New Cyber Security Regulation for Australia

Draft new cyber security bills were released this month.  The purpose of the new laws are to support Australia’s 2023 – 2030 Cyber Security Strategy and bring Australia in line with international best practice (according to the government’s media release). 

The measures are said to be designed to address gaps in current legislation to:

• introduce mandatory ransomware payment reporting for certain businesses;
• introduce a ‘limited use’ obligation (applying to information provided to the National Cyber Security Coordinator and the Australian Signals Directorate); 
• provide powers to a National Cyber Incident Review Board; and
• mandate minimum cyber security standards for smart devices.

The package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act) including clarifying  existing obligations in relation to systems holding business critical data and enhancing government assistance measures to better manage the impacts of all hazards incidents on critical infrastructure.

The legislative package consists of the following three draft bills:

• Cyber Security Bill 2024
• Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
• Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

We look more closely at some of the proposed changes below.

Background

The measures in this package were informed by an extensive consultation process, both prior to and following the release in November 2023 of the much anticipated 2023-30 Australian Cyber Security Strategy.  The Strategy was accompanied by an Action Plan which detailed key initiatives to be implemented across the next two years, although no decision was made about appropriate regulation. (We summarised the then-current status of Australia’s Cyber Security Strategy and the on-going consideration of what sort of cyber security regulation might be introduced to support that strategy in a blog post in 2023.)

As part of the Action Plan, the Government subsequently released a Consultation Paper​ proposing measures to address gaps in the existing cyber security legislative and regulatory framework.  We’ve covered that Consultation Paper in our blog post.  In that post, we  focused on three of the nine proposed measures, which were:

• Measure 2: Ransomware reporting for businesses
• Measure 3: Limited use obligations 
• Measure 4: A Cyber Incident Review Board

These three measures are included in the draft legislation released this month, and are the focus of this post.

Proposed changes

Ransomware reporting for businesses

The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement for certain entities that pay a ransomware payment (or other benefit) to an extorting entity. 

The legislation requires that a report be made to the Department of Home Affairs within 72 hours of making the payment, where:

• a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
• an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
• the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

The notice must include the following (plus other information as may be prescribed by rules):

• if a payment was made —the reporting business entity’s contact and business details (or the details of any other entity that made the payment);
• the cyber security incident, including its impact on the reporting business entity;
• the demand made by the extorting entity;
• the ransomware payment;
• communications with the extorting entity relating to the incident, the demand and the payment.

 Other information relating to the cyber security incident may also be included in the ransomware payment report.

Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount. (The amount will be specified in rules yet to be issued.)

Originally it was proposed to introduce two reporting obligations in relation to ransom demands:

• The first notification when a ransom demand is received to decrypt data or prevent data from being sold or released.
• The second notification will be required if a ransom payment is made.

However, the legislation now proposes just one single reporting obligation (where a payment or other benefit is provided to the ransoming entity). 

The move to a single reporting requirement reflects concerns around the burden on entities at a time when they are trying to respond to a difficult situation. It may also reflect concern for the ability of the ASD to handle a large volume of reports.

It is also worth noting that failure to comply with these reporting obligations may result in a civil penalty.

Concerns around loss of legal privilege have also been addressed by including a specific provision that providing information in a ransomware payment report does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings.

Limited Use Obligations

Given the above reporting obligations and the powers of the Board described below, there were concerns regarding how that information might be used, particularly if shared with other regulators who could commence investigations.

The legislation includes a ‘limited use’ obligation to restrict how cyber incident information shared with the Australian Signals Directory and the National Cyber Coordinator can be used by other Australian Government entities, including regulators.

 Allowed uses include:

• assisting entities to respond to, mitigate or resolve the cyber security incident;
• performing functions or exercising powers under the Act;
• certain criminal proceedings
• the performance of the functions of a Commonwealth or State body relating to responding to, mitigating or resolving a cyber security incident;
• the performance of the functions of the National Cyber Security Coordinator under this Act relating to a cyber security incident;
• informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
• the performance of the functions of an intelligence agency.

This should alleviate some of the concerns around the provision of ransomware attack-related information to the relevant bodies.

Cyber Incident Review Board 

Under the consultation paper, a Cyber Incident Review Board (similar to those in other jurisdictions like the USA) was proposed to conduct no-fault post-incident reviews to reflect on lessons learned from significant cyber incidents, and share these lessons with the Australian public. 

Following a series of major data breaches, a National Cyber Incident Review Board was established in April 2024. The Board’s main objective is to ensure a well-coordinated response to cyber threats, thus protecting businesses and critical infrastructure. The responsibilities of the NCIRB include:

• investigating significant cyberattacks. Understanding threat actors and developing defensive strategies requires a thorough investigation. 
• monitoring the enforcement of the compulsory reporting of ransom payments. This initiative aims to offer a thorough comprehension of the ransomware threat landscape, enabling the development of effective responses. 
• helping to disseminate valuable insights gained from cyber incidents. Through a thorough examination and analysis of these incidents, the board can pinpoint weaknesses, propose proactive steps, and play a role in strengthening Australia’s cybersecurity framework. 

The new legislation will upgrade the board’s investigative powers. The board will now be able to conduct “no-fault” investigations after significant cyber attacks. The board will then share insights to promote improvements in cyber security practices more generally. These insights will be anonymised to ensure the identities of victims of cyber attacks aren’t publicly revealed.

Under the proposed legislation, the Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses. 

Another amendment to note: Security of Critical Infrastructure Act

Amendments to the Security of Critical Infrastructure Act 2018 were also proposed.

The key change to note for regulated entities is that secondary assets which hold ‘business-critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset.  Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs

What happens next?

The package is a set of draft legislation. Submissions are invited by Friday, 25 October 2024. Further information about making a submission to a parliamentary committee is available here.

Given the significant consultation which has already taken place on this set of reforms, it is not expected that any major changes will be made to the current drafts which may pass in the next parliamentary sitting.

References

ParlInfo – Cyber Security Bill 2024 (aph.gov.au)