The Australian Government takes its next step towards becoming a world cyber security leader by 2030.

In brief

In 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy.

9 October 2024 marked the latest in a series of legislative reforms in pursuit of that strategy, as the Cyber Security Legislative Package 2024 (Package) was introduced to Parliament. The Package has been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report.

The Package contains the following:

  1. Cyber Security Bill 2024 (“Cyber Security Bill”);
  2. Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (“Intelligence Services Amendment Bill”); and
  3. Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (“SOCI Amendment Bill”).

The Package is targeted at addressing legislative gaps to bring Australia in line with global best practice and fostering collaboration and information-sharing between industry and government. This includes establishing a mandatory reporting requirement for ransomware and cyber extortion payments. Businesses should closely watch the progress of the Package.

Key Takeaways

Key areas of focus for businesses will likely be:

  • Understanding the complexity of the Package and how the provisions inter-relate with existing regulatory schemes.
  • Identifying what additional processes may be needed, in particular for managing and reporting cyber security incidents as well as increased engagement with government bodies on such incidents.
  • The potential extra-territorial impact of the Package.

In more detail

Cyber Security Bill

The Australian Government seeks to increase proactive industry reporting and engagement following cyber incidents. The Government has perceived that businesses may be hesitant to voluntarily report information due to concerns that such information may be shared between Government agencies and used against them in future proceedings. The Cyber Security Bill sets out a framework for the Government to gather information about emerging cyber threats and Australia’s overall risk position, which in turn will inform future protections and policy.

Security standards for IoT devices

IoT devices include home and personal technology such as smart TVs, smart watches, home assistants and baby monitors. These devices collect and process increasing volumes of personal and other sensitive information, often without the knowledge of the user. The Bill introduces a broad power for the Government to prescribe mandatory security standards for IoT devices. The Government has indicated that the intention is for Australia to align itself with international best practice with a particular focus on the UK, reinforced by adoption of the UK definition of ‘relevant connectable products’. Manufacturers and suppliers will be required to provide a statement of compliance for any devices they manufacture or supply to the Australian market. The Bill also introduces an enforcement and compliance regime under which compliance notices, stop notices and recall notices may be issued in the event of non-compliance with applicable standards. Manufacturers and suppliers of relevant connectable products, including those located outside of Australia, could find themselves subject to the new reporting requirements.

Mandatory reporting of ransomware and cyber extortion payments

The Government continues to consider ransomware among the most significant cyber threats. The Bill introduces a framework for mandatory reporting of ransomware and cyber extortion payments. Ransomware is malware designed to encrypt devices and data, rendering them inaccessible without a decryption key, which is only provided if a ransom is paid. Cyber extortion involves the theft of confidential information (such as personal information) and the threat of disclosure if a ransom is not paid.

An entity is a ‘reporting entity’, subject to the new reporting obligation, if it:

If a reporting entity experiences or reasonably suspects a cyber security incident, has received a demand, and provides a payment to the extorting party (or is aware that a third party has done so), it will be required to make a report to the Australian Cyber Security Centre (ACSC) through the Online Portal. The report must be made within 72 hours of the payment or awareness of the payment.

The definition of cyber security incident adopted by the Bill is based on section 12M of the SOCI Act and broadened slightly to include where a communication has been intercepted by an unauthorised party.

Limited Use Obligation on government

The Bill will impose a “Limited Use Obligation” on government bodies receiving cyber security incident information. For example, cyber incident information disclosed voluntarily to the National Cyber Security Coordinator (NCSC), and information disclosed to the ACSC or Australian Security Directorate (ASD) in a ransomware payment report, can only be used to assist the entity to mitigate and respond to the incident, and for limited further cyber security purposes.

The following protections will generally apply to information disclosed (subject to limited exceptions):

  • it cannot be recorded, used or disclosed to investigate or enforce a breach of law by the reporting entity (other than a criminal offence or a breach of the ransom payment reporting obligation);
  • it will not affect any existing right or claim to legal professional privilege; and
  • it is not admissible in evidence against the reporting entity for civil or criminal proceedings, tribunal proceedings, or any other proceedings for a breach of law (including the common law).

Additionally, neither an entity nor its representatives who made or omitted an act in good faith, in making a ransom payment report, will be liable in relation to that act or omission.

