Australia’s Cyber Security Legislative Package

Author: Salma Khan, Associate Data Privacy Analyst, CIPP/Asia

Introduction

On 9 October 2024, the Cyber Security Legislative Package (CSLP) was introduced into the Australian Federal Parliament. It includes:

  • the Cyber Security Bill 2024;
  • the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; and
  • the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024.

If the CSLP passes, it will introduce the reforms outlined in the 2023-2030 Australian Cyber Security Strategy and its associated Consultation Paper. This paper aims to shed light on the key reforms proposed under the CSLP.

Preparing for the CSLP: Key Actionable Insights for Organizations

The CSLP is set to significantly influence how organizations in Australia handle cyber security incidents and respond to cyber threats. It introduces new legal requirements, making it essential for organizations to prepare now, stay compliant, and protect their operations. Organizations should consider the following:

1. Prepare for Cyber Incident and Data Breach Response

Organizations should begin by assessing and updating their cyber incident and data breach response plans. Key areas to focus on include:

  • 72-Hour Mandatory Reporting Requirement for Ransomware Payments: Entities involved in ransomware payment in response to a cyber incident will need to comply with a new 72-hour reporting mandate. Organizations must establish clear protocols to meet this rapid reporting obligation.
  • Information Disclosure Protocols: Businesses will need specific guidance on what information to share and establish an internal review process prior to submitting notifications. This includes voluntary notifications to the National Cyber Security Coordinator and mandatory notifications to the Cyber Incident Review Board.
  • Government Intervention Response: Entities governed by the Security of Critical Infrastructure Act 2018 must have procedures in place to respond to government directions. Organizations must also be prepared for potential government mandates during a security incident.

2. Limited Scope of Reporting Requirements Reduces Regulatory Exposure

One of the notable provisions of the Cyber Security Bill is the limitation on the use of mandatory ransomware payment reports. It benefits businesses in the following manner:

  • Limited Use of Ransomware Payment Reports: Commonwealth bodies can only utilize ransomware payment reports to manage and respond to the cyber incident itself. This restriction reassures organizations, as regulators cannot use these reports to initiate unrelated investigations or enforcement actions.
  • Regulators' Independent Powers Remain Intact: However, organizations should note that while the reports are limited in scope, regulatory bodies retain the right to conduct investigations into cyber security incidents using their pre-existing powers. The restrictions only apply to the ransomware payment report; they do not prevent regulators from gathering information through other means.

3. Enhanced Risk Management

Organizations already regulated under the Security of Critical Infrastructure Act and required to maintain risk management programs should take proactive steps to expand their programs. Specifically, entities should start addressing risks associated with critical data storage systems that contain business-critical information.

For a detailed understanding of CSLP, go through the information provided below.

Cyber Security Bill 2024

The Cyber Security Bill (CSB) introduces several reforms.

1. Mandatory Reporting

The CSB introduces mandatory reporting for ransomware and cyber extortion payments to the Department of Home Affairs through the Australian Cyber Security Centre within 72 hours.

  • Entities required to report are those operating in Australia with a turnover above a yet-to-be-determined threshold, or those managing critical infrastructure under the Security of Critical Infrastructure Act. These entities must notify if:
    • They experience a cyber security incident.
      • The CSB’s definition of a cyber incident is based on the Security of Critical Infrastructure Act (section 12M); however, it is expanded to include unauthorized interception of communications.
    • They or another entity receive a ransomware payment demand from an extorting entity.
      • Ransomware is a type of malware that encrypts data or systems, making them inaccessible until a ransom is paid to obtain a decryption key.
      • Cyber extortion involves the theft or compromise of personal information, with threats to expose or misuse it unless a ransom is paid.
    • They or another entity make a payment in response to a cyber incident.

The newly proposed mandatory reporting requirement addresses the current underreporting of ransomware and cyber extortion cases, as the existing voluntary reporting systems are not being utilized.

2. Limited Use Obligation

The CSB introduces a "limited use obligation" for Commonwealth bodies receiving cyber incident reports and restricts the use of this information. For example, Commonwealth bodies such as the National Cyber Security Coordinator (NCSC) can only use the information from ransomware reports to manage the immediate cyber security incident. This limits the use of the information to addressing the threat or risk posed by the incident.

Key protections include:

  • The information cannot be used to investigate or penalize the reporting entity for legal breaches (except criminal offenses or failure to meet reporting obligations).
  • Legal professional privilege is preserved.
  • The information is not admissible as evidence in civil or criminal proceedings against the reporting entity.

