Australia’s 2024 Cyber Security Reforms

The Act (together with the subordinate legislation being made under it) imposes obligations on manufacturers and suppliers of 'relevant connectable products' or smart devices to ensure the devices comply with mandatory security standards, have a statement of compliance, and ultimately, comply with ‘stop sell’ and product recall obligations where they are non-compliant.

Mandatory security standards are currently being made for consumer grade smart services, under the Cyber Security (Security Standards for Smart Devices) Rules 2024 (Rules)). The Rules require manufacturers/suppliers of smart devices that could be regarded as for ‘personal, domestic or household use or consumption’ and which are ‘acquired in Australia by a consumer’ (as defined in the Australian Consumer Law) to avoid generic device passwords, advise consumers of the support period (for security updates), and to have a program for reporting vulnerabilities.

Some consumer-grade smart devices will be excluded from these Rules, including:

• Desktop computers or laptops, tablets, and smartphones
• Medical devices, and
• Road vehicles and road vehicle components.

Laptops, computers, ipads and smartphones are exempt, essentially because they have existing security protections and complex supply chains which would make compliance difficult. However, it’s not expected that devices which connect to these types of devices would be exempt. That can include devices like payment terminals.

The Rules are subject to a 12 month implementation period, and won’t apply to smart devices which are already manufactured/in market.

The Department of Home Affairs has expressly advised that it will consider mandatory security standards for enterprise grade devices in future, as well as adding additional standards for consumer grade devices.

The Government has, for some time, expressed concern about the risks associated with the proliferation of internet-of-things or IoT devices in Australian households, the manner in which they collect data (including sensitive data), and the cyber risk arising from the use of these devices. The Cyber Security Act provides the Government with the flexibility to address security concerns through specific standards, including as technology and risks change.

After the 12 month implementation period, manufacturers and suppliers of consumer smart devices which meet the definitions will need to meet the mandatory security standards and have statements of compliance available.

The Act requires a reporting entity (defined as a business with an annual turnover >$3M or certain responsible entities for critical infrastructure) to report cyber ransom payments.

There are some protections associated with the reported information. It cannot be used by government agencies for enforcement (except re some criminal laws), the information is generally not admissible as evidence, and the Act looks to protect “privilege” to the extent it applies to reported details.

Ransom payment data has been notoriously patchy – it is often anecdotal or derived from survey questions or insurance related data sets. There is a need for good data to enable informed policy decisions. The Australian Government has also raised concerns about the limited reporting of cyber incidents (citing that only around 1 in 5 incidents are reported), including the corresponding impact on threat intelligence and mitigation.

Commencing 30 May 2025,, businesses which meet the reporting threshold will need to report cyber extortion payments (including details of the cyber incident, payment process and threat actor communications). While the report itself is unlikely to be onerous, the reporting regime another notification requirement into a complex regulatory and reporting environment. Importantly, it is not just the amount that is reportable – other details also need to be provided. Reporting will be undertaken via a webform at cyber.gov.au (essentially, similarly to critical infrastructure incident reporting).

The Act formalises the role of the National Cyber Security Coordinator as the Australian coordinator of significant cyber incidents, and creates a voluntary information flow regime for incident coordination, including:

• providing for organisations to voluntarily give the Coordinator and ASD (and ACSC) information about significant (and other) cyber incidents
• granting the Coordinator and other government entities the rights to use the information, and
• limiting the use of the information to certain purposes.

This ‘limited use’ regime is nominally for the purpose of responding to and resolving the incident. As with reported ransom information, the Act provides that the information provided voluntarily cannot be re-used by government agencies for enforcement (except re some criminal laws), is generally not admissible as evidence, and that its disclosure does not affect privilege claims (to the extent privilege would apply).

The ASD and other arms of Government have often lamented the lack of information flow around cyber incidents. In the context of a highly litigious space (with high regulatory and litigation risk), many organisations are reluctant to share openly without some form of protection. It follows that the limited use protections are an attempt to support open information flows.

Every organisation should plan for how it will work with government agencies, including the Coordinator, ahead of a cyber incident, and understand what information it would be comfortable providing. Despite the protections, legal advice will be needed to manage the complexity of the limited use rights. Cyber documentation should be updated to account for these considerations.

The Act establishes the CIRB as an independent board for the purpose of conducting no-fault, post-incident assessments of certain cyber incidents. The CIRB’s purview has a threshold (which in summary) includes serious or nationally significant incidents that are referred to it for review.

At the conclusion of a review, the CIRB will issue a report detailing its findings and recommendations. The CIRB also has certain information-gathering powers. Non-compliance with an information request may attract a civil penalty. Information received by the CIRB is subject to ‘limited use’ obligations (discussed above).

