In response to the surge in cyber attacks on Australian businesses and individuals, the Federal Government has introduced the Cyber Security Bill 2024 (Cth) (Cyber Security Bill) into Parliament. The Cyber Security Bill aims to strengthen Australia’s cyber security framework and position the nation as a global leader in cyber security by 2030. It is a key component of the 2023-2030 Australian Cyber Security Strategy, which we discussed in our previous article on Australia's roadmap to global cyber leadership.
The Cyber Security Bill is intended to provide a framework to address cyber security issues, enhance protections, mitigate risks, and improve the government’s visibility of the threat environment, ensuring Australia is better prepared for future cyber threats. We summarise the key provisions of the Cyber Security Bill below.
Secure-by-design standards for smart devices
Smart devices, such as smart TVs, watches, home assistants, and baby monitors, have become integral to daily life in Australia. By 2025, it is expected that the average Australian household will have around 33.8 connected devices. The Australian Signals Directorate (ASD) Cyber Threat Report 2022 to 2023 highlighted that internet-facing devices are particularly vulnerable to cyber attacks, with the average cost of cybercrime per incident being $46,000 for small businesses, $97,200 for medium businesses, and $71,600 for large businesses.
Currently, there are no mandatory cyber security standards for smart devices, nor are there regulations requiring built-in security features to be active by default. During public consultation, there was support from the government, industry, and consumers for a mandatory approach to enhance the cyber security of smart devices (see our article Australia's evolving cyber security landscape: Consultation launched for information on the public consultation paper).
Mandatory cyber security standards and the obligations on manufacturers and suppliers
To address this gap in the regulatory framework, the Cyber Security Bill introduces mandatory cyber security standards for smart devices. These standards will apply to ‘relevant connectable products’, which include any device that connects to the internet to send and receive data, either directly or through another product. The definition of ‘relevant connectable products’ aligns with UK standards. It is hoped that the rules and security standards (once released) will conform with international market standards to ensure uniformity for manufacturers operating globally.
The Cyber Security Bill proposes that manufacturers must:
- manufacture their products to comply with these mandatory security standards, if they are aware, or could reasonably be expected to be aware, that their product will be acquired in Australia; and
- provide a statement of compliance for the devices they manufacture, confirming that the device meets the relevant standards (and, notably, the contents of the statement of compliance are consistent with equivalent UK requirements).
Suppliers in Australia will also have obligations to only supply compliant products, accompanied by a statement of compliance. The supplier can either request the statement of compliance from the manufacturer or have the product tested by a verified third party to obtain a statement of compliance.
Formalisation of the proposed standards
The proposed standards will be formalised in the legislation’s Rules, allowing the government to keep pace with evolving technology and respond to emerging threats with appropriate security standards. Companies should remain vigilant, as any prescribed security standard under the Rules could rapidly impact the smart device market.
Compliance and enforcement
To enforce these standards, the Cyber Security Bill will establish a compliance regime, with non-compliance potentially resulting in compliance notices, stop notices, or recall notices. According to the Cyber Security Bill’s Explanatory Memorandum, civil penalties have been excluded as it is anticipated they would have limited effect on changing behaviours and business decisions of manufacturers and suppliers of smart devices in the Australian market.
Mandatory ransomware reporting obligations
Ransomware and cyber extortion attacks continue to present a significant threat to Australia’s digital landscape. In 2023 alone, Australian businesses paid an average of $9.27 million to hackers, according to Cyber Security Minister, Tony Burke.
These attacks, which involve malicious software designed to cripple digital infrastructure by encrypting systems and demanding a ransom for their release, have caused substantial harm to the Australian economy and national security. The Department of Foreign Affairs and Trade and the Australian Cyber Security Centre (ACSC) strongly advise against paying a ransom, as it does not ensure the recovery of sensitive data and may increase the risk of future attacks.
