Australia’s 2024 Cyber Security Reforms

The Act enables the Minister to prescribe mandatory security standards (via ‘rules’ under the Act) for internet or network connectable devices. It also imposes obligations on manufacturers and suppliers of connectable devices to produce statements of compliance with the mandatory security standards, and establishes an enforcement regime, including potential ‘stop sell’ and product recall obligations.

The Government has, for some time, expressed concern about the risks associated with the proliferation of internet-of-things or IoT devices in Australian households, the manner in which they collect data (including sensitive data), and the cyber risk arising from the use of these devices. The legislation provides the Government the flexibility to address these concerns through specific standards.

After the 12 month implementation period, manufacturers and suppliers of ‘relevant connectable products’ will need to meet the mandatory security standards. These standards are yet to be developed but, once they are, suppliers will need to work with manufacturers (and others in the supply chain) to ensure compliance.

The Act requires a reporting entity (a business with annual turnover >$3M¹ or certain responsible entities for critical infrastructure) to report payments and certain information about a cyber extortion incident (including threat actor communications).

There are some protections associated with the reported information. It cannot be used by government agencies for enforcement (except re some criminal laws), the information is generally not admissible as evidence, and the Act looks to protect “privilege” to the extent it applies to reported details.

Ransom payment data has been notoriously patchy – it is often anecdotal or derived from survey questions or insurance related data sets. There is a need for good data to enable informed policy decisions. The Australian Government has also raised concerns about the limited reporting of cyber incidents (citing that only around 1 in 5 incidents are reported), including the corresponding impact on threat intelligence and mitigation.

After the 6 month implementation period, reporting entities will need to report cyber extortion payments (including details of the payment process and related communications). While this is unlikely to be onerous, it adds another notification requirement. Importantly, it is not just the amount that is reportable – other details also need to be provided.

The Act formalises the role of the National Cyber Security Coordinator as the Australian coordinator of significant cyber incidents, and creates a voluntary information flow regime for incident coordination, including:

• providing for organisations to voluntarily give the Coordinator and ASD (and ACSC) information about significant (and other) cyber incidents
• granting the Coordinator and other government entities the rights to use the information, and
• limiting the use of the information to certain purposes.

This ‘limited use’ regime is nominally for the purpose of responding to and resolving the incident. As with reported ransom information, the Act provides that the information provided voluntarily cannot be re-used by government agencies for enforcement (except re some criminal laws), is generally not admissible as evidence, and the disclosure does not affect privilege claims (to the extent privilege would apply).

The ASD and other arms of Government have often lamented the lack of information flow around cyber incidents. In the context of a highly litigious space (with high regulatory and litigation risk), many organisations are reluctant to share openly without some form of protection. It follows that the limited use protections are an attempt to support open information flows.

Every organisation should plan for how it will work with government agencies, including the Coordinator, ahead of a cyber incident, and understand what information it would be comfortable providing. Despite the protections, legal advice will be needed to manage the complexity of the limited use rights. Cyber documentation should be updated to account for these considerations.

The Act establishes an independent board for the purpose of conducting no-fault, post-incident assessments of certain cyber incidents. The CIRB’s purview has a threshold (which in summary) includes serious or nationally significant incidents that are referred to it for review.

At the conclusion of a review, the CIRB will issue a report detailing its findings and recommendations. The CIRB also has certain information-gathering powers. Non-compliance with an information request may attract a civil penalty. Information received by the CIRB under this provision is subject to ‘limited use’ obligations.

There have been a number of calls for mechanisms to enable whole-of-economy learnings from cyber incidents, including a post-incident type review for impacted organisations. The resulting CIRB mechanism is based on civil aviation accident review bodies.

CIRB review is likely to extent the tail of an incident. The nature and extent of participation and information required to be shared is unclear, and companies will need to prepare for certain incident details to be publicised. Organisations also need to be cognisant of the potential exposure to the organisation (at both a management and a board level) with any CIRB information-gathering request. The 6 month implementation period allows time for companies to add the CIRB process to their Cyber Incident Response Plans.

The reform expands the type of assets currently captured as ‘critical infrastructure’ under the SOCI Act to more clearly cover related data storage systems that store or process business critical data.

