The Latest on Cyber Security Regulation in Australia
Consultation on the latest proposals for cyber security regulation in Australia has now closed. What can we learn from the process to date?
Background
If you’re interested in the history of cybersecurity regulation in Australia, we summarised the current status of Australia’s Cyber Security Strategy and the ongoing consideration of what sort of cybersecurity regulation might be introduced to support that strategy in a blog post in 2023.
In November 2023, the much-anticipated 2023-30 Australian Cyber Security Strategy (Strategy) was released, accompanied by an Action Plan detailing key initiatives to be implemented over the next two years.
At that time, no decision had been made about what regulation would be appropriate.
Later in 2023, as foreshadowed in the Action Plan, the Government released a Consultation Paper which included proposed legislative reform in two main areas:
- new initiatives to address gaps in existing laws; and
- amendments to the Security of Critical Infrastructure Act 2018 to strengthen protections for critical infrastructure.
The consultation period on those proposals ended in March 2024.
What’s proposed
The Consultation Paper outlined nine proposed measures to address gaps in the existing cybersecurity legislative and regulatory framework:
- Measure 1: Secure-by-design standards for Internet of Things devices
- Measure 2: Ransomware reporting for businesses
- Measure 3: Limited use obligations
- Measure 4: A Cyber Incident Review Board
- Measure 5: Data storage systems and business-critical data
- Measure 6: Consequence management powers
- Measure 7: Protected information provisions
- Measure 8: Review and remedy powers
- Measure 9: Telecommunications sector security under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act)
In this post, we focus on three of these measures:
- Measure 2: Ransomware reporting for businesses
- Measure 3: Limited use obligations
- Measure 4: A Cyber Incident Review Board
Measure 2: Ransomware reporting for businesses
The Strategy had proposed to introduce a legislated no-fault, no-liability ransom reporting obligation for businesses. This proposal is reflected in Measure 2 of the Consultation Paper.
Reporting obligations
The Government proposes to establish two reporting obligations in relation to ransom demands:
- The first notification will be required when a ransom demand is received to decrypt data or prevent data from being sold or released.
- The second notification will be required if a ransom payment is made.
The timeframe for providing the reports may be aligned to existing reporting requirements (eg the 72-hour mandatory incident reporting mechanism under the SOCI Act).
Information to be reported
The Government asked for input on the information to be included in the report. There is a long list of detailed information that could be reported, including:
- when the incident occurred, and when the entity became aware of the incident;
- what variant of ransomware was used (if relevant);
- what vulnerabilities in the entity’s system were exploited by the attack (if known);
- what assets and data were affected by the incident;
- what quantum of payment has been demanded by the ransomware actor or cybercriminal, and what method of payment has been demanded;
- the nature and timing of any communications between the entity and the ransomware actor or cybercriminal;
- the impact of the incident, including impacts on the entity’s infrastructure and customers; and
- any other relevant information about the incident or actor that could assist law enforcement and intelligence agencies with mitigating the impact of the incident and preventing future incidents.
No-fault and no-liability principles
The Government asked for input on:
- a no-fault principle to provide assurance to entities that the agency receiving ransomware reports will not seek to apportion blame for the incident, and
- a no-liability principle to provide assurance to entities that they will not be prosecuted for making a payment.
Who should report
The Government also sought input on the entities that should be required to report ransom demands:
- Entities that are already subject to reporting obligations – this would include responsible entities for critical infrastructure assets under the SOCI Act (~1,000 entities).
- Entities with an annual turnover of more than $10 million (~42,000 businesses). Small businesses would be exempt (noting that the current small business threshold under the Privacy Act 1988 is $3 million).
Penalties
To enforce compliance, the Government proposes that a civil penalty would apply to any failure to comply with these reporting obligations. There would be no criminal penalties.
Measure 3: Limited Use Obligations
The Government proposes a ‘limited use’ obligation to restrict how cyber incident information shared with the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator can be used by other Australian Government entities, including regulators.
