For the last Newsletter of this year, we have decided to look at a new legislation that was passed by the Federal Parliament in Australia this year, as a part of a bigger cybersecurity legislative package that is designed to help the Australian government achieve the vision it has for becoming a global leader in cyber security by 2030.

What is the Cybersecurity Act?

So what is the Cybersecurity Act? This is an act that was part of the Cyber Security Legislative Reforms Consultation Paper in 2023 that has now received Royal Assent on November 29, 2024 and has thus become a law. Within the next six months, since the date it received Royal Assent, it will commence.

The intent of this cybersecurity act was to encourage further collaboration between governments, organisations and individuals. So, what does this new law include and what does it mean for organisations?

The new couple of things that it includes is a mandated minimum cyber security standard for smart devices – this is needed for any device that is to be sold in Australia, it will introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses that fall under the reporting business entity and it will introduce a limited use obligation for the National Cyber Security Coordinator.

It will further try to encourage industry engagement with the government following cyber incidents and it will establish a new Cyber Incident Review Board to conduct review of significant cyber incidents and share any lessons learned.

The intent of the Act is to ensure that any gaps present in Australia’s cyber security legislation are covered and to bring Australia up to line with international standards. This is to set the path for the country to be on track to become a global and internation leader in Cyber Security.

A massive conversation has been the decision to make ransom payments and cyber extortion reporting mandatory and finable – this has come off the back of an increased number of ransom payments and cyber incidents occurring this year. The higher numbers are concerning, but perhaps what is more concerning is that this is unlikely to be the full extent of the problem.

The new laws around ransom payments and cyber extortion

Ransomware – something that has proven to be an ever-increasing problem for Australian businesses. The Australian Signals Directorate (ASD) statistics show that in 2024 alone they responded to 121 ransomware incidents – a whopping 11% of all the reported incidents. For 12% of those victims they were also extorted for payment with threats of their persona data being leaked or sold online.

There also began a new kind of ransomware crime – data theft extortion. This kind of crime was one where only the data was exfiltrated, without the victims systems being encrypted. This kind of crime is more attainable for less technically skilled actors. The intent of this is not the extort the ransom for the system – its to extort with threats of the data that they stole being released.

The ASD has also advised businesses not to pay the ransom if possible. There is no actual guarantee that the data is recoverable even if it is returned, or that the data won’t be – or hasn’t already been – sold or leaked online. The long term effect further is that it runs the danger of encouraging the continuation and proliferation of the cybercriminal business model.

The new Act will change the way that businesses should conduct themselves around ransomware.

When an applicable business is extorted out of a ransom payment, that business has a requirement to report this incident. From the moment the incident occurs, they have 72 hours to let the Department of Home Affairs and the ASD know that the incident happened.

The new Act threatens financial repercussions if the reporting obligations are not followed, and the penalties can reach up to 94,000AUD at most. The original plan was for ransom payments to be completely outlawed, but the decision was made instead to make it mandatory to report the incident.

So why was this decision made? It is believed that the current issue of ransom payments is so extensive, that instead the current efforts are to understand what the true scale of the problem is.

Although paying ransoms is still legal, it was cautioned for the companies to remember that paying the ransoms does not take away from any legal obligations that there could be for the company. If there truly is no choice but to pay the ransom, it should still be first off considered what the broader legal requirements of doing so are.

Some things to bear in mind are:

• Does paying the ransom ensure that the possibly private information of individuals stays out of nefarious hands and threat actors.

• Is there any chance that the company could then become a target for any new or further cyber-attacks.

• Any counter terrorism and anti-money laundering laws still have to be followed.

• If a company is unsure if they fall under the new requirement, the Home Affairs has provided this image and graphic to follow to get a simple idea.

The new Mandate for the Cyber Security Standards of Smart Devices

The Act will also specify a new mandate that was made to place the responsibility on manufacturers and suppliers to be aware of specific requirements that are in place for all Internet of Things devices if they wish to manufacture or sell them in Australia.

Every manufacturer who is covered by the new mandate is responsible for producing a statement of compliance confirming that their device meets the requirements under the new relevant standard.

At a minimum, the statement of compliance should include the following information:

• product type and batch identifier; 

• name and address of each manufacturer of the product, an authorised representative of the manufacturer and, where applicable, each authorised representative that are in Australia; 

• a declaration that the statement of compliance is prepared by or on behalf of the manufacturer of the product; 

• a declaration that, in the opinion of the manufacturer, the product has been manufactured in compliance with the requirements of the security standard, and they have complied with any other obligations relating to the product as set out in the security standard;  

• the defined support period for the product at the date the statement of compliance is issued; 

• signature, name and function of the signatory; and 

• the place and date of issue of the statement of compliance. 

• If responsible entities that are not the manufacturer of the device intend to supply a device in Australia, they can request the relevant information from the device manufacturer.

This has all been taken from the Home Affairs website, which we will link here so you can find further information on what these requirements are, who they apply to, and what it further includes.

The newly created Cyber Incident Review Board and regulated use to the information submitted to the National Cyber Security Coordinator

There has been a newly established Cyber Incident Review Board. The task of this is to review how cyber incidents are currently dealt with, and to review and assess any major cyber security incidents that occur that can impact Australia’s defence or can cause serious public concern. It is also standing as an independent statutory advisory body.

This board will also have the ability to compel information from any entity that has been affected by a cyber incident – for which they are entitled to be paid a reasonable compensation for if they need to produce copies of the necessary documents. The board can then investigate how the incident was handled and provide any findings that can help prevent any future reoccurrences of the incident.

There is also insurance for the entities that although the Board is able to share its findings with government and body, any public reporting done is protected and will not assign fault or prejudice legal rights.

The review of the incident can only be conducted after the incident or series of incidents has occurred and the immediate response has ended. At this point the board may seek relevant information voluntarily from entities that were involved in the cyber incident.

The aim of the board is to improve our understanding of cyber incidents, how these occur and to work on preventing any similar incidents from occurring again in the future.

There are also further regulations being put in place for how any information that is submitted to the National Cyber Security Coordinator can be used. Instead of the ‘full harbour’ that was originally called for, instead it is ensured that the information that entities hand over can only be used and shared for prescribed purposes, such as assisting with incident response.

The objective of this move is to give the affected parties the confidence to engage early, and share information without the worry that this will immediately be sent to regulators or law enforcement to use in their proceedings.

The Home Office has once again provided a simple to follow graph to give entities an understanding on whether limited use applies to the information that they are handing over.