Publication
Road to COP29: Our insights
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
Author:
Australia | Publication | novembre 2024
This article was co-authored with Amanda Wescombe and Maximus Leskien.
On 9 October 2024 (appropriately, nine days into Cyber Month), the government introduced its long awaited, first ever draft cyber security legislation, in the form of the Cyber Security Bill 2024 (the Bill) to Parliament. It was accompanied by the introduction of a number of complementary updates to existing legislation as part of the Cyber Security Legislative Package 2024 and is currently being considered by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report.
You can read our take on the proposed changes to the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 here.
In this article we provide our key takeaways from the Cyber Security Bill 2024 which will complement, not replace, the existing Australian legislative framework around cyber security.
The Bill contains four main initiatives:
The Bill requires that Australian manufacturers and suppliers of “relevant connectable products” must ensure that the products comply with mandatory security standards when supplied in Australia. “Relevant connectable products” are described in the Bill as products that can be connected to the internet, and are commonly referred to as “Internet of Things” devices or “smart” devices. Smart devices can include internet-connected televisions, watches, kitchen appliances and home assistants, but also include substantial items such as cars, and are commonplace in homes and workplaces across Australia.
The applicable security standards will be developed through a consultation process with industry and set out in the regulatory rules. The government has flagged in the Explanatory Memorandum that the proposed standards will mirror existing UK standards to help achieve consistency for Australian product requirements with those already in place in the UK. The Bill introduces a three step enforcement process including compliance notices, stop notices, and recall and public notices. There is likely to be a ‘grace period’ between the commencement of the Act and when manufacturers and suppliers have to comply – potentially 12 months.
Manufacturers and suppliers (which will include resellers) of smart devices; all organisations purchasing internet-connectable products.
Potential level of impact:
Some practical considerations for your action plan:
If an organisation pays a ransom payment or other benefit in response to a ransom demand arising from a cyber security incident, the organisation must report it within 72 hours of making the payment. The Ransomware Payment Report must comply with the requirements set out in the Bill and include details of the amount of the payment, the method of payment, the identities of the attackers amongst other details. If you fail to report within the required 72 hours, penalties may apply.
Organisations responsible for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) and organisations with revenue over $3m annually. Note the Bill provides for the annual turnover threshold to be set out in the regulations. The Explanatory Memorandum to the Bill indicates that the initial annual threshold will be $3m but this may be adjusted in future.
Potential level of impact: Medium to high.
Some practical considerations for your action plan:
Any organisation impacted by a cyber security incident can voluntarily share information about the incident with the NCSC. This helps the Government to understand and respond to cyber threats facing the Australian community. Under the Bill, information that an impacted entity (or an entity acting on behalf of an impacted entity – such as a cyber incident response firm) provides to the NCSC related to the cyber incident– either on the entity’s own initiative, or in response to a request by the NCSC, is covered by the limited use provisions.
“Limited use” refers to information provided to the NCSC which may only be used for the permitted purpose and is not admissible in regulatory proceedings against the entity (subject to some limitations).
Organisations should note: “Limited use” does not equal “safe harbour” to shield or immunise a reporting business entity from legal liability. Voluntarily sharing with the NCSC does not replace mandatory obligations to report a cyber security incident (for example, to the OAIC and other regulators).
All organisations.
Potential level of impact: Medium.
Some practical considerations for your action plan:
The Bill establishes the CIRB as an independent, review body with a clear remit to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The CIRB will be empowered with limited information gathering powers to compel information from entities involved in a cyber security incident under review by the CIRB, but only where voluntary requests for information have been unsuccessful.
Organisations involved in a cyber security incident under review.
Potential level of impact: High.
Some practical considerations for your action plan:
The introduction of the Cyber Security Bill 2024 represents the Australian Government’s desire to provide a clear legislative framework for modern, whole-of-economy cyber security issues. Most, if not all, organisations are impacted by the Cyber Security Bill 2024 in some way.
The Cyber Security Legislative package is still before the PJCIS for review. We will provide further updates following the passage of the Bill through Parliament and into law.
Norton Rose Fulbright offers one of Australia’s and the world’s largest and most experienced legal teams to support your current cyber security capacity including security review, compliance, implementation, and assurance needs. Please reach out to any of us below for a confidential discussion regarding how you may be affected by the Cyber Security Bill 2024 or if you require assistance in adopting our practical considerations for your action plan.
Publication
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023