Australia's Cyber Security Act

Type: Article
Author: By Lyal Collins, Australia-based Senior Consultant, Aura
Date: 9 Dec 2024
Read time: 5 min to read

On 25 November 2024, the Australian Parliament passed Australia's first standalone Cyber Security Act, delivering a central commitment of the 2023–2030 Australian Cyber Security Strategy.

After a series of devastating cyber incidents affecting millions of Australians, such as the attacks on Optus, Medibank and Latitude, this landmark legislation aims to bolster the security and resilience of Australia's cyber environment and critical infrastructure. The emphasis is on gaining visibility across affected entities, rather than on punitive measures.

Key provisions of the Act

1. Mandatory cyber security standards for smart devices
The Act enables the Minister for Cyber Security to prescribe mandatory security standards for smart devices, so that the devices Australians purchase meet a baseline of security and do not introduce avoidable cyber risk. Similar requirements already in force in the UK and Europe, and moves in the same direction in the US, are converging on an international baseline. From a business perspective, this will start to shift buying patterns across industries towards more secure internet of things (IoT) devices.

Choosing secure smart devices now has other benefits too. First, it stops a growing 'security debt' from accumulating. Second, it signals to vendors that Australia does not want less secure or outdated models dumped in our market, given that other industrialised nations are also mandating greater security in IoT-dependent industries.

The remaining problem is that there are tens of millions of IoT devices already deployed and billions of dollars invested in those assets, so a full upgrade cycle to compliant products across industry will probably take some years. But you have to start somewhere, right?

2. Mandatory reporting of ransom payments
Certain businesses, namely responsible entities for critical infrastructure assets and businesses with annual turnover above $3 million, are now required to report ransomware and cyber-extortion payments, within 72 hours of the payment being made or of becoming aware that it has been made. This measure helps cyber experts build a better understanding of the threat landscape and develop more effective responses.

Ransomware and extortion incidents have been a persistent problem in Australia, with both the number of incidents and the size of payouts growing over the past few years. The challenge is that much of this activity is currently invisible at the government and regulatory level. Companies quietly make payments to make the problem go away, so there is no visibility of how severe the impact of ransom payments is, either financially or in terms of Australia's overall resilience to cyberattacks.

Mandatory reporting is a sound approach to gaining visibility of malicious actors, so that the government can put a preventative plan in place while also monitoring its effectiveness.

Regulation and prosecution across jurisdictions have not proved effective at reducing cybercrime, but if you can stop the payments at the source, you cut into cybercriminals' revenue stream and their return on investment.

Australia hasn't gone as far as banning ransom payments, but with reporting of those payments and other incidents in place, the government can begin to develop national strategies to both track and limit them. That may be one of the few ways to deter these threat actors: cutting off their source of income and increasing their visibility to financial regulators globally, which would effectively put them out of business.

3. Limited use obligation
The Act introduces a 'limited use' obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD). Information an organisation voluntarily shares with them during a cyber security incident can be used only for incident response and related purposes, not passed on for other regulatory purposes.

What the Act is attempting to do here is set a tone of good faith: if you engage with the government on incident response, that information won't be handed to other regulators or bodies who may fine or otherwise penalise the organisation.

At present, there is a certain resistance to sharing information openly with any branch of government. For example, if a publicly listed company starts sharing data about a ransomware attack, that can seriously affect investor confidence. There is also the concern that another body, such as the ATO, ASIC, APRA or the OAIC, may get involved and issue fines or enforceable undertakings.

There are also Australian sanctions laws restricting transactions with sanctioned countries, entities and individuals. If a business pays a ransom to a sanctioned party in, say, Russia, it may immediately be in breach of those laws, which is a strong incentive not to disclose the payment.

A 'share without blame' arrangement may allow an organisation to be more transparent about the impacts of a cyber crisis while reducing downstream harm, for example by limiting the window in which compromised personal details can be used for banking fraud.

4. Cyber Incident Review Board 
A new Cyber Incident Review Board will conduct no-fault, post-incident reviews of significant cyber security incidents. 

The board will make recommendations to improve the prevention, detection, response and mitigation of future incidents. We are yet to see details of who will sit on the Board and how far its reviews will extend.

It has been stated that the CIRB is not intended to serve a law enforcement purpose, which suggests it will not have much representation from the Australian Signals Directorate or the Australian Federal Police. Subject matter experts from a security, law or privacy perspective, who can provide a suitable technical review, are who I'd like to see on this board.

There has been discussion that the CIRB might function more like the Australian Transport Safety Bureau (ATSB), which takes a passenger safety perspective rather than a regulatory or enforcement one.

While it is an investigative board, there is no indication at the moment that it will have powers to compel an organisation to hand over information about an incident, so it will be interesting to see how this develops.

5. Reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act)
The original SOCI Act gave the government powers to manage the impact of all hazards and incidents on critical infrastructure. One point to note is that the amended Act now extends beyond the obligation to protect networks and facilities from unauthorised interference or access. Responsible entities must also address hazards other than deliberate cyber incidents, such as software bugs and defects in their networks and systems.

The reforms also simplify information sharing across industry and government and move telecommunications security regulation into the SOCI Act.

Some Australian industries already had their own cyber security requirements, so the Act strengthens and streamlines critical infrastructure response rather than starting from scratch.

This addresses a gap that became apparent in the aftermath of the Optus and Medibank cyberattacks, both of which involved massive data privacy breaches. In both cases the government's official role was limited because existing law only granted it powers where an incident affected designated critical infrastructure assets.

Significance for New Zealand and Kiwi businesses operating in Australia

Australia has been putting serious effort into bolstering its cyber security posture at a national level, with a vision of becoming a global leader in cyber security by 2030. This Act follows other initiatives, such as the creation of a Minister for Cyber Security in 2022.

For businesses operating in Australia, some process changes may be needed to ensure they can confidently report and respond to these requirements during a cyber incident. Most notably, the ransom payment reporting obligation, with its 72-hour window, means businesses captured by the Act should review and update not only their policies but also their incident response plans and playbooks, so that the decision to pay and the reporting step are both recorded and assigned to an owner.

Boards and executives must be clear about their new obligations and rights under this Act, so expect more legal involvement during cyber incidents.

As the Act comes into force, it will be interesting to see how this flows through into tangible outcomes – and whether similar laws will be passed in New Zealand.