Importantly, the Limited Use Obligation provisions will not serve as a ‘safe harbour’ to shield businesses from liability. Reported information can still be used against the reporting entity if collected through other means.

Cyber Incident Review Board

The Bill establishes the Cyber Incident Review Board (Board) to review certain cyber security incidents and make recommendations to government and industry based on its findings, acknowledging that there are further lessons to be learned by both Government and industry when it comes to high-profile and high-impact cyber security incidents.

The aim of investigations conducted by the Board will not be to assign liability, but to reflect on common elements or themes, and what can be done to avoid them in the future.

The Board will have limited information-gathering powers – to be used only where voluntary requests for information from entities involved in a cyber security incident have been unsuccessful.

Intelligence Services Amendment Bill

The provisions proposed by the Intelligence Services Amendment Bill are designed to create a safe environment for businesses to voluntarily report on cyber security incidents, without compromising the efficacy of the regulatory function. The Bill incorporates the Limited Use Obligation set out above with respect to the NCSC into the Intelligence Services Act 2001 (Cth), to apply to the ASD (including the ACSC).

SOCI Amendment Bill

The SOCI Amendment Bill proposes a series of amendments to the SOCI Act in pursuit of Shield 4 of the 2023-2030 Australian Cyber Security Strategy: Protected Critical Infrastructure. The Bill seeks to remedy gaps in the current regulatory framework for protecting critical infrastructure and broaden the asset classes that fall within the scope of the framework.

Expansion of critical infrastructure asset definition

The Bill expands the definition of critical infrastructure assets to include data storage systems holding business critical data, as opposed to solely applying to operational assets. A responsible entity for a critical infrastructure asset may need to revisit its SOCI Act obligations to ensure this new category of critical infrastructure asset is sufficiently protected including adequate cyber security incident response processes.

Government powers relating to critical infrastructure incidents

Currently, the Government is empowered to do the following in response to a serious cyber security incident affecting a critical infrastructure asset:

  • issue information-gathering directions to relevant entities, requiring entities to provide information;
  • issue actions directions to relevant entities, requiring entities to do or omit a certain act; and
  • give intervention requests to the authorised Government agency, allowing them to step in.

These powers are intended to serve as a last resort.

The Government has assessed that the current powers do not allow it to adequately respond to incidents affecting critical infrastructure assets more generally (i.e. non-cyber incidents), where the availability, integrity and reliability of the asset may still be at risk. As a result, the Bill proposes that the information-gathering and action direction powers (but not the intervention power) be broadened to be enlivened following any incident affecting a critical infrastructure asset.

Simplification of information-sharing across industry and government

“Protected Information” under the SOCI Act, broadly speaking, is information obtained in the course of exercising powers or performing duties or functions under the SOCI Act, including information prepared or exchanged in specified circumstances (e.g., to report certain matters required under the SOCI Act). It also includes key documents such as a critical infrastructure risk management program. Unauthorised disclosure of Protected Information can constitute an offence.

It may not always be clear whether information falls under this definition. Given the potential for criminal proceedings, dealing with this information appropriately has caused some concern for entities responsible for critical infrastructure assets. This has impeded information-sharing by industry with government.

In response, the Bill would restrict the definition of Protected Information to an assessment of whether it could cause harm, or pose risk to the Australian public, the security of the asset, commercial interests, the socioeconomic stability, national security or defence of Australia. Additionally, disclosure of Protected Information will be permitted for an entity to operate the critical infrastructure asset or manage its own affairs.

Addressing serious cyber risk management deficiencies

Entities that are responsible for cyber security assets must establish, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP). This is to ensure responsible entities are proactively and holistically identifying, preventing and mitigating risks to critical infrastructure assets.

At present, the Government is not empowered to require an entity to vary a deficient CIRMP. The Bill will enable the Government to issue directions to address any serious deficiencies that are identified in a CIRMP, addressing perceived gaps in the current powers available.

Security of critical telecommunications assets

The Bill proposes bringing the regulation of the telecommunications sector further under the SOCI Act. Currently there is a hybrid scheme with some SOCI Act requirements for the telecommunications sector being addressed under instruments issued under the Telecommunications Act 1997 (Cth). The intention is to clarify security and other obligations for responsible entities of critical telecommunications assets and unify regulation of critical infrastructure assets under the SOCI Act.

