Australia’s first standalone cyber security law – the Cyber Security Act 2024

Written By

Nick Boyle

Partner
Australia

I have deep experience acting for and advising clients on digital transformation projects and complex commercial transactions, including those involving procurement, the design and implementation of complex IT systems, business process outsourcing arrangements and the commercialisation of technology services and systems. I also advise clients on data protection and cyber-security related matters, including advice on regulatory compliance with privacy and cyber laws, and data incident responses.

Bill Smith

Partner
Australia

I represent clients engaged in complex project disputes, with a focus on international arbitration in the energy and infrastructure sectors. I am presently based in Sydney, but have spent more than half of my career working overseas to support international clients with the delivery of major projects.

Jonathon Ellis

Partner
Australia

I'm a dispute resolution and regulatory investigations partner in our Sydney office. I work with clients to solve complex issues facing their businesses, whether that is a commercial dispute or engagement with regulatory agencies.

Background

The Australian Government in 2023 published its 2023-2030 Australian Cyber Security Strategy (Cyber Security Strategy), which we have previously covered in more detail here. As part of the implementation of that Strategy, the Government in October 2024 introduced its ‘Cyber Security Legislative Package’ comprising three pieces of legislation, including the Cyber Security Bill 2024 (Cth). The Cyber Security Bill 2024 was passed by Parliament in the last week of November, which was the final sitting week of the year, and so became the Cyber Security Act 2024 (Cth).

What is the overall objective of the Cyber Security Act?

The Cyber Security Act comprises several parts which address some disparate issues and requirements:

  • Part 2 legislates mandatory security standards for smart devices;
  • Part 3 establishes reporting obligations for certain types of entities that make ransomware payments, including some provisions limiting the use of those disclosures;
  • Part 4 creates a regime around the voluntary sharing of information with the National Cyber Security Coordinator in connection with ‘significant cyber security incidents’, and limitations on the purposes for which that shared information may be recorded, used and disclosed; and
  • Part 5 establishes a Cyber Incident Review Board which will undertake reviews of certain cyber security incidents.

When do the requirements under the Cyber Security Act commence?

The Act received Royal Assent on 29 November 2024, and the provisions of Parts 1, 6 and 7 commenced on 30 November 2024 (i.e., the day after it received assent), although:

  1. the ransomware reporting requirements and Cyber Incident Review Board provisions commence on a date to be proclaimed or 29 May 2025 (whichever occurs first); and
  2. the provisions around mandatory security standards for smart devices commence on a date to be proclaimed or 29 November 2025 (whichever occurs first).

What are the ransomware reporting requirements?

Part 3 of the Act sets out mandatory reporting requirements for entities that experience a cyber security incident and elect to pay a ransom or extortion payment demanded by a threat actor who is seeking to benefit from that cyber incident. The reporting obligations also extend to entities who are aware that another entity has made a ransomware payment on their behalf – e.g., if a cyber security expert, accountant or lawyer paid a ransomware payment on behalf of the affected entity, the entity would remain subject to the obligation to report.

The reporting obligations apply to “reporting business entities” which are:
  1. entities carrying on a business in Australia with an annual turnover for the previous business year that exceeds the ‘turnover threshold’ for that year – this is prescribed in, or worked out in the manner prescribed by, the rules. The rules have not yet been prescribed by the Minister for Cyber Security, but the Government has indicated that it intends to set this threshold at AUD 3 million; and
  2. a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.

A reporting business entity must make a report within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made, with reports to be made through a portal on the cyber.gov.au website.

The obligation on the entity making a report is to report the information that it knows, or is able, by reasonable search or enquiry, to find out, relating to the following matters:

  • the contact and business details of the entity that made the payment;
  • the facts of the cyber security incident, including its impact on the reporting business entity;
  • the demand made by the extorting entity;
  • the ransomware payment; and
  • any communications with the extorting entity relating to the incident, demand and the payment.

The Act contemplates that a report may also include other information relating to the cyber security incident.

A civil penalty of 60 penalty units (currently AUD 19,800) can apply where a reporting business entity that is obligated to make a mandatory ransomware payment report fails to do so within the 72 hour timeframe. However, the Department of Home Affairs has indicated that it “is committed to an education first approach to regulation and it will prioritise warnings, meetings and engagements, before pursuing civil penalties, especially in respect of small and medium enterprises”.

The Act also provides that the Department of Home Affairs and the Australian Signals Directorate may only use and disclose information contained in a ransomware payment report for a permitted purpose, being a handful of limited purposes specified in the Act including around responding to, mitigating and resolving cyber security incidents, national security and intelligence, and some limited enforcement activities. However, while the regime purportedly prevents information in a ransomware payment report being used in connection with regulatory investigations or enforcement action under the Privacy Act 1988 (Cth), as an example, some commentators have expressed concerns about how these ‘limited use’ obligations will operate in practice.

How does the Act impose security standards for smart devices?

The provisions of Part 2 of the Act apply to products that can directly or indirectly connect to the internet (defined as ‘relevant connectable products’) that the manufacturer ‘could reasonably be expected to be aware’ will be acquired in Australia.

The regime provides that the Minister can mandate security standards through Ministerial rules for smart devices, with flexibility to tailor security standards to a subset, type or class of smart devices (e.g., they could be different for health-related devices vs smart doorbells or security cameras vs ‘smart home’-type devices).

Entities who manufacture devices in Australia or supply smart devices to the Australian market are required to provide a statement of compliance for smart devices, including a declaration that the device complies with applicable security requirements for the product of its class.

The Act also establishes an enforcement and compliance regime for entities that fail to comply with the regime, comprising:

  • compliance notices requiring an entity take specified steps or actions to address an identified issue of non-compliance;
  • stop notices requiring an entity to stop or refrain from doing a particular action;
  • recall notices requiring an entity to take specified steps to arrange for the return of the product to the entity or the manufacturer of the product; and
  • public notifications of a failure to comply, which will be issued when an entity fails to comply with a recall notice, and published on the Department’s website or anywhere else the Minister considers appropriate. These notices can include a wide range of information, including the risks posed by the product and the identity of the manufacturer or supplier, which may have significant reputational impacts.

The roles of the National Cyber Security Coordinator and Cyber Incident Review Board

Part 4 of the Act contemplates that the National Cyber Security Coordinator (NCSC) is a public servant within the Department of Home Affairs who supports the Minister for Cyber Security, and is responsible for coordinating and triaging whole-of-Government action in response to significant cyber security incidents, as well as:

  • national cybersecurity policy;
  • whole-of-government cyber incident preparedness efforts; and
  • strengthening Commonwealth cybersecurity capability.

The Act also sets up a regime for voluntary information sharing with the NCSC, which is again subject to a ‘limited use’ obligation similar to that which applies to the contents of a ransomware payment report.

The other role established by the Act is the Cyber Incident Review Board (CIRB), which operates as an independent advisory body that makes recommendations to government and industry “about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future”.

Interestingly, the CIRB will have power to compel information and specific documents from entities involved in a cyber security incident where requests for information have been unsuccessful.
