
A tectonic shift – Australia’s first dedicated Cyber Security Act

10 October 2024
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne; Raisa Blanco, Special Counsel, Melbourne

Hot on the heels of its first tranche of reforms to the Privacy Act, the Federal Government has released a raft of cyber security legislation to ‘achieve Australia’s vision of being a world leader in cyber security by 2030’,[1] including Australia’s first dedicated ‘Cyber Security Act’.

Minister for Cyber Security Tony Burke introduced the:

  1. Cyber Security Bill 2024 (Cth) (Cyber Security Bill)
  2. Intelligence Services and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth) (Intelligence Services Reform Bill); and
  3. Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth) (SOCI Reform Bill), (together, the Cyber Security Reforms).

In this article, we highlight some of the key reforms in the Cyber Security Bill, setting out key operational and practical takeaways to help you prepare your business’ compliance strategy for when the Cyber Security Reforms pass into law. We also touch on some related amendments in the other Cyber Security Reforms.

The Cyber Security Act, in a nutshell

At a high level, the Cyber Security Bill is intended to apply to entities within and outside of Australia, and seeks to:[2]

  1. improve the cyber security of internet connected products (including internet of things (IoT) devices such as vehicles, smart speakers, fridges, and even washing machines);
  2. encourage disclosure of information related to ransomware attacks and payments;
  3. facilitate Whole of Government responses to significant cyber security incidents, to be led by the National Cyber Security Coordinator;
  4. establish a Cyber Incident Review Board to review incidents on a ‘no fault’ basis, and make recommendations to mitigate risks;
  5. encourage information sharing with the Federal Government to help mitigate impacts of cyber security incidents; and
  6. facilitate sharing certain information with State and Territory Governments regarding cyber security incidents for limited purposes.

So, what’s new?

If passed, the Cyber Security Bill would streamline a number of cyber security standards and reporting obligations and introduce several new penalties and regulatory powers for non-compliance with key obligations. As there is no monetary threshold for the application of these new laws, larger enterprises and small businesses will be affected equally, so entities of all sizes should prepare for a material uplift in their information security compliance processes and procedures to meet the new requirements.

In summary, these include:

Security standards for smart devices [3]

Summary

New standards are proposed for relevant connectable products that are newly manufactured or supplied after these provisions come into force (likely within 12 months of the Cyber Security Bill itself passing into law). These will include:

• internet-connected products – being those that are ‘capable of connecting to the internet…to send and receive data’; and

• network-connectable products – being those that are not internet-connected products, but are otherwise capable of sending or receiving data.

Compliance

Manufacturers of these kinds of products, which could include everything from phones, to laptops, vehicles, solar batteries, and other IoT devices, would need to ensure their products are manufactured to comply with security standards relevant to their class of product.

The proposed draft confirms that, broadly, both manufacturers and suppliers of relevant products have obligations under the new regime. A manufacturer or supplier of relevant connectable products will be in breach where it is determined that:

• the products do not comply with the new applicable standards; or

• the manufacturer or supplier does not provide a ‘statement of compliance’, as required by the Cyber Security Act, along with the product when it is supplied.

The Department of Home Affairs would have the power to order an independent examination of relevant entities’ compliance with these obligations. Entities in breach may be subject to the following enforcement procedures.

Enforcement

Similar to existing obligations under the Australian Consumer Law, non-compliant manufacturers or suppliers could be issued with:

• compliance and stop notices – requiring remedial action; and

• recall notices – requiring recall of non-compliant products to the relevant manufacturer.

Key takeaways

Manufacturers will have ultimate responsibility for ensuring their goods and products are manufactured in accordance with the new applicable standards. This will require a detailed technical analysis of the relevant standards (once released), as well as the preparation of statements of compliance by product manufacturers in the first instance.

Suppliers will also have obligations, and be required to ensure they are able to provide relevant statements of compliance to their customers.

Ultimately, suppliers caught by these new standards should note that their obligations will be in addition to, and distinct from, those of the product manufacturers, and it may be insufficient for a supplier to rely solely on a compliance statement provided by the applicable manufacturer.

Practically speaking, suppliers are likely to look to obtain warranties from manufacturers that their products comply with all relevant standards to ensure there is a contractual recourse for damages if a manufacturer does not comply with the relevant standards.
Ransomware Reporting Obligations [4]

Summary

Entities that:

• carry on a business in Australia (other than certain government entities) whose turnover exceeds the annual turnover thresholds, which are yet to be finalised and disclosed; or

• have existing cyber incident reporting obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act),

will be required to report any ransomware payments they make (or that someone makes on their behalf) within 72 hours after making the payment or becoming aware that the payment was made.

Reports must be made to the ‘designated’ body (being, by default, the Department of Home Affairs and the Australian Signals Directorate (ASD), unless other bodies are specified).