There have been a number of calls for mechanisms to enable whole-of-economy learnings from cyber incidents, including a post-incident type review for impacted organisations. The resulting CIRB mechanism is based on civil aviation accident review bodies.

CIRB review is likely to extend the tail of an incident. The nature and extent of participation and information sharing is unclear, and companies will need to prepare for certain incident details to be publicised. Companies should consider planning for participation inthe CIRB process, including through their Cyber Incident Response Plans.

The reform expands the type of assets currently captured as ‘critical infrastructure’ under the SOCI Act to more clearly cover related data storage systems that store or process business critical data.

Data storage systems, even where they are not primary or operational assets, can impact the operation of critical infrastructure. In some sectors the definition of critical infrastructure asset does not include data or data storage or processing systems, even though these may be components of a critical infrastructure asset.

The data storage systems of all SOCI entities will now expressly be subject to SOCI obligations. To be captured, a data storage asset:

• must be owned / operated by a critical infrastructure owner/operator which also owns/operates the primary critical infrastructure asset
• must store or process ‘business critical data’, and
• must be of a kind where vulnerabilities could impact the critical infrastructure asset itself (eg systems which are not network segregated or which hold key operational data).

Relevant entities have 6 months to ensure that:

• they meet the obligations to maintain a register and provide information about their regulated data storage systems
• their critical infrastructure risk management programs also cover regulated data storage systems, and
• they notify cyber incidents affecting those data storage assets.

The amendments extend existing government powers under Part 3A of the SOCI Act to a wider range of incidents (not only cyber security incidents, but any incident affecting the availability, reliability, or integrity of a critical infrastructure asset). This forms part of what has been described as an ‘all hazards’ approach. This means non-cyber incidents will be subject to government powers including information gathering and directions (although not intervention, which will remain confined to cyber security incidents). Trigger incidents could include things like terrorist attacks and natural disasters such as floods or bushfires. There are no new categories of government powers, and the powers are limited to ‘serious’ incidents, for example, those impacting national security, or social and economic stability, and which cannot be effectively addressed by another regulatory means.

The reforms address a gap in the Australian Government’s ability to manage major events affecting critical infrastructure, particularly where those events have broader consequences for the critical infrastructure ecosystem.

Entities have 6 months to ensure that business continuity, disaster recovery, and other response documents (not just cyber-related documents) are updated to take into account potential government powers under the SOCI Act. (We note entities responsible for critical broadcasting, domain name systems, data storage and processing, energy, food and grocery, payment services, freight assets and hospitals are already required to adopt an all hazard approach as part of their risk management program obligations.)

Careful consideration needs to be given to government stakeholder communication plans (although we note that obligations to notify incidents remain limited to cybersecurity).

The SOCI Act constrains the use and sharing of ‘protected information’ to protect potentially sensitive information regarding critical infrastructure.  The amendments narrow the definition of ‘protected information’, and expand and clarify when it can be disclosed.

The Government has acknowledged that the constraints on information sharing under the SOCI Act were too restrictive. Among other things, they were preventing information sharing in circumstances where it would have been beneficial during an incident. The reforms are intended to enable entities and government agencies to use and disclose information about incidents more broadly.

The reforms have reduced an artificial and technical barrier to information sharing (including during major incidents) for critical infrastructure owners/operators. A 6 month implementation period will apply.

The amending legislation brings telecommunications security obligations out of the ‘TSSR’ regime under Part 14 of the Telecommunications Act 1997 (Cth) and under the SOCI Act.

The amendment is a long-anticipated consolidation of telco- specific and general critical infrastructure security obligations.

Entities that operate telco assets have 12 months to assess their current compliance posture to ensure that they can continue complying with all security obligations. The  TSSR and equivalent SOCI provisions are not identical, and some uplift will be required.

Responsible entities are required to develop and maintain a CIRMP for their critical infrastructure assets under Part 2A of the SOCI Act. Under the reforms, the Critical Infrastructure Security Centre (CISC) now has the power to compel a responsible entity to vary its CIRMP to address ‘serious deficiencies’ (ie those that present a material risk to Australia’s national security, defence, or social or economic stability).

The changes are consistent with the Consultation Paper and reflect the government’s desire for a regulatory mechanism which helps to ensure responsible entities are adequately protecting critical assets.

Once the CISC has identified deficiencies and issued a direction to address them, entities have 6 months to amend their CIRMP in consultation with the CISC. However, entities should not wait for a direction to amend their CIRMPs if concerns about serious deficiencies are raised.

While the amendments may be consistent with the CISC’s Compliance and Enforcement Strategy, it’s difficult to assess how they will be used in practice (eg as a last resort?). While the CISC has issued useful guidance on the content of CIRMPs, it’s unclear what a ‘serious deficiency’, or the window of opportunity to address it, will look like in practice.