A first look at the Australian Cyber Security Bill 2024
On 9 October 2024, the Australian Federal Government introduced into Parliament a Cyber Security Legislative Package 2024 comprising the:
- Cyber Security Bill 2024 (the Bill);
- Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024; and
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.
If passed, the Bill would become the country’s first standalone piece of legislation targeted specifically at cybersecurity. Together with amendments to the Security of Critical Infrastructure Act and Intelligence Services Act, the package introduces significant reforms designed to strengthen the country’s cyber resilience through several measures proposed in the 2023-2030 Australian Cyber Security Strategy.
The following is a summary of the core components of the Bill and its implications for businesses and organisations operating in Australia.
- Mandatory ransomware payment reporting
A prominent feature of the Bill is the 72-hour mandatory reporting of ransomware payments, which seeks to give the government better insight into ransomware trends and the economic impact of cyber extortion. The reporting obligation requires all businesses operating in Australia with an annual turnover exceeding $3 million, as well as entities responsible for critical infrastructure, to report ransomware payments to the Australian Signals Directorate and the Department of Home Affairs within 72 hours of the payment being made, or of the entity becoming aware that such a payment has been made (including by a third party on its behalf). Failure to comply with this reporting requirement may result in a civil penalty.
- Limited use protections for disclosed information
To provide some assurance to businesses that their compliance with the reporting requirements would not expose them to additional regulatory scrutiny, the Bill ensures that information disclosed under mandatory or voluntary reporting obligations is restricted to specific uses and purposes, largely related to incident response and public safety. For example, data provided in ransomware payment reports can only be used for managing the cyber incident and assisting affected entities. It cannot be used for unrelated civil or regulatory actions, although criminal investigations can still proceed if relevant.
- Cyber Incident Review Board (CIRB)
Modelled after the US Cyber Safety Review Board, the Bill introduces the CIRB, which would be responsible for investigating and analysing significant cyber incidents in Australia without attributing fault. The board would function independently in conducting reviews and publishing findings, with the aim of providing the government and industry with actionable recommendations to prevent, detect, respond to or minimise the impact of similar cyber incidents in the future.
The CIRB would have authority to compel entities to share incident-related information and documents as part of its review, and non-compliance with a CIRB information request may attract a civil penalty. Although such information would be covered by the limited use protections mentioned above, it is as yet unclear whether the document protection requirement would extend to legally privileged material.
- Mandatory security standards for Internet of Things (IoT) devices
To address the vulnerability of IoT technology to cybersecurity risks, the Bill empowers the Cyber Security Minister to mandate minimum cybersecurity standards for “connectable products” such as smartphones, security cameras, motor vehicles and smart home devices. Manufacturers and suppliers of such products, both local and foreign, may be required to issue a statement of compliance confirming that the product meets those standards and setting out prescribed information. In the event of non-compliance, the Secretary of Home Affairs is empowered to issue non-compliance, stop or recall notices.
Implications for businesses
The Bill requires all organisations in Australia to adapt to a higher standard of cyber risk management and reporting. Key actions that businesses should consider and start preparing for include:
- Updating incident response plans: Given the 72-hour ransomware reporting obligation, businesses will need to integrate this requirement into their incident response protocols to ensure timely compliance. Documentation should clearly outline the steps to be taken following a ransom payment, including data collection, internal notifications, and external reporting procedures;
- Compliance with IoT standards: Companies involved in the production, import, or supply of IoT devices must adhere to the new cybersecurity standards. This will require investment in secure design and regular auditing to meet the mandated standards and avoid the risk of recalls;
- Engagement with the CIRB: Organisations impacted by significant cyber incidents should be prepared for potential CIRB investigations. Businesses should also aim to strengthen their own cybersecurity measures based on the board’s published findings and industry-wide recommendations.
The Bill and the balance of the Cyber Security Legislative Package 2024 set a new benchmark for digital security in Australia, imposing reporting obligations and standards aimed at safeguarding the nation against cyber threats. In this landscape, early engagement with government bodies like the Australian Signals Directorate and the National Cyber Security Coordinator will be crucial for companies looking to navigate regulatory expectations effectively.
If you would like to discuss any of the above or require assistance with cybersecurity measures generally, please contact our Cheryl Sun (csun@mphlawyers.com.au) or Nigel Pakes (npakes@mphlawyers.com.au) by email or telephone (08) 9221 0033.