On 25 November 2024, the Australian Government passed the Cyber Security Act 2024 (Cth) as part of a suite of cyber security legislation, including the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.
While the Security of Critical Infrastructure Act 2018 (Cth) already imposed cyber security obligations on owners and operators of critical infrastructure, the Act is the first Australian law specifically designed to strengthen cyber security across the whole of the Australian public and private sectors.
The law introduces a series of measures which seek to strengthen cyber security in Australia, many of which are novel by international standards. The Act:
- mandates security standards for certain products sold in Australia that directly or indirectly connect to networks;
- requires entities making ransomware payments to report those payments to the Australian Signals Directorate within 72 hours;
- allows entities impacted by a cyber security incident to voluntarily share information about the incident with the National Cyber Security Coordinator, and encourages information-sharing by providing that any such information may only be used and disclosed for limited purposes, and is not admissible as evidence in proceedings against the entity that provided it;
- facilitates the sharing of information about cyber security incidents by the Australian Government to State and Territory Governments for limited purposes; and
- establishes a Cyber Incident Review Board, which has the power to conduct reviews in relation to major cyber security incidents, and make recommendations to Government and industry about actions that can be taken to prevent, detect, respond to or minimise the impact of similar incidents in the future.
The dates that the various measures under the Act will come into effect are still to be announced.
Security standards for connectable products
The Act provides that the Minister may make rules which provide a security standard for a product which connects to the internet or a network (a “connectable product”) and is sold in Australia. This would include mobile phones and computing and networking equipment, but also other internet-connected devices such as security cameras, home assistant devices, sensors, appliances and motor vehicles.
If the rules provide a security standard for a connectable product:
- manufacturers must manufacture the connectable product in compliance with the requirements of the security standard, if they are aware, or ought to be aware, that the connectable product will be sold in Australia;
- a supplier must supply the connectable product with a statement of compliance;
- a supplier must not supply the connectable product in Australia if it does not comply with the security standard, where they are aware, or ought to be aware, that the connectable product will be sold in Australia; and
- manufacturers and suppliers must comply with any other requirements of the security standard (for example, to publish information about the connectable product).
Connectable products that do not meet the security standards may be subject to mandatory recall from sale in Australia.
Ransomware payment reporting
The Act imposes a reporting obligation on an entity that is impacted by a ransomware attack and that has made a ransomware payment to a threat actor, or is aware that another entity has made a ransomware payment to a threat actor on its behalf.
The reporting obligation will only apply to entities with an annual turnover above a threshold which is yet to be determined.
The ransomware payment report must be made to the Australian Signals Directorate (or such other Government body specified in the rules) within 72 hours of the ransomware payment being made, and must include:
- the contact and business details of the entity that made the payment;
- details of the cyber security incident, including its impact on the entity;
- details of the demand made by the threat actor;
- details of the ransomware payment;
- details of any communications with the extorting entity relating to the incident, the demand and the payment; and
- any other details required by the rules.
A corporation which fails to notify a ransomware payment may be subject to a civil penalty of up to $99,000.
Voluntary reporting of information
The Act provides that an impacted entity may voluntarily report information to the National Cyber Security Coordinator in relation to “significant cyber security incidents”. A significant cyber security incident means there is a material risk that the incident has, or could reasonably be expected to, seriously prejudice the social or economic stability of Australia or its people, or the defence or national security of Australia, or that the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
The National Cyber Security Coordinator is a recently established office within the Department of Home Affairs responsible for leading the coordination and triaging of cyber security incident response across the whole of the Australian Government.
Cyber Incident Review Board
The Act establishes the Cyber Incident Review Board, a body responsible for conducting reviews in relation to significant cyber security incidents (as defined above) or other cyber security incidents which involve novel or complex methods or technologies.
The Cyber Incident Review Board will have powers to compel entities to produce information and documents to assist a review.
Following a review, the Cyber Incident Review Board will publish its report and make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future.
Limits on the use of reported information
The Act limits the purposes for which information provided under the Act - ransomware payment reports made to the Australian Signals Directorate, information voluntarily reported to the National Cyber Security Coordinator in relation to a significant cyber security incident, and information provided to the Cyber Incident Review Board - may be used by the Australian Government. Permitted purposes include responding to, mitigating or resolving the incident, assisting the entity to respond to the incident, and conducting criminal proceedings. The accompanying Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth) limits the purposes for which the Australian Signals Directorate may on-share information it receives under the Act.
The Act also provides that information provided by entities under the Act:
- may not be used for the purposes of investigating or enforcing any contravention by the reporting entity of a Commonwealth, State or Territory law;
- is not admissible in evidence in most criminal and civil proceedings against the reporting entity; and
- does not constitute a waiver of any legal professional privilege in that information.
These provisions aim to make entities more willing to share information in relation to cyber security incidents by reducing the risk that such information will be used against them in any way.