Navigating Australia’s first standalone Cyber Security Act 2024 (Cth)
The Cyber Security Act reflects the Commonwealth Government’s commitment to strengthen Australia’s cyber security foundations, scale cyber security maturity across the economy and introduce broader digital economy reforms.
As part of the significant hive of parliamentary activity last month, Australia now has a suite of new cyber security laws, including Australia’s first standalone Cyber Security Act 2024 (Cth). As part of this suite of statutory reforms, amendments to existing laws were also passed by Parliament, resulting in changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), the Intelligence Services Act 2001 (Cth) and the Freedom of Information Act 1982 (Cth). The focus of this insight is on the new Cyber Security Act.
The new Cyber Security Act introduces several key changes, including mandatory reporting obligations where ransomware payments are paid. It also establishes the Cyber Incident Review Board and provides for mandatory security standards for internet connected products, such as smart devices. For organisations and other entities impacted by the reforms, this means navigating a new compliance landscape and enhancing their processes and procedures to ensure that they can comply with the reforms.
The reforms form part of the Commonwealth Government’s 2023-2024 Australian Cyber Security Strategy and seek to strengthen Australia’s cyber security foundations and scale cyber security maturity across the economy.
Mandatory ransomware payment reporting obligations
The new laws introduce mandatory reporting obligations for any "reporting business entity" where an extorting entity demands a payment or benefit from an entity impacted by a cyber security incident and a payment is made. A cyber security incident is broadly defined under the Cyber Security Act and includes (among other incidents) a cyber security incident as defined under the SOCI Act.
This means that the laws apply not only to ransomware attacks but also to a much broader range of security incidents, including ‘denial of service’ and malware attacks.
A "reporting business entity" is broadly defined under the Cyber Security Act to include an entity that, at the time of the ransomware payment, is:
- "carrying on a business in Australia" with an annual turnover above the "turnover threshold" prescribed by, or worked out in the manner prescribed by, the rules. The explanatory memorandum suggests that the "turnover threshold" will be $3 million to align with the current small business exception under the Privacy Act 1988 (Cth); or
- an entity that is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies.
A "reporting business entity" does not include "a Commonwealth body or a State body".
Once triggered, the "reporting business entity" must submit a ransomware payment report in the prescribed form to the relevant "designated Commonwealth body" set out in the rules or, where no such entity is specified, to the Department of Home Affairs and the Australian Signals Directorate. The ransomware payment report must be made within 72 hours of making the payment or benefit, or of becoming aware that it has been made, and must address the matters set out under the Cyber Security Act, including, amongst other matters, information relating to:
- the cyber security incident and its impact on the reporting business entity;
- the demand made by the extorting entity;
- communications with the extorting entity relating to the incident, demand and the payment.
Failure to comply with the reporting obligations is a civil penalty offence. This means that reporting business entities could be subject to potentially high financial penalties of up to $99,000 if the entity is a body corporate (due to the penalty unit multiplier for bodies corporate in the Regulatory Powers (Standard Provisions) Act 2014 (Cth)).
This mandatory reporting obligation under the Cyber Security Act exists alongside an entity’s other reporting obligations at law, such as under the Notifiable Data Breach scheme under the Privacy Act, the cyber incident reporting obligations in the SOCI Act, and other disclosure obligations, such as the ASX’s continuous disclosure requirements.
To support responses to cyber security incidents, a designated Commonwealth body may record, use and disclose information in a ransomware payment report for a number of prescribed purposes including (among others):
- assisting the reporting business entity and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
- the performance of the functions of a Commonwealth or State body and the National Cyber Security Coordinator to respond to, mitigate or resolve a cyber security incident;
- the performance of the functions of an intelligence agency;
- informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident; and
- for certain criminal proceedings under the Criminal Code.
Ransomware payment reports may only be used or disclosed for the above purposes and other permitted purposes set out in the Cyber Security Act. There is also a general restriction on the use and disclosure of the ransomware payment report for some investigations and enforcement activities, as well as protections for communications which are subject to a claim for legal professional privilege, subject to exceptions. For example, a ransomware payment report may be used for criminal contraventions which impose a penalty or sanction for a criminal offence.
Security standards for relevant connectable products
The Cyber Security Act introduces a statutory mechanism which enables standards for "relevant connectable products" to be set out in rules prescribed by the Minister. Subject to some exceptions, this would require Australian manufacturers and suppliers of an "internet connectable product" or "network-connectable product" (for example, "smart" or "internet of things" devices, such as home assistants and smart watches) to comply with the mandatory security standards when the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia.
Manufacturers of a relevant connectable product must provide a statement of compliance with the security standard and suppliers of such products in Australia must supply the product with the statement of compliance with the standard. The applicable security standards are still being developed.
The Cyber Security Act enables the Secretary of the Department of Home Affairs to issue a compliance notice, stop notice or recall notice to entities that do not comply with the security standards. Non-compliance with the security standards may therefore result in a prohibition on selling relevant connectable products in the Australian market.
Entities that supply relevant connectable products will need to ensure that they comply with any mandatory security standards set out in the rules. We also recommend that entities procuring such products from a third party ensure that the contract requires the supplier of the relevant connectable products to ensure that the products meet the applicable mandatory security standards.
Other relevant matters
The reforms also introduce other measures, including:
- Coordinated responses to significant cyber security incidents. Under the new Cyber Security Act, the National Cyber Security Coordinator is granted functions and powers in respect of significant cyber security incidents. Entities impacted by a significant cyber security incident may voluntarily provide information to the National Cyber Security Coordinator in respect of such incidents. The powers and functions of the National Cyber Security Coordinator are not, however, unlimited and are subject to some key restrictions, including in respect of the use and disclosure of information provided to the National Cyber Security Coordinator.
- The establishment of the Cyber Incident Review Board (Board). The Board will have the ability to conduct reviews of cyber security incidents on referral by the Minister, the National Cyber Security Coordinator, an entity impacted by the incident or a member of the Board. The Chair of the Board will, subject to qualifications, have the power to compel the production of certain documents. The failure to comply with a written notice from the Chair of the Board is a civil penalty offence.
When does the Cyber Security Act come into effect?
- The Cyber Security Act received Royal Assent on 29 November 2024, and the obligations in the Cyber Security Act will come into effect at different times. Some provisions of the new Act are already in effect.
- The mandatory ransomware payment reporting obligations will come into effect on the date fixed by proclamation (or, otherwise, within six months following Royal Assent).
- The requirement to comply with relevant security standards for manufacturers or suppliers of relevant connectable products will come into effect on the date fixed by proclamation (or, otherwise, within 12 months following Royal Assent).
Ready yourself
The Cyber Security Act reflects the Commonwealth Government’s commitment to strengthen Australia’s cyber security foundations, scale cyber security maturity across the economy and introduce broader digital economy reforms. Our recent article on the practical steps to prepare and respond to a cyber security incident can be found here.
If you would like to discuss your cyber security and data privacy obligations, please do not hesitate to reach out to your contacts at Clayton Utz. Together with the cyber security experts in our Forensic and Technology Services team, we have both the legal and technological expertise to support you across the full lifecycle of your cyber security and data privacy needs.