Reporting obligations and criteria for reporting
The Cyber Security Bill introduces mandatory reporting obligations for ransomware and cyber extortion payments with the intention to improve the government’s visibility of ransomware incidents, which are currently underreported. According to the Cyber Security Bill’s Explanatory Memorandum, the Australian Institute of Criminology found that only 20% of ransomware victims report the attacks, leaving a significant gap in understanding the full impact of these crimes. Conversely, industry has expressed concerns that new mandatory reporting obligations will add pressure to entities that are already dealing with a cyber threat. These reporting obligations will be in addition to other cyber-related reporting obligations, including those under the Privacy Act 1988 (Cth) (Privacy Act), the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), APRA Prudential Standard CPS 234, ASX continuous disclosure requirements, and, for some Australian organisations, the EU or UK General Data Protection Regulation (GDPR).
Entities that meet certain criteria will be required to report ransomware payments to the Department of Home Affairs. More specifically, a report must be made when:
- a cyber security incident that impacts or could impact (either directly or indirectly) an entity has occurred, is occurring, or is imminent;
- an extorting entity makes a demand of the business entity or a related third party in order to benefit from the incident; and
- the entity or a related entity provides a payment or benefit to the extorting entity in response to the demand.
Reporting timeframe and penalties
Entities must submit the ransomware payment report within 72 hours of making the payment or becoming aware that a payment has been made. The report should include detailed information about the incident, the extortion demand, the payment made, and any related communications with the extorting entity. Failure to comply with the reporting requirements can result in a civil penalty of up to 60 penalty units (currently $18,780).
Use and disclosure of the reported information
The Cyber Security Bill includes provisions on the permitted use and disclosure of the information contained in the ransomware payment report. The information reported can only be used by government agencies for specific purposes, such as assisting the affected entities in responding to the cyber security incident and enabling the ACSC to perform its duties. This provision offers broad protection to the reporting entity to ensure that the information cannot be used to investigate or enforce actions against the reporting entity (other than for a contravention of the ransomware payment obligations, or a criminal offence).
Legal professional privilege and admissibility of reported information
Information included in a ransomware payment report is not intended to impact an entity's claim of legal professional privilege in relation to that information. Nonetheless, entities should exercise caution when providing information to the ACSC that is the subject of legal professional privilege, as such disclosure may still, in certain circumstances, result in a waiver of that privilege.
If the information in a ransomware payment report is obtained by a Commonwealth or State body, it is generally inadmissible in most civil and criminal proceedings. Importantly, this provision does not apply if the Commonwealth or State body obtains the same information through other lawful means.
Liability protections and limitations for reporting entities
A reporting entity will not be liable for civil damages as a result of complying with its ransomware reporting obligations (provided the relevant act was done in good faith). This provision is intended to protect entities from incurring liability as a consequence of compliance with these reporting obligations, for example, if the making of the report would otherwise breach confidentiality or other obligations that are owed to a counterparty under a contract.
Importantly, however, the liability protections under the Cyber Security Bill will not provide a ‘safe harbour’ in relation to the ransomware incident itself, and organisations may still be exposed to:
- liability or sanctions under other applicable laws; and/or
- civil liability.
For example, the organisation may incur liability if the ransomware incident constitutes a breach of the Privacy Act or the SOCI Act, or if the ransomware incident has arisen as a result of negligence or gives rise to a breach of contract.
Reviewing cyber incident response plans
During the consultation, the government initially considered a two-step reporting process, suggesting one report for a ransomware threat, and a second report for a ransomware payment. However, it was determined that this approach would be overly burdensome for entities and unnecessary, considering that many entities already have reporting obligations relating to cyber-related incidents (as outlined above).
Entities should review their cyber incident response plan to ensure it addresses this new ransomware reporting obligation.
'Limited use' of information
During a data breach, entities often voluntarily notify the National Cyber Security Coordinator (NCSC) to seek guidance. However, the ASD has observed a plateau in incident reporting and engagement from industry. At its core, some entities fear that the information shared with the NCSC might be used against them in future regulatory or legal action. To address this concern, the Cyber Security Bill formalises the voluntary reporting process and aims to offer reassurance to entities regarding the use of information shared with the NCSC.
The 'limited use' obligation
The Cyber Security Bill introduces a 'limited use' obligation. This measure restricts how information provided to the NCSC regarding significant cyber security incidents, or other cyber security incidents (i.e. those not deemed significant), can be used and shared with other government agencies, including regulators.
