Reaching new horizons: the Australian Government’s 7 year Cyber Security Strategy and appointment of three OAIC watchdogs

On 22 November 2023, the Australian Government committed to investing $586.9 million into its 2023-2030 Australian Cyber Security Strategy (the Strategy) over the next seven years,[1] and delivering key initiatives under three major phases (Horizons).

Phase     | Period    | Description
Horizon 1 | 2023-2025 | ‘strengthen foundations’ by addressing critical gaps in Australia’s ‘cyber shields’, building better protections for vulnerable individuals/businesses, and supporting initial cyber maturity uplift across the region.
Horizon 2 | 2026-2028 | ‘expand its reach’ via the Government’s further investments into the broader cyber ecosystem and growing a diverse cyber workforce.
Horizon 3 | 2029-2030 | ‘lead the frontier’, through the development of emerging cyber technologies to adapt to new risks and opportunities across the cyber landscape.

The Strategy is supported by a Cyber Security Action Plan (Plan), which identifies the actions, and the Government agencies accountable for delivering them, under Horizon 1 of the Strategy.

A new Executive Cyber Council will facilitate the delivery of the Plan, which is to be delivered under six ‘Cyber Shields’. The Plan will be reviewed every two years. In this article, we outline the key initiatives businesses need to be aware of in preparation for adapting to the Strategy through to 2030.

Will your business have a say?

The Government has foreshadowed the release of a Consultation Paper to work with industry to inform the proposed legislative reforms on new initiatives to address gaps in existing laws and the amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act).

Public consultation is now open in relation to the Cyber Security legislative reforms discussed in the Consultation Paper, with submissions open until 5pm AEDT, Friday 1 March 2024 (see here).

Please do not hesitate to reach out to us if your business requires assistance in making a submission during this consultation period.

Previous submissions during the public consultation on the Strategy (between 27 February 2023 and 15 April 2023) can be found here.

What reforms does your business need to prepare for?

The Plan provides a roadmap for the following key proposed legislative reforms, which may impact organisations doing business in Australia over the next two years. These include, notably:

  1. Mandatory ransomware reporting – a ‘no fault, no liability’ ransomware reporting obligation for businesses to report ransomware incidents and payments.

    Subject to industry input on design, the Government has proposed that anonymised reports of ransomware and cyber extortion trends be shared publicly with industry and the broader community.

    Whilst Australia currently does not explicitly prohibit the payment of a ransomware demand, there are regulatory considerations businesses need to take into account, such as the Criminal Code Act 1995 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), and the Australian Cyber Security Centre (ACSC) recommends that victims do not pay a ransom.

    There has been no indication of the repercussions for businesses who fail to report or the protection for businesses who do report ransomware incidents.

    Mandatory reporting was previously considered by and withdrawn from Parliament in the Ransomware Payments Bill 2021 (Cth). We discussed the implications of that bill here.

  2. Legislated limited use obligation – to limit how information that industry shares with the ASD and a National Cyber Security Coordinator (Cyber Coordinator) can be used by other Australian Government entities, including regulators.

    The Government has also foreshadowed the co-design of a code of practice for cyber incident response providers, which will define service quality and expected professional standards, to give businesses greater confidence when engaging cyber security professionals.

  3. Data retention requirements – focused on limiting entities from holding non-personal data and to complement the Government’s response to the Privacy Act Review (see our articles on the Review here and here).

    Following a review of the data brokerage system, the Government may minimise and simplify data retention requirements to restrict unwanted transfer of data to malicious actors via data markets and to complement proposed Privacy Act reforms. The Government also looks to develop a voluntary data classification model to reduce enterprise risk and ensure organisations hold data in a consistent and unified way.

  4. Regulation of Internet of Things (IoT) / smart devices – by legislating mandatory cyber security standards for IoT devices to meet international security standards and assess national security risks presented by vendor products/services entering and operating in the Australian economy.

    This includes autonomous vehicles and distributed energy devices without built-in security which may present vulnerabilities that malicious actors can exploit. Further details for this mandatory standard are yet to be provided.

    The Government also looks to develop a voluntary labelling scheme for consumer-grade smart devices to align Australia with international markets, including the United States, Singapore and the United Kingdom.

  5. Amending the SOCI Act – by:
  • moving security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms in the Telecommunications Act 1997 to the SOCI Act (to reduce regulatory duplication and complexity, but arguably subject telecommunications providers to higher reporting requirements);
  • clarifying cyber security obligations for managed service providers;
  • ensuring critical infrastructure entities are adequately protecting their data storage systems;
  • considering options to incorporate cyber security regulation into ‘all hazards’ requirements for aviation and maritime sectors, including positive obligations to proactively manage cyber-related risks under existing legislation;
  • developing ‘review and remedy’ powers, including the power for the Government to direct entities to uplift risk management plans where it finds that a regulated entity is seriously deficient, as part of its new compliance monitoring and evaluation framework.

See our previous discussions on SOCI Act reforms here and here.

Bonus! Australia’s privacy, information and FOI watchdogs appointed

Separate but related to the Strategy, on 27 November 2023 the Attorney General Hon Mark Dreyfus KC MP announced the appointment of standalone Privacy and Freedom of Information (FOI) Commissioners in addition to the Information Commissioner, fully restoring the Office of the Australian Information Commissioner (OAIC) to its original three Commissioner model enacted by Parliament in 2015.

Ms Elizabeth Tydd has been appointed as the FOI Commissioner for a five-year term, commencing 19 February 2024.

Ms Angelene Falk, who will maintain the role of Information Commissioner, has stated that this three-Commissioner model is a ‘significant and welcome step for the OAIC and the Australian community’.

Ms Falk will remain as Privacy Commissioner until Ms Carly Kind (previously inaugural Director of the London-based Ada Lovelace Institute since 2019) commences her role as Privacy Commissioner on 26 February 2024.

[1] This is in addition to the Australian Government’s 2022 national security investment into REDSPICE (here) which sought to increase the offensive capabilities of the Australian Signals Directorate (ASD), bringing the total investment into cybersecurity to approx. $2.8 billion.