This obligation would only allow cyber incident information to be used for prescribed cyber security purposes, including:
- to assist the entity with preventing, responding to and mitigating the cyber security incident;
- to facilitate consequence management after a cyber incident;
- to identify further potential cyber security vulnerabilities and take steps to prevent further incidents;
- to analyse and report trends across the cyber threat landscape, including the provision of anonymised cyber threat intelligence to government, industry and international cyber partners;
- to inform relevant Ministers and government officials of the fact of a significant cyber security incident;
- to share incident information with other agencies for law enforcement, intelligence and national security purposes, such as taking action to identify, disrupt or deter cyber threat actors;
- to provide stewardship and advice to industry, including provision of advice to industry on cyber maturity and best practice risk mitigation across sectors; and
- to improve existing incident response mechanisms, such as incident reporting processes and coordination between government and industry.
At the same time, the Consultation Paper states that the limited use obligation does not preclude ASD and the National Cyber Security Coordinator from sharing appropriate information with other agencies, including law enforcement, national security and intelligence agencies and regulators. It states that regulators can use incident information for industry stewardship, to help manage cyber risks across sectors and to mitigate harms to individuals arising from cyber security incidents. However, they would not be able to use the information as part of an investigation or compliance activity.
Measure 4: A Cyber Incident Review Board (CIRB)
A Cyber Incident Review Board (CIRB) is proposed to conduct no-fault incident reviews to reflect on lessons learned from cyber incidents, and share these lessons learned with the Australian public. The paper sought input on the development of ‘no-fault’ principles for the CIRB, the membership of the CIRB and the extent to which it would have information gathering powers.
Responses
Just as in previous consultation processes (see our earlier summary), the Australian community has been generous, with over 220 public submissions listed on the Home Affairs website. A review of these responses suggests that some consensus is emerging.
Ransomware reporting
The stated objective of mandatory reporting of ransomware incidents and payments is to give the Government greater visibility of the threat landscape, and so increase the capacity of the Government and the private sector to help Australian organisations prepare for, and respond to, these incidents.
Many submissions question whether what is proposed is consistent with that objective, particularly given the burden on a reporting organisation that is simultaneously handling the incident, or whether ransomware reporting should instead be set up as a de facto threat intelligence sharing regime.
It has also been suggested that mandatory ransomware reporting should only be required if a ransom is paid.
Questions were raised about ASD’s capacity to handle a significant increase in reports, and about the deterrent effect on engagement with ASD if it is not seen as responsive and helpful. This is a valid concern given the stretched resources of government bodies and the experience in other jurisdictions where mandatory reporting obligations have been introduced.
No Liability principle
It is not clear if the no-liability principle would essentially constitute a defence against an entity breaching sanctions laws or instruments of crime laws by making a ransom payment. This should be made clear as otherwise it doesn’t simplify the current complex analysis that an entity needs to undertake to avoid breaching laws by making a ransom payment.
Limited use
There are questions around the limited use of the reported information. It has been noted that there are rights to share with a wide range of bodies, including law enforcement and regulators. It is not clear how the limited use obligation as expressed would prevent a regulator that has received information under limited use from exercising its other powers to obtain the same information for an investigation or compliance activity.
Some of the responses from law firms noted the need to preserve legal professional privilege and confidentiality plus an exemption from any FOI requests for any documents provided following a ransomware attack. It has also been suggested that there should be no sharing with regulators without the consent of the organisation involved.
The list of permitted uses includes to facilitate ‘consequence management’. It is not clear what falls within this concept and particularly if that stretches to investigation or compliance activity (which should not be allowed).
Cyber Incident Review Board
Although this recommendation was generally supported, there were many comments regarding the composition and role of the board.
There were also comments regarding the need to protect information disclosed to the CIRB, which should be subject to statutory confidentiality obligations to ensure that it cannot be accessed, used or disclosed for other purposes.
Any information that is subject to legal professional privilege should not be capable of being required to be given to the CIRB. In any event, even if disclosed, it should not lose that privilege by reason of the disclosure.
Other responses
Over 200 responses were submitted to the Consultation Paper. They can be downloaded here.
Australian Chamber of Commerce