has a material risk of impacting the data storage system and also carries a material risk of causing a relevant impact on the asset. As a consequence, such data storage systems will be subject to the other parts of the SOCI Act applicable to the CIA, including registration of ownership, critical infrastructure risk management programs (CIRMPs), and incident notification requirements. Responsible entities for CIAs should consider the impact of the proposed reforms on their assets and the associated registration information, operational information, and risk management programs.
  4. Limited use obligation for information provided to the National Cyber Security Coordinator (Coordinator): The Cyber Security Bill implements a framework for the voluntary disclosure by an impacted entity of information to the Coordinator (Voluntary Information) in relation to significant cyber security incidents. The Cyber Security Bill introduces ‘limited use’ provisions that only allow the Coordinator to use or disclose Voluntary Information to assist the impacted entity in managing the incident, or for a set of permitted cyber security purposes (as prescribed in the Cyber Security Bill). Notably, the Coordinator cannot use or disclose Voluntary Information to investigate or enforce a breach of law (other than criminal offences) by the impacted entity. Organisations should consider whether the limited use regime is applicable to them and assess its impact on incident response plans and notification processes.
  5. Enhanced security and notification obligations for responsible entities of critical telecommunications assets: The SOCI Amendment Bill sets out the enhanced security obligations and notification obligations for responsible entities of critical telecommunications assets. The changes include significant obligations on designated entities to advise regulators of changes to infrastructure where it may have a material adverse impact on the entity’s capacity to comply with asset security requirements. While currently limited in effect to telecommunications, the enhanced security requirements should be of interest to all critical infrastructure operators as they likely presage future requirements from government in relation to effective control over certain infrastructure asset classes and sectors. 
  6. Cyber Incident Review Board (CIRB): The Cyber Security Bill establishes the CIRB, a new independent statutory advisory body within the Department of Home Affairs, to conduct post-incident reviews of significant cyber security incidents in Australia. The CIRB will provide recommendations to industry and the Government about actions that could be taken to prevent, detect, respond to, or minimise the impact of, cyber security incidents. The CIRB has the authority to compel production of documents from entities subject to ‘limited use’ restrictions similar to those proposed in relation to ransom payment reporting and Voluntary Information. Questions remain regarding the jurisdictional limits of the proposed CIRB’s powers, the process it will use to conduct the review and the rights of entities subject to the review process.  