Data storage systems, even where they are not primary or operational assets, can impact the operation of critical infrastructure. In some sectors the definition of critical infrastructure asset does not include data or data storage or processing systems, even though these may be components of a critical infrastructure asset.

The data storage systems of all SOCI entities will now expressly be subject to SOCI obligations. To be captured, a data storage asset:

• must be owned / operated by a critical infrastructure owner/operator which also owns/operates the primary critical infrastructure asset
• must store or process ‘business critical data’, and
• must be of a kind where vulnerabilities could impact the critical infrastructure asset itself (eg systems which are not network segregated or which hold key operational data).

Relevant entities have 6 months to ensure that:

• they meet the obligations to maintain a register and provide information about their regulated data storage systems
• their critical infrastructure risk management programs also cover regulated data storage systems, and
• they notify cyber incidents affecting those data storage assets.

The amendments extend existing government powers under Part 3A of the SOCI Act to a wider range of incidents (not only cyber security incidents, but any incident affecting the availability, reliability, or integrity of a critical infrastructure asset). This forms part of what has been described as an ‘all hazards’ approach. This means non-cyber incidents will be subject to government powers including information gathering and directions (although not intervention, which will remain confined to cyber security incidents). Trigger incidents could include things like terrorist attacks and natural disasters such as floods or bushfires. There are no new categories of government powers, and the powers are limited to ‘serious’ incidents, for example, those impacting national security, or social and economic stability, and which cannot be effectively addressed by another regulatory means.

The reforms address a gap in the Australian Government’s ability to manage major events affecting critical infrastructure, particularly where those events have broader consequences for the critical infrastructure ecosystem.

Entities have 6 months to ensure that business continuity, disaster recovery, and other response documents (not just cyber-related documents) are updated to take into account potential government powers under the SOCI Act. (We note entities responsible for critical broadcasting, domain name systems, data storage and processing, energy, food and grocery, payment services, freight assets and hospitals are already required to adopt an all hazard approach as part of their risk management program obligations.)

Careful consideration needs to be given to government stakeholder communication plans (although we note that obligations to notify incidents remain limited to cybersecurity).

The SOCI Act constrains the use and sharing of ‘protected information’ to protect potentially sensitive information regarding critical infrastructure.  The amendments narrow the definition of ‘protected information’, and expand and clarify when it can be disclosed.

The Government has acknowledged that the constraints on information sharing under the SOCI Act were too restrictive. Among other things, they were preventing information sharing in circumstances where it would have been beneficial during an incident. The reforms are intended to enable entities and government agencies to use and disclose information about incidents more broadly.

The reforms have reduced an artificial and technical barrier to information sharing (including during major incidents) for critical infrastructure owners/operators. A 6 month implementation period will apply.

The amending legislation brings telecommunications security obligations out of the ‘TSSR’ regime under Part 14 of the Telecommunications Act 1997 (Cth) and under the SOCI Act.

The amendment is a long-anticipated consolidation of telco- specific and general critical infrastructure security obligations.

Entities that operate telco assets have 12 months to assess their current compliance posture to ensure that they can continue complying with all security obligations. The  TSSR and equivalent SOCI provisions are not identical, and some uplift will be required.

Responsible entities are required to develop and maintain a CIRMP for their critical infrastructure assets under Part 2A of the SOCI Act. Under the reforms, the Critical Infrastructure Security Centre (CISC) now has the power to compel a responsible entity to vary its CIRMP to address ‘serious deficiencies’ (ie those that present a material risk to Australia’s national security, defence, or social or economic stability).

The changes are consistent with the Consultation Paper and reflect the government’s desire for a regulatory mechanism which helps to ensure responsible entities are adequately protecting critical assets.

Once the CISC has identified deficiencies and issued a direction to address them, entities have 6 months to amend their CIRMP in consultation with the CISC. However, entities should not wait for a direction to amend their CIRMPs if concerns about serious deficiencies are raised.

While the amendments may be consistent with the CISC’s Compliance and Enforcement Strategy, it’s difficult to assess how they will be used in practice (eg as a last resort?). While the CISC has issued useful guidance on the content of CIRMPs, , it’s unclear what a ‘serious deficiency’, or the window of opportunity to address it, will look like in practice.