Report Contents

A ransomware report will be required to include a range of details, including details of:

• the entity that made the payment (whether it is the reporting entity itself, or another entity who made the payment on their behalf);

• the cyber security incident;

• the payment; and

• communications with the party that made the demand for a ransomware payment.

Penalties

Failure to provide a ransomware report (or providing a report that does not include all required details as summarised above) carries with it the risk of a maximum civil penalty of up to 60 penalty units, which is currently $18,780.00.

Liability will be reduced for good faith non-compliance with reporting obligations.

Use of ransomware reports

Only designated Federal Government bodies (and certain related bodies) will be permitted to use the details set out in a ransomware report and only for limited purposes, such as assisting in mitigating adverse impacts arising out of the relevant cyber security incident, bringing certain criminal charges (e.g. against the perpetrator), or assisting Australian intelligence agency functions.

Ransomware reports will not be able to be used to investigate a reporting entity, other than in respect of non-compliance with their ransomware reporting obligations.

Legal professional privilege will not be affected by the reporting, and the report will be inadmissible as evidence, other than with respect to any breach of the reporting obligation or certain criminal offences (including provision of a false or misleading report, or obstruction of Commonwealth officials). [5]

Key takeaways

Advice and guidance to date from the Australian Cyber Security Centre (ACSC) (including its ransomware guidance) confirms that, as a matter of principle, ransom payments should never be made, because payment may not result in the attack being withdrawn and because the malicious actors involved (and others) may be encouraged to repeat attacks on entities where there is a prospect of receiving payment.

This new reporting obligation looks to further discourage ransomware payments, but does not go as far as to prohibit the making of such payments (as some commentators had anticipated, or indeed demanded).

The stated aim of the reporting obligations under the new proposed laws is to give Government and key cyber security agencies visibility of whether and when such payments are made, and of the circumstances that led to the payment (or the decision not to pay).

The ACSC advises that this information may be used to further calibrate legislative controls and cyber security responses by Government and applicable regulators. It remains to be seen whether this information, once gathered, would be used to inform a future prohibition on the making of such payments, which appears to be the avenue and approach legislators in this space would prefer.

From an operational perspective, the ACSC encourages businesses to contact it and other relevant agencies as soon as practicable and seek tailored advice in relation to any ransomware attack. If, following such a consultation, the business decides to make a ransomware payment, it would need to comply with these new notification obligations within the 72-hour time frame.

Entities will need to review their business continuity and disaster recovery plans to ensure they account for these mandatory reporting requirements.
Coordination of Cyber Security Incidents [6]

Summary

Voluntary notification

Entities can, on a voluntary basis, report a significant cyber security incident to the National Cyber Security Coordinator (NCSC). Significant incidents are described as those that pose material risks to Australia’s national security or social or economic stability, or that could reasonably be expected to be of serious concern to Australians.

Coordinator of response

The NCSC will lead a whole-of-government response to any significant cyber security incident, including assisting impacted entities in responding to the incident or, where the incident is not significant, proposing other services that may assist.

Use of disclosed information

The NCSC will not be able to use disclosed information for any investigation or enforcement other than as relevant to the impacted entity’s compliance with the Cyber Security Act or another criminal offence. The circumstances in which secondary disclosures to other Government entities may be made will similarly be limited.

Legal professional privilege will not be affected by reporting, and the report will be inadmissible as evidence, other than with respect to criminal offences relating to a breach of the reporting obligation, the provision of a false or misleading report, or obstruction of Commonwealth officials. [7]

Key takeaways

The NCSC will be an additional avenue for businesses requiring assistance with particularly serious or complex cyber security incidents.

Entities will need to (at a minimum) review their business continuity and disaster recovery plans to ensure they account for potential voluntary notification to (and other engagement with) the NCSC in the case of applicable cyber security events.
Cyber Incident Review Board [8]

Summary

Mandatory reviews

A newly established Cyber Incident Review Board (CIRB) will be required to conduct reviews of cyber security incidents that are referred to it by:

• the Minister of Home Affairs;

• the NCSC;

• an affected entity (or entities); or

• members of the CIRB,

where the incident in question, in the CIRB’s view:

• has posed (or could have posed) a serious risk to Australia’s security or social or economic stability;

• was a novel or complex incident, a review of which would help Australia’s preparedness for similar incidents; or

• is (or could have been) of serious concern to the Australian people.

Reviews would be conducted on a ‘no fault’ basis – meaning the CIRB would not apportion blame or liability.

CIRB Structure

The CIRB will be an independent body that will consist of a chair and standing members appointed by the Minister of Home Affairs, and an ‘expert panel’ convened by those members.

