This article was co-authored with Amanda Wescombe and Maximus Leskien.
Introduction
On 9 October 2024 (appropriately, nine days into Cyber Month), the government introduced its long-awaited, first-ever draft cyber security legislation, the Cyber Security Bill 2024 (the Bill), to Parliament. It was accompanied by a number of complementary updates to existing legislation as part of the Cyber Security Legislative Package 2024, and is currently being considered by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report.
You can read our take on the proposed changes to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 here.
In this article we provide our key takeaways from the Cyber Security Bill 2024, which will complement, not replace, the existing Australian legislative framework around cyber security.
The Bill contains four main initiatives:
- The introduction of security standards for the supply or manufacture of smart devices.
- The introduction of mandatory reporting obligations for organisations that have made a ransom payment.
- The introduction of a limited use framework to protect information provided to the National Cyber Security Coordinator through voluntary or mandatory reporting.
- The establishment of a Cyber Incident Review Board.
1. Security standards for smart devices
Summary
The Bill requires that Australian manufacturers and suppliers of “relevant connectable products” must ensure that the products comply with mandatory security standards when supplied in Australia. “Relevant connectable products” are described in the Bill as products that can be connected to the internet, and are commonly referred to as “Internet of Things” devices or “smart” devices. Smart devices can include internet-connected televisions, watches, kitchen appliances and home assistants, but also include substantial items such as cars, and are commonplace in homes and workplaces across Australia.
The applicable security standards will be developed through a consultation process with industry and set out in the regulatory rules. The government has flagged in the Explanatory Memorandum that the proposed standards will mirror existing UK standards, to achieve consistency between Australian product requirements and those already in place in the UK. The Bill introduces a three-step enforcement process consisting of compliance notices, stop notices, and recall and public notices. There is likely to be a ‘grace period’ between the commencement of the Act and the date by which manufacturers and suppliers have to comply – potentially 12 months.
Who do the requirements impact?
Manufacturers and suppliers (which will include resellers) of smart devices; all organisations purchasing internet-connectable products.
Potential level of impact:
- Manufacturers and suppliers of smart devices = high.
- All organisations purchasing smart devices = low to medium.
Actions
Some practical considerations for your action plan:
- Manufacturers and suppliers of smart devices in Australia will need to ensure that the smart devices they manufacture or supply:
  - Meet the applicable standards.
  - Are accompanied by a statement of compliance (which is held by the relevant manufacturer or supplier).
- Manufacturers and suppliers of smart devices should consider:
  - Auditing or cataloguing the devices in their portfolio that fit the smart devices category, in anticipation of the release of the standards.
  - Confirming the security architecture of their smart devices (where it is not already confirmed) in preparation for assessment against the standards.
- Suppliers should review (and renegotiate where necessary) procurement contracts for smart devices to ensure relevant disclaimers and liability provisions protect them in the event of a smart device being found in breach of the applicable security standards.
- Manufacturers should review (and renegotiate where necessary) supply contracts for smart devices to ensure relevant disclaimers and liability provisions will protect them in the event of a smart device being found in breach of the applicable security standards due to interference by a third party.
- Organisations purchasing smart devices should consider the security of the devices being considered in current and planned procurement processes. Items purchased before the introduction of the laws do not need to meet the security requirements; however, they will potentially have weaker security controls, and the introduction of the new laws may lower their resale value.
2. Mandatory ransom payment reporting obligations
Summary
If an organisation makes a ransom payment or provides another benefit in response to a ransom demand arising from a cyber security incident, the organisation must report it within 72 hours of making the payment. The Ransomware Payment Report must comply with the requirements set out in the Bill and include, amongst other details, the amount of the payment, the method of payment and the identities of the attackers. If you fail to report within the required 72 hours, penalties may apply.
Who do the requirements impact?
Organisations responsible for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) applies, and organisations with annual revenue over $3m. Note that the Bill provides for the annual turnover threshold to be set out in the regulations. The Explanatory Memorandum to the Bill indicates that the initial annual threshold will be $3m, but this may be adjusted in future.
Potential level of impact: Medium to high.
Actions
Some practical considerations for your action plan:
- Ensure the organisation’s Cyber Incident Response plan incorporates the requirements and processes for reporting a ransom payment (if a ransom payment or other benefit is to be made).
- Work with your legal team to define your organisation’s ethical sensitivities and to address any legal or regulatory factors, including avoiding the furtherance of a crime. Consider developing a ransom payment policy to guide decision-making about the situations in which the organisation will (or will not) consider paying a ransom.
