September was a big month in Australian cyber. Regulators and government agencies competed for headlines. Threat activity was prolific. The Australian Financial Review Cyber Summit drew heavyweights from across the sector. And HSF released its 2024 Cyber Risk Survey report!
At the Summit, Minister Burke gave us a taste test of upcoming cyber law reform. There was a lot of discussion around the so-called ‘limited use’ provisions, as industry came to grips with the fact it will not offer ‘safe harbour’. Shock waves rippled throughout an otherwise jovial room, when Commissioner Constant said that ASIC is actively investigating directors and executives that are falling short when it comes to protecting their organisations from foreseeable cyber risk.
In the privacy realm, the federal government released the first tranche of long-awaited privacy reforms and the OAIC released its notifiable data breaches report for January to June 2024.
In terms of AI, the federal government introduced a Voluntary AI Safety Standard, and it is seeking feedback on its Proposals Paper for Introducing Mandatory Guardrails for AI in High-Risk Settings (in addition to a new Scams Prevention Framework). Government use of AI is also under review.
Deficiencies in the public sector’s security posture were again emphasised in the Australian National Audit Office’s audit of the Department of Defence.
Unsurprisingly, cyber security remains the top investment priority for Australian and New Zealand CIOs in 2025.
Internationally, data centres have been classified as ‘critical national infrastructure’ in the UK, and Indonesia is launching a fourth branch of its military dedicated to cyber warfare and defence. The FBI disrupted a large-scale Chinese state-backed botnet, while China denied an ABC report that it hacked the Pacific Islands Forum.
Cyber incidents that made headlines in September include those impacting Australian interior solutions supplier Nikpol, Planned Parenthood, New Zealand accounting firm Bennett Currie, fundraiser supply company BSG Australia, Swinburne University’s Malaysian campus, White Mountain Backpacks, Seattle-Tacoma International Airport, Australian aged care agency Daughterly Care, Dell, Total Tools, cyber security firm Fortinet, Australian flooring provider Protecta, Avis, Transport for London, Central Bank of Iran, Taiwanese Stock Exchange, Russian taxi app Yandex Taxi and the Australian Cancer Research Foundation. Each of Microchip Technology and Haliburton have now confirmed that data was stolen in attacks on the organisations in August. Temu denied it was hacked.
Privacy reforms were introduced into Parliament this month, marking the next step in a protracted exercise in modernising Australia’s Privacy Act.
We have prepared a summary of the Privacy and Other Legislation Amendment Bill 2024 and its implications for your business, so you don’t have to.
Podcast: Cross Examining Cyber with David Thodey
Cameron Whittfield and Carolyn Pugsley interviewed David Thodey, one of Australia’s most respected company directors and current Chair of Xero and Ramsay Healthcare. After we discussed his fascinating career, David provided some valuable insights into the role of a director and board in a cyber incident. Our discussion was so rich, we decided to break the podcast in two.
Part one is here. Keep an eye out for part two, dropping later this week.
Catch up on past episodes here.
HSF Cyber Risk Report 2024
Our Cyber Risk Report 2024 was launched at the Australian Financial Review Cyber Summit in Sydney this month (an event proudly sponsored by HSF).
The report reflects on data captured in the only survey in Australia to seek the views of legal leaders in relation to an evolving cyber risk landscape. We hope it prompts some provocative discussions regarding cyber engagement and investment.
We are sending out benchmarking reports this week, to those who requested one. If you think you’d benefit from one, you can still complete the survey here.
Business to get cyber ‘safe harbour’ protections – Australian Financial Review – 17 September 2024
Minister for Home Affairs and Cyber Security, Tony Burke, revealed measures to be proposed by the federal government to pursue the 2023 – 2030 Australian Cyber Security Strategy. These include ‘limited use’ protections regarding information shared by industry with the ASD and the National Cyber Security Coordinator during incident response, mandatory cyber ransom payment reporting, the introduction of a Cyber Incident Review Board, amendments to the Security of Critical Infrastructure Act 2018, and new laws specifying security standards for Internet-of-Things (IoT) devices.
Regulators warn cyber reforms will not provide immunity from prosecution – Australian Financial Review – 17 September 2024
On a panel event at the Cyber Summit, alongside HSF’s Cameron Whittfield, Privacy Commissioner Carly Kind said it would be ‘problematic’ if the proposed ‘limited use’ provisions protected entities from regulatory action. ASIC Commissioner Simone Constant said that information shared during an incident typically played a minimal role in ASIC investigations, emphasising the regulator’s focus on ‘cyber washing’ and the process companies are adopting to prepare their organisations for a cyber incident.
ASIC readies to wield a big stick against boards lax on cybersecurity – Australian Financial Review – 17 September 2024
ASIC investigations are currently underway into directors and executives who have taken inadequate steps to manage cyber risk. Commissioner Constant urged directors to demand evidence to back up cyber security claims made by executives and security teams.
Report shows highest number of data breaches in 3.5 years – Office of the Australian Information Commissioner – 16 September 2024
The OAIC was notified of 527 data breaches between January and June 2024, the highest number of notifications in 3.5 years, and a 9% increase from the previous six-month period. The health and government sectors reported the most breaches. Malicious cyber activity continues to cause most breaches and most breaches impacted 100 people or fewer. The OAIC clarified that paying a ransom would not be sufficient to prevent serious harm to affected individuals, as it relates to an eligible data breach assessment.
