26 Nov 2024

It is here! The Cyber Security Act 2024 (Cth)

By Katherine Jones, Morgan Lane, Lana Remedi, Jessica Yazbek and Kate Garland

On 25 November 2024, the Cyber Security Act 2024 (Cth) (the Act) was passed by the Federal Parliament as part of the cyber security legislative package designed to help the Australian government achieve its vision of becoming a global leader in cybersecurity by 2030. The Act will come into force once it receives Royal Assent.
In brief

The key takeaways for this new legislation are as follows:

1. Mandatory reporting of ransomware payments for critical infrastructure assets or businesses with over $3m in revenue;

2. Minimum cyber security standards for smart devices will be mandated (manufacturers and suppliers of smart devices, connected devices, internet of things (IoT) devices to be on alert for legislated rules and the requirements for compliance statements to be given);

3. Voluntary reporting to the National Cyber Security Coordinator;

4. Establishment of a Cyber Incident Review Board; and

5. Limited use provisions.

Key takeaways outlined

1. Mandatory reporting of ransomware payments

If an organisation which is a critical infrastructure asset, or has revenue of over $3m, makes a ransomware payment, it has 72 hours following the making of the payment, or upon becoming aware that such a payment has been made, to report the payment to the Australian Signals Directorate (ASD).

This obligation will not apply to Commonwealth or State bodies, or to entities under the turnover threshold, which is to be determined in the manner prescribed by the rules (currently $3m). Critical infrastructure asset owners and operators with mandatory cyber security incident reporting obligations under Part 2B of the SOCI Act already have reporting obligations to the ASD through the Report Cyber portal.

A ransomware payment report must include:

  • if the reporting business entity made the payment, its contact and business details;

  • if another entity made the payment, that entity's contact and business details;

  • details around the cyber security incident, including its impact on the reporting business entity (noting that the Act lists circumstances where an incident is presumed to be a cyber security incident);

  • the ransomware payment sum; and

  • communications with the extorting entity relating to the incident, demand and payment.

An entity which fails to make a ransomware payment report may be liable to a civil penalty of up to $19,800.

Whilst the payment of ransoms is not expressly prohibited, the requirement to provide details of the cyber security incident and its impact on the business continues to put pressure and a spotlight on a business's decision-making process if it decides to make a payment. This reporting indirectly crystallises the Australian government's position of discouraging the making of ransomware payments.

The anticipated benefits of mandated reporting include enhancing the Federal Government's collection of information about ransomware and cyber extortion demands and payments, to inform government efforts to assess the overall ransomware threat, provide assistance to law enforcement and, hopefully, disrupt and break the ransomware business model.

2. Security standards for relevant connected products

It is intended that, through the regulations, there will be security standards for the IoT, specifically for 'relevant connectable products' such as internet-connectable or network-connectable products. Examples include 'smart' whitegoods (e.g., connected ovens, fridges, etc.), network-connected baby monitors, and robot vacuum cleaners.

Manufacturers and suppliers should be aware that where security standards are imposed on a connectable product:

  • the product must be manufactured in accordance with the security standards if the manufacturer is aware (or ought to be aware) that the product will be sold in Australia;

  • the product must be supplied with a statement of compliance;

  • the product must not be supplied in Australia if it was not manufactured in compliance with the security standards; and

  • the manufacturer or supplier must comply with any requirements of the relevant security standard.

The Secretary of the Department of Home Affairs (Secretary) can commission independent audits to ensure compliance. Where there has been a failure to comply, the Secretary can issue a compliance notice, a stop notice, or a recall notice, which may be published publicly.

Manufacturers and suppliers will have significant obligations under this reform.

For manufacturers, distributors and suppliers of smart devices, the new legislation will require a close review of the standards imposed on relevant connected products and preparation for compliance statements. Going forward, suppliers may look to incorporate warranties for compliance in agreements with manufacturers and distributors.

The Government's key message is that we need to ensure these IoT devices have basic security standards, just as we do for cars and baby seats.

3. Voluntary reporting to the National Cyber Security Coordinator

An entity impacted by a significant cyber security incident may voluntarily provide information to the National Cyber Security Coordinator (NCSC), whose role is to lead the coordination and triaging of responses to a significant cyber security incident.

A cyber security incident is a 'significant cyber security incident' if:

  • there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice the social or economic stability of Australia or its people, the defence of Australia or national security; or

  • the incident is, or could reasonably be expected to be, of serious concern to the Australian people.

4. Cyber Incident Review Board

A Cyber Incident Review Board (Board), an independent body, has been established to review cyber security incidents to:

  • identify contributing factors to the incident;

  • make recommendations to government and relevant industries about actions relating to the prevention, detection, response to and minimising the impact of future incidents;

  • publish a report on the review; and

  • perform any further functions which may be conferred on the Board under the Act or regulations.

Reviews may only be conducted by the Board if it is satisfied that the incident meets the prescribed criteria, after the incident and the immediate response have ended, and once the Minister has approved the terms of reference for the review.

Importantly, the Board has powers under the Act to request information from entities, Commonwealth or State bodies or employees, or to compel entities to produce certain documents, for the purpose of conducting a review. Restrictions are imposed on information provided to the Board for the purpose of a review. Provision of such information does not waive legal professional privilege in relation to that information, and such information is not admissible in evidence against the providing entity in certain legal proceedings.

5. Limited use

Alongside ransomware payment reporting to the ASD, the introduction of the Board and voluntary reporting to the NCSC, the Act introduces a limited use provision. This limitation is intended to address resistance amongst businesses to sharing information concerning cyber security breaches.

The key message is that knowledge is power: these provisions will allow businesses to share information with the ASD, the NCSC and the Board, to assist them in responding to incidents, without fear that the information shared will be used against them.

Where to from here? 

The past six months, and the next twelve months, will see significant legislative evolution in cyber, digital governance and privacy. These wide-reaching changes will push businesses to keep pace, and will require them to review and update their trading terms and product documentation, cyber policies and incident response procedures to ensure compliance with the new obligations.

If you have a query about how these proposed reforms may impact you or your business, please contact any of our Digital Governance, Cyber & Privacy team.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. Colin Biggers & Paisley, Australia 2024