- Work with your legal team to develop a template Ransomware Payment Report (to be completed if a ransom is paid). The organisation should consider:
  - The minimum requirements (s.27(2)).
  - Supporting documentation, such as who is authorised to make the report (noting the 72-hour post-payment timeframe), who in the organisation is delegated the task of making the call (and their backup), and the decision-making process for whether (or not) other bodies need to be notified (for example, is making a report considered market sensitive information?). This may lead to other organisational delegates, policies and procedures, such as a continuous disclosure committee or policy. You should also consider whether legal professional privilege will apply and, if so, how it can be protected.
3. Limited use for information shared with the National Cyber Security Coordinator (NCSC)
Summary
Any organisation impacted by a cyber security incident can voluntarily share information about the incident with the NCSC. This helps the Government to understand and respond to cyber threats facing the Australian community. Under the Bill, information that an impacted entity (or an entity acting on behalf of an impacted entity, such as a cyber incident response firm) provides to the NCSC in relation to the cyber incident – either on the entity’s own initiative or in response to a request by the NCSC – is covered by the limited use provisions.
“Limited use” refers to information provided to the NCSC which may only be used for the permitted purpose and is not admissible in regulatory proceedings against the entity (subject to some limitations).
Organisations should note: “Limited use” does not equal “safe harbour” to shield or immunise a reporting business entity from legal liability. Voluntarily sharing with the NCSC does not replace mandatory obligations to report a cyber security incident (for example, to the OAIC and other regulators).
Who do the requirements impact?
All organisations.
Potential level of impact: Medium.
Actions
Some practical considerations for your action plan:
- Organisations must consider what information they are prepared to share on a voluntary basis. This should include considering the organisation’s risk appetite for disclosing incident information. Organisations should be satisfied with a balance of compliance (mandatory disclosure) and voluntary disclosure. Organisations should also note that the Cyber Incident Review Board has the power to compel information from entities involved in a serious cyber security incident where voluntary requests for information have been unsuccessful.
- Delegate responsibility to person(s) for:
  - Receiving requests for information from the NCSC and implementing processes and procedures for addressing each request within the timeframe(s) required. Involve legal, compliance, risk, security and IT teams.
  - Determining delegate sign-off for information that is reported to the NCSC (either on the organisation’s own initiative or in response to a request). A low risk tolerance will require more senior delegate sign-off. Involve legal, compliance, risk and security teams.
- Consider how the information provided should be marked and controlled to help protect legal professional privilege (where it applies). Note that the legislation currently considers retention of privilege in some circumstances but not all.
- Consider retention of external counsel for additional support in considering and responding to requests. Retainers can be a helpful tool here.
4. New Cyber Incident Review Board (CIRB)
Summary
The Bill establishes the CIRB as an independent review body with a clear remit to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The CIRB will have limited information-gathering powers to compel information from entities involved in a cyber security incident under review by the CIRB, but only where voluntary requests for information have been unsuccessful.
Who do the requirements impact?
Organisations involved in a cyber security incident under review.
Potential level of impact: High.
Actions
Some practical considerations for your action plan:
- Establish a process to “stand up” a response team to:
  - Respond to voluntary and mandatory requests for information by the CIRB while maintaining legal professional privilege (where possible).
  - Review any draft reports or materials shared with the organisation by the CIRB for the organisation’s feedback.
- Your response team should:
  - Involve legal, compliance, risk, security and IT teams. Consider retaining external counsel for additional support.
  - Consider flow-on scenarios and the decision-making process for whether (or not) other bodies need to be notified (for example, is this market sensitive information?). This may lead to other organisational delegates, policies and procedures, such as a continuous disclosure committee or policy.
- Establish a process for the organisation to evaluate and, where appropriate, implement and review, recommendations included in reports issued by the CIRB.
- Consider an organisational response to publication of a report by the CIRB (for example, addressing stakeholders, media).
What next?
The introduction of the Cyber Security Bill 2024 represents the Australian Government’s desire to provide a clear legislative framework for modern, whole-of-economy cyber security issues. Most, if not all, organisations are impacted by the Cyber Security Bill 2024 in some way.
The Cyber Security Legislative Package is still before the PJCIS for review. We will provide further updates following the passage of the Bill through Parliament and into law.
Getting help
Norton Rose Fulbright offers one of Australia’s and the world’s largest and most experienced legal teams to support your current cyber security capacity including security review, compliance, implementation, and assurance needs. Please reach out to any of us below for a confidential discussion regarding how you may be affected by the Cyber Security Bill 2024 or if you require assistance in adopting our practical considerations for your action plan.