
Navigating Australia’s evolving cybersecurity landscape: 4 key features of the Cyber Security Bill 2024

On 9 October 2024, the Australian Government introduced the Cyber Security Bill 2024. Among its key features, the Bill proposes mandatory reporting of ransom payments and new cyber security standards for smart devices.

As part of Cyber Awareness Month this October, Marsh is committed to keeping you informed on the latest developments in Australia’s evolving cyber security landscape.

Under the leadership of the new Federal Cyber Security Minister, Tony Burke, there has been a notable surge in regulatory activity in recent months aimed at strengthening Australia's cyber security framework. On 9 October 2024, the Australian Government introduced the Cyber Security Bill 2024 (the Bill), which builds on the amendments to the Privacy Act 1988 proposed last month. These reforms form part of the Federal Government's commitment to the six key pillars of the Australian Cyber Security Strategy 2023-2030. Minister Burke emphasised that the reforms are designed to address emerging cyber threats and to ensure that individuals and businesses are better equipped to respond to and recover from cyber incidents.

Here is a snapshot of some of the Bill's key features:

  1. Mandatory reporting of ransom payments 
    The Federal Government has long wanted a clear picture of how much Australian organisations are paying in ransoms and what those payments cost the Australian economy. If the Bill is passed, businesses with annual revenue exceeding $3 million will be required to report any ransom payment to the Australian Signals Directorate (ASD) within 72 hours of the payment being made. The obligation also applies where an entity becomes aware that such a payment has been made, so entities and the third parties that facilitate these transactions need to be clear about who reports, and by when. Non-compliance could attract a civil penalty of up to $19,800.
  2. Establishment of a cyber incident review board
    The Bill establishes a Cyber Incident Review Board (CIRB), which will independently review significant cyber security incidents and publish its findings for the benefit of all Australian organisations. The CIRB will have the power to compel entities to provide information and will issue recommendations aimed at improving future cyber resilience.
  3. New cyber security standards for smart devices
    The Bill empowers the Minister to set mandatory security standards for "connectable products", including mobile phones, tablets and smart home devices. Rules made under the Bill will specify the standards that must be met and could prohibit the supply in Australia of products that do not comply. Manufacturers may be required to provide a statement of compliance for their products. Non-compliance could lead to product recalls and to public disclosure of manufacturers that fail to meet the standards.
  4. Limited use regime
    The Bill introduces provisions limiting how information disclosed to government entities under the reporting regime can be used, and offers some protection to the entities that disclose it. An entity will not be liable to an action or other proceedings for damages for or in relation to an act done or omitted in good faith in complying with the reporting regime. Government agencies may only use and disclose information reported under the regime for permitted purposes, such as assisting the affected entity to resolve the cyber security incident and performing the functions of an "intelligence agency", as defined in the Bill.

Preparing for change

These legislative changes reflect the Government's proactive approach to addressing cyber security threats and strengthening the resilience of Australian businesses. We encourage you to stay informed and prepared as these significant reforms are debated in Parliament and, if passed, become law.

As a priority, we recommend that organisations incorporate the proposed 72-hour ransom payment notification obligation into their incident response playbooks and plans. As the reforms take shape, businesses should also consider the other aspects of the proposed legislation highlighted in this article when assessing their cyber resilience and planning their response to cyber incidents.

Learn more

If you have any questions, would like to discuss these cybersecurity reforms in more detail or want to explore how best to prepare for their implementation, please contact one of our cyber specialists.

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.

LCPA 24/584