Australia introduces Comprehensive Cyber Security Legislation

25 November 2024

The Federal Government has reinforced its commitment to enhancing Australia’s cyber security by passing a suite of legislative reforms on 25 November 2024. The reforms were expedited on Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommendations.

The Comprehensive Cyber Security Legislation comprises:

the Cyber Security Act 2024 (Cyber Security Act);
the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024; and
the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).

The reforms address a number of proposals which were set out in the 2023 – 2030 Cyber Security Strategy. However, it is the introduction of mandatory reporting of ransom payments and a new voluntary information sharing regime – each subject to a limited use protection - that we expect will have the most immediate impact on organisations and are the focus of this article.

Other amendments of note include:

Security Standards of IoT Devices

The Cyber Security Act provides for the Minister to have the power to mandate security standards for Internet of Things devices. These standards will be detailed in legislative rules, with suppliers required to provide a statement of compliance for devices supplied to the Australian market.

Cyber Incident Review Boards

The Cyber Security Act establishes a new Cyber Incident Review Board (CIRB). The CIRB will be an independent advisory body, empowered to conduct no-fault, post-incident reviews of significant cyber security incidents and provide recommendations and information to both the private and public sector. The CIRB will be granted powers to compel entities to provide information about significant cyber security incidents where voluntary requests for information are unsuccessful.

Security of Critical Infrastructure

The expansion of assets captured by, and the Government’s powers under, the Security of Critical Infrastructure Act 2019 (Cth) (the SOCI Act). The SOCI Amendment Act categorises data storage systems that hold business critical data as critical infrastructure assets. This closes a gap in the application of the critical infrastructure regulations that became apparent in the aftermath of the Optus and Medibank data breaches, where the Government could not exercise its regulatory powers because, while the breaches involved the disclosure of substantial amounts of personal information, the underlying critical telecommunication and insurance assets were not affected.

The SOCI Amendment Act also expands the scope of the Government’s incident response powers to enable the directions power (to direct an entity to take, or not take a specific action) to be exercised in the event of any incident affecting critical infrastructure, not just cyber security incidents. The Government’s intervention power, however, will remain limited to cyber security incidents.

Further, the SOCI Amendment Act shifts the existing network security and incident notification obligations from the Telecommunications Act 1997 to the SOCI Act, consolidating the cyber obligations of telecommunication carriers and carriage service providers under a single piece of legislation. Under the reforms, responsible entities for prescribed critical telecommunications assets will be required to do their best protect their assets from any hazard where there is a material risk that the hazard could have an impact on the asset. This extends beyond the current obligation to protect networks and facilities from unauthorised interference or access, meaning responsible entities must now consider hazards other than cyber incidents, such as software bugs and defects in the network.

Mandatory reporting of ransomware payments

Australian organisations are being increasingly targeted by ransomware attacks. Ransomware attacks accounted for 11% of all cyber incidents responded to by the ASD in 2023-2024, (up from 8% in the previous year) and 71% of all extortion-related cyber security incidents.^[1]

While the Government has previously stated its desire to ban ransom payments, the Cyber Security Act only requires organisations to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate. This obligation will commence, at latest six months after the Cyber Security Act receives royal assent, or such earlier date set by proclamation. The reporting obligation applies broadly to:

any organisation who is a responsible entity for a critical infrastructure asset; and
any other private sector organisation carrying on business in Australia with an annual turnover exceeding threshold to be specified, but likely to be A$3 million.

Ransomware reports are to be made within 72 hours of payment and a failure to comply will result in a civil penalty of 60 penalty units (currently A$93,900). However, as detailed below, there are restrictions on how information provided in such reports can be used or further disclosed by the Government.

Notably, the reporting requirement is triggered on the payment of a ransom, not the receipt of a demand or the discovery of a ransomware attack. The requirement to report payments will need to be considered by Boards and General Counsel when considering whether to pay a ransom. Despite the introduction of mandatory reporting, the Government’s policy remains that organisations should not pay ransoms, arguing that payment does not guarantee the recovery or confidentiality of stolen data and merely encourages the proliferation of cybercrime. As such, the decision on how to respond to a ransom demand remains a difficult one for organisations given the potential consequences of both paying and not paying. For example:

paying a ransom may contravene other laws, such as sanctions or anti-money laundering legislation. This is particularly relevant given that the Government has started sanctioning cyber criminals, such as Aleksandr Ermakov, the individual responsible for the 2022 Medibank data breach;
directors need to act in the best interests of their organisation when exercising their duties, including taking reasonable steps to prevent foreseeable risks of harm. This will require balancing both the risks of payment (the commercial damage, the risk of re-targeting in the future, the uncertainty that the payment will be effective) with the risks of not paying (loss of systems and data, potential reputational damage and third party claims, the cost of any operational impact and loss of business).

If a ransom payment is made, then this reporting obligation will operate in addition to any other applicable reporting requirements that an organisation may be subject to, including under the Privacy Act 1988, the SOCI Act, continuous disclosure obligations under the ASX Listing Rules and CPS 234. Cyber incident response plans will need to address these overlapping regimes, noting the different regulators and reporting timeframes applicable to each.

