With the Federal Government’s cyber security reforms passing on 25 November 2024, it is anticipated that Australia’s cyber laws will be ushered into the 21st century to collectively strengthen and secure Australia’s cyber environment and protect our critical infrastructure. The suite of reforms seeks to create a cohesive legislative toolbox aimed at moving forward with clarity and confidence in the face of an ever-changing cyber and extortion landscape.
These reforms were expedited by the Parliamentary Joint Committee on Intelligence and Security, which recommended several proposals addressing issues raised under the Government’s 2023-2030 Australian Cyber Security Strategy released on 22 November 2023.
The legislative reforms encompass three Acts:
- the Cyber Security Act 2024 (Cyber Security Act);
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024; and
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).
The key reforms covered in this article concern the mandatory reporting of ransomware payments, a new voluntary information sharing regime, and the expansion of assets covered by the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act). Although not discussed in detail, the reforms also give the Minister the power to mandate security standards for Internet of Things (IoT) devices.
SOCI Act
Readers may recall our previous coverage of the increased compliance burden for responsible entities in Managing Australia’s Critical Infrastructure Assets. Under those changes, the Government sought to expedite the extension of Federal Government powers to address increasing security threats to Australia’s critical infrastructure assets deemed vital for maintaining Australia’s sovereign security and for managing the national security risks of sabotage, espionage and coercion posed by foreign involvement. Under the SOCI Amendment Act, a further category now extends to data storage systems that hold business critical data as critical infrastructure assets. Importantly, this inclusion now allows the Government to exercise its regulatory powers in circumstances similar to the widely publicised Optus and Medibank data breaches, which previously were not governed by the SOCI Act because the underlying critical telecommunication and insurance assets were not affected or governed by that Act.
The SOCI Amendment Act also expands the scope of the Government’s incident response powers to enable the directions power (to direct an entity to take, or not take a specific action) to be exercised in the event of any incident affecting critical infrastructure, not just cyber security incidents.
Cyber Security Act
The Cyber Security Act now requires certain organisations to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate – but only triggered upon the payment of a ransomware demand, not the receipt of a demand or the first discovery of a ransomware attack. Ransomware reports are to be made within 72 hours of payment and a failure to comply may result in a civil penalty of 60 penalty units (currently AU$93,900).
This reporting obligation applies not only to a responsible entity for a critical infrastructure asset under the SOCI Act but now also to any other private sector organisation carrying on business in Australia with an annual turnover exceeding a threshold yet to be specified.
These mandatory reporting obligations commence upon the earlier of six months after the Cyber Security Act receives royal assent or an earlier date as set by proclamation.
Limited Use Exemption
The Government is partially restricted on how information provided in such reports can be used or further disclosed by the Government with certain limited use protections provided to businesses. This limited use protection has been provided in response to risks to directors approving disclosure about a data breach to government cyber agencies and opening themselves to potential enforcement action from ASIC, to further regulatory action, or to adverse publicity and litigation.
Nonetheless, under the reforms, Government cyber agencies receiving a ransomware payment report cannot record, use or disclose the information provided for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention of a Commonwealth, State or Territory law, with the exception of crimes and breaches of the limited use protections created by the Cyber Security Act. Nor does such disclosure affect any claim of legal professional privilege over the information contained in the report. Importantly, reported information is not admissible in evidence against the disclosing entity in criminal, civil penalty and civil proceedings (including proceedings for a breach of the common law).
As a cautionary note, great care should be exercised when considering whether to make a ransomware payment, given that such a payment may be in breach of relevant sanctions laws or anti-money laundering legislation and, if so, the limited use protection will not prevent the use of the report in a subsequent investigation or enforcement action.
Voluntary Information Sharing Regime
In addition to the mandatory reporting of ransomware payments, the Cyber Security Act also establishes a new National Cyber Security Coordinator (NCSC), aimed at leading a coordinated government wide response to significant cyber security incidents.
Under those provisions, any organisation operating in Australia, or any responsible entity under the SOCI Act, may voluntarily disclose information to the NCSC relating to cyber security incidents. The framework also provides for limited use protections to the information voluntarily disclosed.
For non-significant cyber security incidents, the reported information may be used for limited purposes such as directing the reporting entity to assistance services, coordinating a government response, and informing Ministers. For significant cyber security incidents,[1] the reported information may be used for broader ‘Permitted Cyber Security Purposes’, including preventing or mitigating risks to critical infrastructure or national security, and supporting intelligence or enforcement agencies.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific circumstances. It is intended for information purposes only and should not be regarded as legal advice. Further professional advice should be obtained before taking action on any issue dealt with in this publication.