The CIRB’s primary function will be to conduct independent reviews into cyber security incidents to:

• identify the root cause of the incident;

• make recommendations to Government and industry about how similar incidents can be mitigated; and

• report publicly on its review.

Disclosure of information and documents

For incidents referred to it, the CIRB will have a right to compel disclosure of certain information or documents, with entities to receive reasonable compensation from the Commonwealth Government to cover their cost of compliance with such mandatory disclosure requests.

Failure to disclose documents or information in accordance with the new rules would attract a maximum civil penalty of up to 60 penalty units, which is currently $18,780.00, subject to certain exceptions (e.g. where non-disclosure was due to certain national security-related considerations). Similar penalties would apply to entities that inappropriately disclose information provided to them by the CIRB.

Legal professional privilege will not be affected by the provision of information to the CIRB. Information the CIRB receives would generally only be able to be used by the CIRB to perform its functions under the Cyber Security Act, other than with respect to criminal offences relating to the provision of false or misleading reports or obstruction of Commonwealth officials.

Review reports

The CIRB would prepare a draft review report setting out preliminary findings for review by the Minister. The draft report could be shared with other entities in the CIRB’s discretion. Any improper disclosure of the draft review report by those entities could attract a maximum civil penalty of up to 60 penalty units, which is currently $18,780.00.

The draft legislation indicates that the CIRB’s published final review report would:

• be required to take into account the Government’s input into the draft review report and otherwise set out key findings and recommendations based on its review;
• not apportion blame or liability for the incident; and
• not identify individuals without their consent, or allow adverse inferences to be drawn from the fact an entity had been the subject of a review.

Some information may also be redacted.

Certification of involvement

Subject to relevant conditions set out, the chair of the CIRB would be able to issue certificates confirming the identities of CIRB staff or members, or witnesses appearing in a review, that had been involved in the review. This certification would prevent those persons from being compelled to provide evidence in a Federal, State or Territory court about matters specified in the certificate (i.e. certain matters that were the subject of the CIRB’s review).
Key takeaways

The new proposed laws and obligations restrict how the CIRB and related Government agencies can use information provided to them by businesses and industries affected by cyber security incidents. They aim to encourage organisations to share information on serious incidents more openly, for example by having the CIRB operate on a ‘no fault’ basis. However, concerns around self-incrimination, reputational and brand risk, and legal professional privilege remain to be assessed as the new Board and its review processes are rolled out.

Yet again, proactively reviewing and updating key cyber security and information management strategies, processes and procedures will help to mitigate both the initial risk and the impact of a cyber security incident.
Regulatory Powers [9]

Summary

Injunctions, infringement notices and enforceable undertakings

In addition to the civil penalties set out above, the Secretary of the Department of Home Affairs (or their delegate) would have the power to apply under the Regulatory Powers Act 2014 (Cth) for:

• injunctions to compel or prohibit certain acts related to those civil penalty provisions;

• infringement notices (i.e. fines) for non-compliance with those civil penalty provisions; and

• enforceable undertakings (i.e. court orders) to compel certain acts related to those civil penalty provisions or related to compliance with the product security standards (and compliance notice) provisions.

Monitoring and investigation powers

The Secretary of the Department of Home Affairs (or their delegate) would also have the power to monitor and investigate compliance with civil penalty provisions and the product security standards (and compliance notice provisions) in accordance with Parts 2 and 3 of the Regulatory Powers Act.
Key takeaways

While enforcement provisions will only be enlivened in cases of breach of the Cyber Security Act, businesses should ensure they maintain strong cyber security practices even when they are not subject to potential monitoring or investigation by the relevant regulatory authorities.

Compliance activities should include reviewing key internal policies to ensure compliance with new security and reporting obligations – noting that it would be too late to address these once a cyber security incident has already occurred.

Intelligence Services Reform Bill

Bundled with the Cyber Security Act, the Intelligence Services Reform Bill will, when passed into law, impose obligations on the Australian Signals Directorate (ASD) to use information disclosed to it about cyber security incidents for only limited purposes.

Specifically, the Intelligence Services Reform Bill will amend the Intelligence Services Act 2001 (Cth) to ensure that information regarding cyber security incidents that has voluntarily been shared with the ASD by entities may only be on-shared by ASD to other entities for certain permitted cyber security purposes, including:

  1. assisting ASD’s performance of its functions;
  2. advising the Minister; and
  3. supporting the performance of certain obligations under the Cyber Security Act.

ASD’s internal use of the information would not otherwise be affected.

SOCI Reform Bill

Completing this raft of new proposed legislation, the SOCI Reform Bill is intended to streamline a number of key provisions under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). At a high level, these proposed reforms deal with the following:

Expanded definitions of ‘data storage systems’ [10]

Summary

Previous drafting of the SOCI Act led to ambiguity around the kinds of data storage systems that related to critical infrastructure and left many related (but essential) systems beyond scope.

