By Kelly Altair and Maira Dad

The introduction of the first Cyber Security Act 2024 (the “Act”) marks the next step in the evolution of Australia’s cyber security standards and protocols. The reforms are an important step because they will clarify and enhance our standards and our resilience against threats.

We believe Australia has opportunities to improve its effectiveness against cyber-attacks compared with some other countries, so we welcome the Cyber Security Act 2024. The standards imposed by the new Act cover proactive, managerial and post-attack actions, to help every sector, from manufacturing to telecommunications, become better fortified.

This Act was accompanied by the introduction of several updates to existing legislation as part of the Cyber Security Legislative Package 2024. These updates aim to increase transparency, inform best practices, and pave the way for a stronger nation digitally – from security standards for smart devices to establishing a Cyber Incident Review Board (CIRB).

The passed Cyber Security Legislative Package 2024 includes the Cyber Security Act, as well as the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Intelligence Services Reform Act) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act).

By way of background, the Intelligence Services Reform Act amends the Intelligence Services Act 2001 and concerns how cyber security information voluntarily provided to the Australian Signals Directorate may be used and disclosed. The SOCI Amendment Act focuses on protecting critical infrastructure.

In this blog, we’ll primarily focus on the Cyber Security Act 2024 and what it means for our customers.

Key considerations for our customers

The Cyber Security Act 2024 will impact any Australian organisation that handles personal information. By staying informed, organisations will be well-positioned to comply with the legislation and manage potential cyber threats. While it’s early days, here are some considerations for our customers based on the initiatives of the Cyber Security Act:


Mandatory reporting obligations for ransom payments

Strengthening compliance is a key takeaway from the Act so far. If an organisation pays a ransom, it must report it within 72 hours of making the payment. This requirement applies to organisations responsible for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies, and to organisations with annual revenue over three million dollars. Failure to comply with the reporting requirements will expose organisations to financial penalties.

This reporting will create greater transparency in the private sector, allowing organisations to learn from each other. We understand that every organisation has a different view or policy on paying a ransom. We encourage our customers to ensure that their cyber incident response plans incorporate these new requirements, should a scenario arise where a ransom payment is made.


The establishment of a Cyber Incident Review Board

The objective of the CIRB is to conduct no-fault post-incident investigations of significant cyber security incidents in Australia. The CIRB will look to understand why cyber incidents occurred, examine the effectiveness of the response to an attack, and share learnings to promote improvements.

As a result, any organisation impacted by a significant cyber incident may come under review. It’s important for our customers to ensure their crisis response teams include legal, IT, compliance and security representatives. Customers should be in a position to respond promptly to requests for information and to implement any recommendations from the CIRB.

Security standards for smart devices

There will also be stipulations in the Act that specifically affect smart device manufacturers and sellers. At Slipstream, we’re more focused on systems than manufacturing, but that said, it’s a good idea for customers to check in with their legal team, or to seek legal advice, on how best to proceed. For example, manufacturers and suppliers of smart devices will need to ensure their devices are designed to meet the applicable standards under the Act and are accompanied by a statement of compliance.


Limited use obligations on the NCSC and the ASD’s ACSC

The Cyber Security Act 2024 also introduces a voluntary notification scheme to encourage entities to report significant cyber incidents to the National Cyber Security Coordinator (NCSC) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). The scheme protects business interests by ensuring that voluntarily shared information cannot be used against organisations, except in cases of criminal offences, breaches of the Act, or other permitted cyber security purposes. These provisions are designed to encourage collaboration while protecting legal professional privilege and restricting how shared information can be used. The Act also solidifies the NCSC’s role in leading a whole-of-government response to significant cyber incidents and working with industry to manage broader risks to social, economic, or national stability, particularly for entities under the SOCI Act.


What’s next?

The new cyber security laws demonstrate the Australian Government’s commitment to establishing a framework to protect businesses and individuals by implementing new requirements for organisations, especially those managing data systems related to critical infrastructure. This is a good thing for all of us, but businesses need to be prepared.

That’s why, at Slipstream, we’re assessing our approach to security and expanding our consultative services to support the Cyber Security Act 2024. Our specialists are available to guide our customers in navigating and adapting to the evolving regulations. We have a portfolio of cyber assessments to help businesses identify cyber security risks, and we provide expertise in prioritisation and mitigation steps.

Now is the time to prepare for increased regulatory requirements. Get in touch now.