This approach reassures businesses that reporting a cybersecurity breach won’t automatically trigger unrelated regulatory scrutiny or legal repercussions. By limiting how the government can use incident reports, the CSB encourages businesses to engage with authorities more openly and promptly when facing cyber threats. However, the ‘limited use obligation’ does not provide a safe harbor from liability, meaning the information could still be used against the entity if obtained by other means.

3. Security Standards for Smart Devices

The CSB itself does not define or list specific technical security standards for smart devices (e.g., IoT devices, connected appliances, etc.). However, it grants the authority to create rules to regulate the security standard of these devices through regulations.

  • Once these security standards are prescribed in the regulations, businesses that manufacture or supply smart devices must follow them. This applies to any entity that intends to bring such products into the market, ensuring their devices meet the government-mandated security requirements.

The CSB also establishes an enforcement regime: the Secretary of Home Affairs has the authority to issue compliance notices, stop notices and recall notices for non-compliant devices, and to publicly notify a failure to comply with a recall notice.

4. Establishment of Cyber Incident Review Board

The CSB creates an independent board tasked with reviewing major cybersecurity incidents and offering recommendations for improvement. Importantly, these reviews are designed to be constructive and not focus on assigning liability. The working of the board includes the following:

  • The board will step in after initial incident response actions have concluded, reviewing events to identify areas for improvement.
  • At the end of each review, the board will produce a report outlining its findings and recommendations for both the government and private sector. These reports will exclude any personal, confidential, or commercially sensitive information, along with data that could jeopardize national security or international relations.
  • The board will have limited information-gathering powers, such as requesting documents. If voluntary cooperation is not achieved, the board can enforce compliance, with businesses facing civil penalties for failing to provide the requested information.

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Amendment Bill) introduces several reforms.

1. Expanded Definition of Critical Infrastructure Asset

Under the SOCI Amendment Bill, data storage systems that house business-critical data could be classified as critical infrastructure assets if:

  • The data storage system is owned or operated by a responsible entity and is used in relation to an existing critical infrastructure asset,
  • The system stores or processes business-critical data, and
  • A hazard affecting the data storage system could pose material risks to critical infrastructure assets.

This reform broadens the scope of assets regulated by the Security of Critical Infrastructure Act (SOCI Act), requiring regulated entities to evaluate their data storage systems to ensure compliance with their obligations under the Act.

2. Expansion of the Government’s Assistance Powers

The proposed SOCI Amendment Bill introduces significant changes to the government assistance powers under the SOCI Act, broadening their scope beyond just cyber security incidents. If enacted, these new powers will enable the government to respond to a wider range of ‘incidents’ that could impact critical infrastructure assets.

Key aspects of this expansion include:

  • The expansion of the government’s assistance powers allows for information gathering and action directives only if cyber incidents may have, are having, or are likely to have a relevant impact on critical infrastructure assets.
  • While the scope of assistance powers is expanding, intervention requests will still be confined to cyber security incidents.

3. Protected Information And Permitted Disclosure

Protected information under the SOCI Act includes information obtained while exercising powers related to the Act, such as mandated reports and critical infrastructure risk management documents. The criteria for identifying protected information can be ambiguous, causing concerns for entities managing critical infrastructure and hindering information-sharing with the government.

  • To address this, the SOCI Amendment Bill aims to refine the definition of protected information, focusing on whether disclosure could harm public safety, asset security, commercial interests, socioeconomic stability, national security, or the defense of Australia.

Under the SOCI Act, unauthorized disclosure of protected information can constitute an offense. The SOCI Amendment Bill permits the use and disclosure of protected information by a relevant entity when it is necessary for:

  • The ongoing operation of a critical infrastructure asset or to mitigate risks to its availability, integrity, reliability, or security.
  • The entity's business, professional, commercial, or financial affairs, provided the information was obtained or generated to comply with the SOCI Act.

4. Enhancement of Regulator’s Powers

The SOCI Amendment Bill enhances regulators' powers to enforce critical infrastructure risk management obligations. Under the amendment, regulators will be able to address serious deficiencies in the risk management programs of responsible entities, helping integrate risk management into their daily operations.

Non-compliance with regulatory directions may result in civil penalties of AU$82,500.

Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

The CSLP also includes the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill (IS Amendment Bill). The IS Amendment Bill aims to protect sensitive information related to cyber security incidents by amending the Intelligence Services Act 2001 (Cth). The amendment includes:

  • The introduction of a ‘limited use obligation’ designed to safeguard information that is either voluntarily provided to or acquired and prepared by the Australian Signals Directorate (ASD) during an impacted entity's engagement in a cyber security incident.

This limited use obligation aligns with the existing framework established by the CSB, which also imposes a ‘limited use’ obligation on the National Cyber Security Coordinator. This obligation encourages entities to engage more openly with the ASD during cyber security incidents.
