Introducing the Cyber Security Legislative Package
The Cyber Security Legislative Package was introduced into the Australian Federal Parliament on 9 October 2024. The legislative package comprises:
- the Cyber Security Bill 2024 (Cyber Security Bill);
- the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Bill); and
- the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (IS Bill).
The Federal Government has stated that the objectives of this Cyber Security Legislative Package are to bring Australia in line with international best practice and for Australia to become a global leader in cyber security.
Cyber Security Bill
The proposed Cyber Security Bill will require reporting entities to make a report to the Department of Home Affairs, within 72 hours, if they have been or will likely be a victim of ransomware. The definition of ‘Reporting Entities’ is likely to include organisations with an annual turnover of $3 million, aligning with the definition of ‘organisation’ in the Privacy Act 1988 (Cth), although this has yet to be determined. A failure to report will result in a fine of $19,800 (60 penalty units).
The Bill will also limit how voluntarily provided information can be used and disclosed by the National Cyber Security Coordinator (NCSC). The NCSC will only be able to use and disclose voluntarily provided information to respond to, mitigate or resolve cyber security incidents or to exercise their functions and powers. This encourages businesses to be more comfortable cooperating with cyber agencies. However, the regime is not a safe harbour and will not provide any form of immunity or prevent regulators with enforcement functions (like the ACCC, the OAIC, the ACMA, the APRA or the ASIC) from obtaining that same information directly from organisations that have been the target of a cyber attack.
The Cyber Security Bill will also establish the Cyber Incident Review Board which will cause reviews to be conducted on cyber security incidents of serious concern to Australia. The purpose of a review is to make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of cyber security incidents of a similar nature in the future.
The Bill also introduces Security Standards for Smart Devices. This places an obligation on manufacturers and suppliers of smart devices to comply with security standards and to produce statements of compliance to confirm the smart devices meet the mandated security standards.
SOCI Bill
The proposed SOCI Bill will amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) and will make internal systems that hold business critical data a critical infrastructure asset in their own right. Organisations will need to add systems holding business critical data to their Register of Critical Infrastructure and consider the risks to such systems in their Critical Infrastructure Risk Management Program.
The Bill will also expand the powers of the Minister to make directions in response to cyber incidents. Under the proposed Bill, the Minister will have powers to make directions in response to other forms of disruption and the longer-term consequences of an incident.
The SOCI Bill will require organisations to adopt a ‘harms-based’ approach to information sharing. Before disclosing protected information, organisations will be required to consider the potential harm or risk of the disclosure to the security of their asset and the socioeconomic stability, national security and defence of Australia.
IS Bill
The proposed IS Bill will amend the Intelligence Services Act 2001 (Cth) by introducing a limited use obligation on the Australian Signals Directorate (ASD). Similar to the ‘limited use’ obligation imposed on the NCSC under the Cyber Security Bill, it will limit how the ASD can use the information voluntarily provided to it by an organisation in connection with a cyber security incident. This encourages organisations to provide the ASD with the necessary information to strengthen Australia’s cyber security systems.
What are your next steps?
Submissions to the Parliamentary Joint Committee on Intelligence and Security are invited regarding the proposed Cyber Security Legislative Package, by 25 October 2024. We recommend that organisations continue to monitor the progress of the Cyber Security Legislative Package and proactively update their cyber incident response plans and processes to ensure that they remain compliant with legislative obligations.