OAIC welcomes first step in privacy reforms – Office of the Australian Information Commissioner – 12 September 2024
The OAIC welcomed the first tranche of reforms to the Privacy Act 1988 as a step towards strengthening Australia’s privacy framework.
HSF’s summary of the reforms can be accessed here.
Defence’s management of ICT systems security authorisations – Australian National Audit Office – 11 September 2024
The Australian National Audit Office (ANAO) conducted an audit of the Department of Defence to assess the effectiveness of its arrangements to manage the security authorisation of its ICT systems. The Department agreed with ANAO’s eight recommendations in the report. Key takeaways from the audit are the importance of up-to-date policy and guidance documentation, and accurate, evidence-driven compliance monitoring and reporting.
The Albanese Government acts to make AI safer – Minister for Industry and Science – 5 September 2024
The Minister for Industry and Science announced two new initiatives designed to ensure safer use of artificial intelligence: (1) a Voluntary AI Safety Standard, which provides practical guidelines on how to best implement AI with due regard for the protection of oneself and others, and (2) a Proposals Paper for Introducing Mandatory Guardrails for AI in High-Risk Settings. The consultation period for the Proposal Paper closes this Friday 4 October 2024.
Government’s use of AI to be examined – IT News – 13 September 2024
The federal government’s use of AI is being reviewed by a new inquiry body, the Joint Committee of Public Accounts and Audit, to ensure measures are being implemented regarding appropriate and ethical use of AI.
Australian government touts new Scams Prevention Framework – Cyber Daily – 13 September 2024
The federal government has introduced details of a new Scams Prevention Framework, which is now open to consultation. Draft legislation contemplates regulation of specific industries. Non-compliance could see operators in industries including financial services, telecommunications and social media platforms fined up to $50 million.
Critical vulnerability in Ivanti CSA 4.6 – Australian Signals Directorate – 20 September 2024
The ACSC released a critical alert regarding new Ivanti CSA 4.6, a cloud service appliance. Ivanti stated they were aware of numerous customers who have been exploited by the vulnerability, leading to unauthenticated threat actors accessing restricted systems. It was recommended that users upgrade to CSA 5.0 immediately.
Cyberspies phones businesses to warn of danger but half do not respond – Australian Financial Review – 17 September 2024
Nearly half of Australian businesses contacted to receive warnings of a potential attack in 2023 never returned ASD’s phone call. According to ASD Director-General Abigail Bradshaw, the ASD contacted 620 organisations in the last 12 months to share information with them, and 280 never returned their call.
SolarWinds security chief calls for tighter cyber laws – Financial Times – 29 September 2024
Since the SEC’s case against SolarWinds was substantially dismissed by a US federal court in July 2024, its chief information security officer Tim Brown has emphasised the importance of introducing cyber security regulations to address the stress currently felt by cyber chiefs across the globe. “Very few security people would ever do something that wasn’t right, but you just have to tell us what’s right in order to do it,” he added.
Gartner survey reveals cybersecurity remains the top investment for Australian and New Zealand CIOs in 2025 – Gartner – 10 September 2024
During Gartner’s IT symposium, 88% of Australian and New Zealand CIOs and technology executives revealed that cyber security will remain the top technology investment in 2025, followed by data analytics (84%), cloud platforms (83%) and generative AI (81%).
UK to class data centres as critical national infrastructure – Reuters – 13 September 2024
Data centres in the UK have been classified as ‘critical national infrastructure’. It covers both physical data centres and the cloud operators that use them to supply ordinary services. The new designation is intended to allow the government to prevent issues from arising and support the sector in the event of critical incidents to minimise damage to the economy in the event of a critical incident, by allowing better cooperation and coordination with government.
HSF’s summary of the development can be accessed here.
FBI disrupts large scale Chinese state backed botnet activity – Australian Cyber Security Magazine – 19 September 2024
The FBI has targeted a botnet infecting more than 260,000 devices worldwide, including in Australia, operated by a Chinese company targeting entities across the United States and Taiwan. Concurrently, the ACSC released an advisory on the botnet operated by Chinese firm, Integrity Technology Group. The botnet was running on infected IoT devices, SOHO networking devices, firewalls, and NAS devices.
Indonesia to Launch Cyber Force as Fourth Branch of Military – Jakarta Globe – 23 September 2024
The Cyber Force will become the fourth branch of the Indonesian Military, alongside the Army, Navy and Air Force. Chief Security Minister Hadi Tjahjanto acknowledged the need for Indonesia to build cyber warfare expertise in the context of its geopolitical vulnerability. "The Cyber Force is a battle of minds. It's about how we can influence others and win the war."
Vanir Group ransomware gang’s leak site seized by German authorities – Cyber Daily – 19 September 2024
German State Police have taken down the Vanir Group’s leak site. The data stolen by the group can no longer be published, but the identity of the perpetrators is still unknown. The Vanir Group reportedly claimed three victims in June and July of this year.
China denies hacking the Pacific Islands Forum earlier this year – Cyber Daily – 13 September 2024
According to an ABC report, Chinese state-backed actors were allegedly detected in the Forum Secretariat’s network in February, where they were monitoring communications between Pacific Island Forum members and gathering information on the Secretariat. Due to the severity of the apparent compromise, the Australian government dispatched cyber security experts to remediate the breach. China has rejected the ‘fake news’ and made a statement strongly opposing ‘the practice of politicising cyber security issues.’
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.