The Cyber Security Act passed Parliament this week, mandating that Australian companies report ransomware payments made to hackers to the Australian Signals Directorate. Here’s how to stay compliant.
The information that now must be provided to the Australian Signals Directorate (ASD) — or that may be voluntarily provided to the National Cyber Security Coordinator under a parallel voluntary scheme — can only be utilised for certain purposes. Any such notification does not mean that the organisation is completely free of legal obligations, however. A decision to pay a ransom comes with broader legal requirements.
Initiatives expected to have the most immediate impact on organisations
Mandatory 72-hour reporting obligation for ransom payments
Organisations, other than small businesses, must report any payments made in response to a cyber ransom event to the ASD within 72 hours.
The obligation also recognises that there will be circumstances where making a payment could be justified and seeks to preserve the legal rights of the disclosing entity, for instance, by excluding waiver of privilege. While the government has not pursued a complete ban on payments, they strongly advise against payments, to make Australia a less attractive target for ransomware attacks.
Security standards for smart devices
New security requirements will apply to smart devices that form part of the Internet of Things (IoT). Manufacturers and suppliers of internet-connected products, such as televisions, speakers, watches and doorbells, will now need to meet the security standards for those devices. These may be in the form of secure default settings, unique device passwords, regular security updates and encryption of sensitive data. The details of the relevant standards and how they will interact with other existing product regulations are yet to be finalised.
Regulated use of information submitted to National Cyber Security Coordinator
There will be rules in place to govern how organisations use information submitted to the National Cyber Security Coordinator to ensure such information is used appropriately. However, this does not extend to the full ‘safe harbour’, a legal provision that affords protection from prosecution to individuals or organisations from liability or penalties, despite it being called for, in many submissions made during the government’s consultation process.
Instead of granting an organisation total immunity for the information it provides to the authorities after a cyber incident, the proposed rules will reassure them that the information can only be used and shared for prescribed purposes, such as assisting with incident response. Similar restrictions will apply to the ASD when it receives such information, under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024.
New Cyber Incident Review Board
A new Cyber Incident Review Board will be established to review how cyber incidents are dealt with, including by compelling entities to produce information. Its role will be to review and assess major cyber incidents that impact Australia’s defence or cause serious public concern. It will have the authority to request information from affected entities, allowing it to examine how incidents were handled and provide findings that help prevent future occurrences. While the Board may share its findings with government and industry, any public reporting will not assign fault or prejudice legal rights. Through these reviews, the Board aims to improve understanding and prevent similar incidents in the future.
SOCI Act extends to data systems associated with a critical infrastructure asset
Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) extend the legislation to cover data systems associated with a critical infrastructure asset. The digital networks supporting essential services, such as utilities, healthcare, and finance, are increasingly vulnerable targets in cyber warfare. By expanding the Act’s reach, the government will have greater regulatory authority over data systems associated with critical infrastructure warfare that, if compromised, could disrupt national security or public safety. Additionally, these changes grant regulators a new power to address significant weaknesses in an entity’s risk management program when national security is at risk. For organisations, this means new obligations to protect these systems and respond to regulatory requirements.
Implications for organisations and how to prepare
These new cyber security laws introduce new requirements for organisations, especially those managing data systems related to critical infrastructure. To prepare, organisations will need to review and strengthen their cyber security measures to ensure they meet these requirements, such as the new 72-hour deadline for reporting ransomware payments to the ASD. This may involve assessing internal security measures, reviewing incident response plans, and preparing for increased regulatory requirements. By staying informed of these changes, organisations can better position themselves to comply with the legislation and manage potential cyber threats.
A director’s general duty to act in the best interests of their company means the director must consider whether making the payment (and obtaining an initial release from the incident) will necessarily provide any certainty that information obtained during the incident stays out of nefarious hands, and whether it might make the company a target for future attacks. Depending on the circumstances, a ransom payment may put the organisation at risk of being penalised under counter-terrorism and anti-money laundering laws.
The reporting regime under the new Act also does not replace the ongoing reporting obligations under the Privacy Act (where personal data is involved, and there is an eligible data breach), the Security of Critical Infrastructure regime, and ASX and APRA requirements for entities that are subject to those regulators. Accordingly, each organisation should consider the broader framework of regulation that applies to it as it prepares itself for this latest legislative change.
Dan Pearce is General Counsel in the Corporate & Commercial section of the law firm Holding Redlich. He previously led the firm’s technology, media and intellectual property practice
Look back on the week that was with hand-picked articles from Australia and around the world. Sign up to the Forbes Australia newsletter here or become a member here.