Responsible entities for critical infrastructure telecommunications assets must:

  • protect the asset to ensure security, confidentiality of communications, and the availability and integrity of the asset; and
  • notify the Government of changes that may affect the entity’s ability to protect the asset.

Where the Government considers there may be a risk to security, they may issue a direction to the responsible entity not to use or supply the asset.

Author

Paul Forbes is a partner in the Dispute Resolution group at Baker McKenzie, Sydney. Paul acts in complex commercial disputes before state, federal and appeal courts in relation to claims for negligence, misleading conduct and other contraventions of trade practices legislation, breach of contract, judicial review, equitable relief, fraud, white-collar crime, data and cyber-security. Paul also has significant experience in class actions, financial services, disputes related to business sale and purchase contracts, supply and distribution contracts, franchising agreements and the use and misuse of confidential information.

Author

Ryan Grant is a litigation partner with over 12 years' experience. Ryan has acted for national and international technology and media companies in relation to disputes in the areas of misleading or deceptive conduct, data protection, data breach, copyright, defamation, including online defamation, and general commercial disputes. Many of these disputes involve issues that have never been litigated in Australia. Ryan also holds a Bachelor of IT majoring in Software Engineering and Internet Technology and worked as a software developer prior to becoming a lawyer. Ryan focuses his practice on advising and acting for technology and media companies in litigious matters, particularly in the areas of data protection, general commercial disputes, defamation, intellectual property, information technology and commercial law.

Author

Adrian Lawrence is the head of the Firm's Asia Pacific Technology, Media & Telecommunications Group. He is a partner in the Sydney office of Baker McKenzie where he advises on media, intellectual property and information technology, providing advice in relation to major issues relating to the online and offline media interests. He is recognised as a leading Australian media and telecommunications lawyer. Adrian's practice focuses on advising on online and offline media interests including digital copyright, data and information transfer, content and advertising regulation, consumer protection, defamation, online payment systems and transaction engines, online gambling, website risk minimisation measures, online security and cryptography, securities licensing, and trade marks and domain names.

Author

Anne has been with Baker McKenzie since 2001. Prior to that, she spent four years with the Australian Attorney-General's Department/Australian Government Solicitor mostly working on large IT projects. In her time at Baker McKenzie, Anne has spent 18 months working in London (2007-2008) and more recently three years working in Singapore (2017-2020). Anne's practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice. Anne regularly leads projects for drafting, localising or rolling out commercial agreements of data protection policies for multiple jurisdictions in Asia Pacific and conducting due diligence for undertaking new activities in Asia Pacific markets. While in Singapore, Anne worked with many businesses seeking to navigate data, tech regulatory and business establishment issues across Asia. Key industry sectors in which Anne works are TMT, defence and public sector, consumer goods and retail, financial services, healthcare and automotive.

Author

Jarrod Bayliss-McCulloch is a special counsel in the Information Technology & Commercial department at the Melbourne office of Baker McKenzie and advises on major technology-driven transactions and regulatory issues spanning telecommunications, intellectual property, data privacy and consumer law with a particular focus on digital media and new product development. Jarrod joined the Firm in 2009 and his prior experience includes working in strategy consulting and development economics. Jarrod’s practice focuses on technology and commercial contracts (including drafting and negotiating master services agreements), product counselling and advising on current and emerging technology regulatory issues spanning data protection, cyber security, consumer law, digital media and content, intellectual property and artificial intelligence. He has recently advised leading international technology, communications and media companies on cross-border product launches, commercial contracting and regulatory issues and also has prior litigation experience in multiple jurisdictions including Australia and Malaysia.

Author

Simone Blackadder is a special counsel in Baker McKenzie's IP Tech team in Sydney. Simone has been with Baker McKenzie since 2010. In her time at Baker McKenzie, Simone has spent 3 years working in London (2017-2020). Simone focuses on providing commercial contracting advice for service and outsourcing arrangements. Simone also provides advice on regulatory and privacy issues for IT, online, financial services and technology businesses. Simone regularly advises on cyber security, including compliance and cyber response incidents. While in London, Simone worked with many businesses seeking to navigate their obligations under their contracting arrangements as well as data, tech regulatory and GDPR implementation. Key industry sectors in which Simone works are TMT, consumer goods and retail and financial sectors.