These new amendments clarify that critical infrastructure assets will include secondary assets which hold ‘business critical data’ and relate to the functioning of the primary critical infrastructure asset.

Obligations will generally apply where the entity responsible for a critical infrastructure asset owns or operates the data storage system in question.
Key takeaways

This reform may bring a number of new organisations within the scope of the SOCI Act.

Businesses should review the data storage systems they own or operate and consider their connection to both critical infrastructure assets and critical business data.

This is likely to require downstream discussions with third party supply chains and potentially also upstream with customers (as relevant) to understand the scope, and criticality, of information assets processed or stored via these systems.
A ‘last resort’ directions power [11]

Summary

This reform broadens the existing power for the Government to respond to serious incidents (as opposed to only cyber security incidents) by permitting the Secretary of the Department of Home Affairs to issue directions to entities following a relevant Ministerial authorisation.

The Government identifies that this expansion is intended to enable it to more directly mitigate key risks, including in relation to multi-asset incidents.

Exercise of this power is confined by existing limitations in relation to the ‘seriousness’ of the incident – i.e. by reference to situations related to Australian national security, or our social or economic stability.
Key takeaways

This power is designed to address particularly serious events only, but it comes as a timely reminder that a number of competing obligations and reviews may arise during high pressure cyber security incidents.

Businesses should again review key business continuity, disaster recovery and information security protections, including security, data breach policies and response protocols etc., to ensure they can rely on streamlined processes to manage these kinds of threats and the related regulatory obligations.
Streamlined protected information provisions [12]

Summary

Definitions of protected information and relevant information will be set out separately in a new section 5A.

Relevant information would largely capture what had previously been considered ‘protected information’ under the SOCI Act – being information related to compliance with the SOCI Act.

Protected information would then take a ‘harms-based’ definition, capturing relevant information that carries a particular risk upon disclosure (often by reference to some prejudice to national security).

There will be a number of other information sharing provisions aimed to streamline information sharing between Commonwealth Government agencies and permitting entities to share less critical information related to the SOCI Act (i.e. some relevant information that would not otherwise be captured as ‘protected information’).
Key takeaways

Affected businesses should assess the kinds of information they currently hold which may be governed by the SOCI Act and consider whether they will have additional (or lesser) obligations given the proposed distinction between ‘relevant’ and ‘protected’ information.
Directions to vary CIRMPs [13]

Summary

The Secretary of the Department of Home Affairs would be given the power to direct an entity to vary their Critical Infrastructure Risk Management Plan (CIRMP). Any such direction would be required to clearly specify any deficiencies in the CIRMP and the period within which rectification would be required to occur (being not less than 14 days).

Key takeaways

This reform suggests the Government has been concerned by potential non-compliance with CIRMP obligations or unsatisfactory management practices.

Businesses should take this opportunity to undertake a comprehensive review of their CIRMP to avoid further regulator engagement.
Consolidated telecommunications security provisions [14]

Summary

The Telecommunications Sector Security Reforms would be incorporated into the SOCI Act along with key security provisions from the Telecommunications Act 1997 (Cth).

The goal here will be to consolidate and uplift existing provisions given the criticality of various telecommunications assets.

The Government’s explanatory memorandum suggests various limitations on these new obligations will be set out in future subordinate legislation.
Key takeaways

Although only addressed in this article at a high level, businesses operating telecommunications assets (including carrier and carriage services) should carefully review proposed amendments to understand how the scope of their obligations may change given greater interaction with the SOCI Act.



Authored by:

Antoine Pace, Partner
Dudley Kneller, Partner
Sinead Lynch, Partner
Raisa Blanco, Special Counsel
Chris Girardi, Lawyer


[1] https://www.abc.net.au/news/2024-10-09/cyber-laws-could-force-businesses-to-report-ransomware-payments/104446552

[2] Cyber Security Bill 2024 (Cth) s 3.

[3] Cyber Security Bill 2024 (Cth) Part 2.

[4] Cyber Security Bill 2024 (Cth) Part 3.

[5] Cyber Security Bill 2024 (Cth) ss 31-32.

[6] Cyber Security Bill 2024 (Cth) Part 4.

[7] Cyber Security Bill 2024 (Cth) ss 41-42.

[8] Cyber Security Bill 2024 (Cth) Part 5.

[9] Cyber Security Bill 2024 (Cth) Part 6.

[10] SOCI Reform Bill Schedule 1.

[11] SOCI Reform Bill Schedule 2.

[12] SOCI Reform Bill Schedule 3.

[13] SOCI Reform Bill Schedule 4.

[14] SOCI Reform Bill Schedule 5.

 

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
