Australia’s first standalone Cyber Security Act has come into effect, imposing new obligations and minimum cyber security standards on businesses, with the aim of strengthening the nation’s defence against cyber threats and bringing Australia in line with international best practice.
Cyber security remains an ongoing issue for Queensland businesses. In fact, our Digital Future of Work Report 2024 found 15% of businesses in Queensland experienced a cyber security attack in the past 12 months, of which 52% were small businesses.
Building an understanding of new legislative requirements included in the Cyber Security Act is important to ensure compliance, contribute to a safer cyber environment and protect business critical data both now and into the future.
The Cyber Security Act 2024 includes measures relating to:
- Mandated minimum cyber security standards for smart devices
- Mandatory reporting requirements for ransomware and cyber extortion
- A Limited Use obligation for the National Cyber Security Coordinator
- The establishment of a Cyber Incident Review Board
Security standards for smart devices
Smart devices, or Internet of Things (IoT) devices, will be required to meet mandatory cyber security standards with which manufacturers and suppliers of those devices must comply. Under the Act, the standards for these products will be defined in rules made by the government.
This rules-based model enables the government to adapt the regulations alongside changing technologies and respond to new and emerging cyber threats.
The first standard expected to be introduced seeks to increase the cyber security of consumer-grade smart devices. This standard will likely include:
- No universal default passwords
- The implementation of a means to manage reports of vulnerabilities
- Requirements to provide information about how long the device will receive security updates for
Consumer-grade smart devices include products such as home security cameras, smartphone-controlled appliances and baby monitors.
Considerations for business:
- Build an understanding of how these obligations could apply to your business and supply chain.
- Assess which consumer smart device products may be impacted and determine if they meet current relevant international security standards.
- Establish internal processes for monitoring product compliance.
Ransomware and cyber extortion reporting obligations
Reporting business entities are obligated to report on ransomware and cyber extortion payments within 72 hours of making the payment or becoming aware it has been made.
Reporting entities that make ransom payments but don’t comply could face fines of up to $94,000; however, the government is committed to an education-first approach to regulation which will prioritise warnings, meetings and engagements before penalties.
Considerations for business:
- Save the phone number (1300 CYBER1) and the Australian Signals Directorate’s online portal for reporting and educate staff on the reporting requirements.
- Check the Australian Signals Directorate’s website to keep up to date with reporting processes.
- Establish an incident response process to ensure any required reports are made within the 72-hour timeframe.
Limited Use obligation for the National Cyber Security Coordinator
The Limited Use obligation restricts how the National Cyber Security Coordinator and the National Office of Cyber Security can record, use or disclose information voluntarily provided by an individual or entity.
The role of the coordinator is to lead the whole-of-government response to significant cyber security incidents, and it relies heavily on voluntary cyber threat or incident information provided by businesses.
This aspect of the legislation is designed to encourage businesses to engage early and share information freely, without fear of that information being used in regulatory or law enforcement proceedings.
Considerations for business:
- Build an understanding of what the National Cyber Security Coordinator can do with limited use information.
- Establish processes for timely and transparent reporting of cyber threats or incidents which could have wider implications beyond your business.
The establishment of a Cyber Incident Review Board
The Cyber Incident Review Board is an independent statutory body which will conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. These reviews will be used to make recommendations to both government and industry on future actions which can be taken to prevent cyber security incidents or minimise the impact when they occur.
These updates to Australia’s cyber security legislation form part of a legislative package which includes seven initiatives under the 2023-2030 Australian Cyber Security Strategy. The measures intend to create a safer business operating environment across the country, reduce the threat of malicious cyber actors and position Australia as a leader in cyber security.