The Cyber Security Act follows Australia’s Cyber Security Strategy 2023-2030. The strategy, designed to position Australia as a leader in cyber resilience, foresees a number of measures in the Act, including a National Cyber Security Coordinator to oversee a coordinated national cyber response.
In a media release, Australia’s Minister for Cyber Security Tony Burke said the Act was “a key pillar of our mission to protect Australians from cyber threats” and that it “creates a coherent legislative toolbox for Australia to move forward with clarity and confidence in a changing cyber landscape.”
Experts urge IT and security leaders to update their cybersecurity incident response plans to take the legislative changes into account, since they may need to communicate with government in new ways during a cyber attack or crisis.
How will Australia’s new cyber security law affect organisations?
Two key changes affecting Australian organizations are a mandatory obligation to report any ransomware payments and the creation of a new voluntary reporting system for cyber incidents.
Mandatory reporting of ransomware payments
The government will require organizations above a certain size to report ransomware payments. While the size threshold is yet to be determined, Australian law firm Corrs Chambers Westgarth said the mandate would likely apply to businesses with a turnover of more than AUD $3 million.
Ransomware payments must be reported to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of payment. Organizations that fail to report these payments can be subject to a civil penalty, which Corrs said currently stands at AUD $93,900.
Corrs notes that, despite the new reporting obligation, government policy is still that organizations should not pay ransoms. The government’s position is that paying ransoms only feeds the business model of cybercrime gangs, and there is no guarantee that organizations will actually recover their data or keep it confidential.
Voluntary reporting of cyber incidents
The Act introduces a new framework for the voluntary reporting of cyber incidents. The initiative is designed to encourage freer information sharing when parties face a cyber attack, so that other private and public sector organizations and communities can benefit.
Under the NCSC’s oversight, any organization doing business in Australia can report incidents with some degree of protection under a “restricted use” obligation that limits what the NCSC can do with the information.
Corrs said, for example, that the law allows the NCSC to use information from a report of a significant cyber security incident to prevent or mitigate threats to critical infrastructure or national security, and to support intelligence or law enforcement agencies.
There are more measures in Australia’s new laws.
Several other measures included in the legislative package will affect the IT and security professions.
IoT device security is in focus.
The Australian government will now have the power to enforce security standards for Internet of Things devices. Corrs explained that once these standards are set out in legislative rules, any global supplier must comply if it wishes to continue supplying the Australian market.
Cyber Incident Review Board
Major cyber incidents in Australia are now likely to be reviewed by a newly established Cyber Incident Review Board. The CIRB will conduct no-fault, post-incident reviews, make recommendations, and have the power to compel institutions to provide information.
Other Cyber Security Legislation
The Cyber Security Act is part of a wider legislative package, including updates to Australia’s Security of Critical Infrastructure Act 2019. The SOCI Act has been updated to classify data storage systems that hold business-critical data as critical infrastructure assets, among other changes.
IT and security teams are urged to review cyber incident response plans.
IT and security teams should review their cybersecurity incident response plans and incorporate changes where necessary. This will accommodate new mandatory ransomware payment reporting obligations and engagement with the National Cyber Security Coordinator.
The new regulatory obligations will require organizations to adjust their plans to ensure compliance. CISOs and security teams will play a key role in adjusting plans and integrating these changes into future cyber security tabletop exercises. Corrs noted that the trigger for reporting a ransomware payment is the payment itself, not the receipt of a ransom demand. This will affect both how organizations manage these decisions and when they choose to communicate them.
Organizations may also have overlapping reporting requirements with different timelines: under Australian privacy laws, under the SOCI Act if they are designated critical infrastructure entities, and under continuous disclosure obligations if they are listed on the Australian Stock Exchange. In addition