For entities regulated under the SOCI Act, it is also conceivable that the Government could rely on its actions directions power to direct the entity to pay, or not pay, a ransom.

Voluntary reporting regime

The Cyber Security Act also establishes a new National Cyber Security Coordinator (NCSC), to lead a whole-of-government response to significant cyber security incidents.

The Act provides a framework for the voluntary disclosure of information by any organisation operating in Australia, or any responsible entity under the SOCI Act, to the NCSC relating to cyber security incidents and, depending on the significance of the incident, imposes limitations on how the NCSC may further use and disclose information voluntarily provided by entities.

Non-significant cyber security incidents: Information can be used for limited purposes such as directing the reporting entity to assistance services, coordinating a government response, and informing Ministers.
Significant cyber security incidents: Information can be used for broader ‘Permitted Cyber Security Purposes’, including preventing or mitigating risks to critical infrastructure or national security, and supporting intelligence or enforcement agencies.

A cyber security incident is deemed a significant cyber security incident if:

there is a material risk that the cyber security incident has seriously prejudiced, is seriously prejudicing or could reasonably be expected to prejudice the social or economic stability of Australia or its people, the defence of Australia or national security; or
the incident is, or could reasonably be expected to be, of serious concern to the Australian people.

Importantly, information voluntarily provided to the NCSC is subject to similar limited use protections as those that apply to information disclosed as part of a ransomware payment report.

This voluntary reporting regime and corresponding limited use protection will commence immediately.

Limited use protection but not safe harbour

The Cyber Security Act provides businesses with certain limited use protections when collaborating with the government’s cyber security agencies. This gives a clearer basis for businesses to work with the National Cyber Security Coordinator (NCSC) and through the NCSC, other government agencies to obtain assistance and guidance in responding to a cyber event.

It backstops the ‘gentlemen’s agreement’ Traffic Light Protocol (adopted from CISA) that these agencies have recently offered when providing assistance to Australian entities.

The Government’s view is that, not only are Government agencies such as the Australian Signal Directorate well placed to assist organisations in responding to cyber incidents, but greater information on current threats may prevent other organisations being subject to similar incidents.

This limited use protection responds to feedback received from the business community that disclosing information about a data breach to government cyber agencies may risk exposing the organisation to further regulatory or enforcement action, or to adverse publicity and litigation. The concern is that if a disclosure was determined to be contrary to the organisation’s best interests, then there is a risk that directors would be in breach of their duties in approving the disclosure, exposing directors to potential enforcement action from ASIC.

The Cyber Security Act does not go so far as to create a safe harbour but does limit the purposes for which information contained in a ransomware payment report or voluntarily provided to the NCSC in the context of a significant cyber security incident can be used or disclosed, e.g. to assist the reporting entity in responding to the incident.

The NCSC (and any Government agency it coordinates with) cannot record, use or disclose the information provided for the purposes of investigating or enforcing or assisting in the investigation or enforcement of any contravention of a Commonwealth, State or Territory law, with the exception of crimes and breaches of the limited use protections created by the Act. The crimes exception is a notable departure from a full safe harbour.

Secondly, information provided under these protections is not admissible in evidence against the disclosing entity, including criminal, civil penalty and civil proceedings (including a breach of the common law).

As an additional comfort, the Cyber Security Act expressly states that the provision of information to the NSCS does not affect any claim of legal professional privilege over the information contained in that information.

While this limited use protection should provide organisations with greater comfort when disclosing information to the Government, it is not a safe harbour and there are some notable gaps in the protection it affords. For example:

the information provided cannot be used or disclosed for the purposes of investigating or enforcing any contravention by the reporting entity of another law (whether federal, state or territory), other than a law that imposes a penalty or sanction for a criminal offence. This means that if the ransomware report indicates that a payment was made in breach of relevant sanctions laws, then the limited use protection will not prevent the use of the report in a subsequent investigation or enforcement action.
while information provided to the NCSC cannot be obtained from the NSCS by regulators or government agencies, the protection offered under this Act does not prevent regulators from obtaining the underlying information through other means, including via regulatory investigatory powers or where provided under other mandatory reporting regimes, such as those in the Privacy Act 1988 (Cth), the SOCI Act, the Telecommunications Act 1997 (Cth) and the ASX Listing Rules continuous disclosure obligations. This means that cyber incident notifications provided to the ACSC under the SOCI Act are not captured by the limited use protection, even if that information is also voluntarily provided to the NCSC or detailed in a mandatory ransomware report.

A similar limited use protection has been introduced via the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 for cyber incident information voluntarily shared with the ASD.

Key takeaways

As a matter of priority, organisations should review and uplift their cyber security response plans and procedures to ensure they align with the mandatory ransomware reporting requirements.

While the limited use protection does afford organisations with some comfort as to how reports may be used, it is important to note that this protection is not a safe harbour. It would be prudent to update cyber playbooks to consider engagement with the cyber security authorities against the new limited use protection, and to test business decision making processes in this area, when conducting executive and Board level desk top exercises.

Consequently, the legality of ransom payments and the best interests of the organisation (particularly in the context of directors’ duties) remain key considerations in responding to any ransom demand.

^{[1]
Australian Signals Directorate, Annual Cyber Threat Report 2023-2024}

Authors