The Australian government has introduced the country’s first standalone cybersecurity law to Parliament – the Cyber Security Bill 2024 (the “Cyber Security Bill”), representing a significant step towards bolstering the nation’s cyber defences and aligning with international best practices.
Key Provisions of the Cyber Security Bill
A. Mandatory Cyber Security Standards for Smart Devices
One of the cornerstone initiatives of the Cyber Security Bill is the introduction of mandatory security standards for Internet of Things devices, which the Bill refers to as “relevant connectable products”. These standards are designed to ensure that smart devices, such as smart TVs, watches and home assistants, meet minimum security requirements (for example around default passwords, vulnerability disclosure and security updates) so as to protect user data and privacy. Manufacturers and suppliers will be required to provide a statement of compliance for any in-scope devices they manufacture or supply to the Australian market. The Cyber Security Bill also introduces an enforcement and compliance regime under which compliance notices, stop notices and recall notices may be issued in the event of non-compliance with an applicable standard. Manufacturers and suppliers of relevant connectable products, including those located outside Australia, may find themselves subject to the new compliance requirements if their products are supplied into the Australian market.
B. Mandatory Ransomware Reporting
The Cyber Security Bill mandates that certain businesses, including those responsible for critical infrastructure assets in Australia and other businesses above a prescribed annual turnover threshold, must report ransomware and cyber extortion payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of making the payment or becoming aware that the payment has been made. The obligation is triggered by the payment (or other benefit) itself, not by the underlying incident, and it applies whether the payment is made by the entity or on its behalf. Failure to comply with these reporting obligations may result in a civil penalty. This requirement aims to enhance transparency and enable the government to better understand and mitigate the impact of ransomware attacks.
C. Limited Use Obligations
Information disclosed in a ransomware payment report under the Cyber Security Bill is protected by several provisions. It cannot be used to investigate or enforce a contravention of law by the reporting entity, except in relation to criminal offences or a breach of the ransomware payment reporting obligation itself. Legal professional privilege is not waived by making a report, and the information is not admissible in evidence against the reporting entity in civil proceedings. Entities and their representatives are also protected from liability for acts or omissions done in good faith when reporting ransomware payments. However, the limited use obligation does not provide a ‘safe harbour’ from liability more generally: the same information remains available to regulators and litigants if it is obtained through other means, such as a separate notification regime, discovery or a regulator’s own investigation.
D. Establishment of a Cyber Incident Review Board
The Cyber Security Bill also proposes the creation of a Cyber Incident Review Board. This board will conduct no-fault, post-incident reviews of significant cyber security incidents and publish findings and recommendations intended to prevent similar incidents in future. The establishment of this board underscores the government’s commitment to continuous improvement in cyber security practices.
Implications for Businesses
Businesses operating in Australia will need to closely monitor the progress of the Cyber Security Bill. The introduction of mandatory reporting requirements and security standards will necessitate changes in how businesses manage and report cyber security incidents, including building the 72-hour ransomware payment notification into incident response playbooks and confirming whether any products they supply fall within the smart device standards. Additionally, the limited use obligations and related government assistance measures are designed to foster greater cooperation between the private sector and government agencies.