An incident will be a significant cyber security incident if:
- there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice either Australia’s social or economic stability, defence or national security; or
- the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
For any significant cyber security incident, the NCSC can use the information to assist the impacted entity to respond to, mitigate or resolve the incident, or for 'permitted cyber security purposes', which include (amongst other things) preventing or mitigating material risks to a critical infrastructure asset and the performance of the functions of an intelligence agency or a Commonwealth enforcement body.
For any other cyber security incident (i.e. one that is not a significant cyber security incident), by contrast, the NCSC can only use the information in a more limited way: specifically, directing the impacted entity to other services for assistance, coordinating a whole-of-government response to the incident, or informing the Minister of the incident.
Scope of the 'limited use' obligation
The 'limited use' obligation applies to any information given to the NCSC by an impacted entity or a representative, such as a law firm specialising in cyber threat response. Importantly, entities with mandatory reporting obligations under existing law cannot use this voluntary reporting process in place of making the mandatory report.
Legal professional privilege and admissibility of the reported information
The information shared under this voluntary reporting process is subject to the same protections as discussed above (i.e. preservation of legal professional privilege and inadmissibility of the information), although entities should be mindful that the information disclosed to the ACSC could still be subject to a subpoena or a freedom of information request.
Cyber Incident Review Board
Recent high-profile breaches, such as those involving Medibank, Optus, Latitude Financial, and MediSecure, have underscored the need for a more robust mechanism to review and learn from significant cyber incidents, in order to better prepare for future attacks.
Unlike the United States, which has recently established the Cyber Safety Review Board to review major cyber incidents and issue public findings, Australia lacked a similar mechanism. The United States' Board has been well-received by industry and has successfully completed three reviews since its inception in 2022.
Cyber Incident Review Board and criteria for incident reviews
The Cyber Security Bill proposes the creation of an independent advisory body, the Cyber Incident Review Board (CIRB). The CIRB, consisting of a Chair and up to six other standing members, will conduct post-incident reviews of major cyber security incidents in Australia. Reviews will be initiated through written referrals from either the Minister, the ACSC, impacted entities, or Board members.
The CIRB will only review a cyber security incident after the incident has occurred, and after the initial response mechanisms have concluded. The CIRB must also be satisfied that the incident, or series of incidents, meets any one of the following criteria:
- the incident has seriously prejudiced, or could reasonably be expected to prejudice:
  - Australia’s social or economic stability;
  - defence; or
  - national security;
- the incident involves novel or complex methods or technologies, and an understanding of those incidents could enhance Australia’s preparedness, resilience, or response to incidents of a similar nature; or
- the incident is of serious concern to the Australian people.
Following each review, the CIRB will share its recommendations and reasons with both government and industry, with the aim to strengthen Australia’s collective cyber resilience.
Significantly, the CIRB's reviews will be conducted on a no-fault basis, meaning they will not assign blame or determine liability. The reports will exclude any personal, confidential, or commercially sensitive information, as well as any information that could compromise Australia’s security, defence, or international relations.
Authority to request information and penalties for non-compliance
To effectively carry out its functions, the CIRB will have the authority to request specific information or documents from entities, with reasonable compensation provided by the Commonwealth. In line with the protections discussed above, legal professional privilege claims will remain unaffected, and the information or documents provided will not be admissible in most proceedings.
Entities failing to comply with information or document requests may face a maximum civil penalty of up to 60 penalty units (currently $18,780), except in cases where compliance would prejudice Australia’s security, defence, or international relations (amongst some other exceptions).
Conclusion
The Cyber Security Bill marks a step towards strengthening Australia’s cyber security framework, aiming to create a more robust and secure digital landscape. Minister for Cyber Security, Tony Burke, stated, “[t]his legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from cyber security threats.”
Entities impacted by the Cyber Security Bill can begin preparing their compliance strategies and identifying necessary internal process and procedural changes to ensure readiness once the Bill has been enacted.
As a leader in cyber security, MinterEllison provides integrated legal, cyber risk, and technology consulting services. This integrated capability enables us to advise and navigate our clients through the challenging and complex cyber security risk landscape. Please contact us if you would like assistance managing your cyber risks, or in understanding how the Bill may impact your organisation.