
Will your business be impacted by Australia’s new cyber security laws?

Glenn Ferguson
Feb 12, 2025

Australia now has its first stand-alone cyber security laws, contained in the Cyber Security Legislative Package 2024.

Three separate Bills, which together make up these reforms, have been passed and are currently awaiting royal assent. They are:

Pleasingly, the reforms involve a range of initiatives, including mandatory security standards for smart devices and the legal framework for critical infrastructure protection.

The Cyber Security Bill 2024 has four key aspects which are:

  • mandatory security standards for smart devices
  • mandatory reporting of ransomware payments within 72 hours
  • the establishment of a ‘limited use’ obligation that restricts how information provided to the National Cyber Security Coordinator during a cybersecurity incident can be used and shared with other government agencies, including regulators
  • the establishment of a Cyber Incident Review Board

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018 with the intention of strengthening the security and resilience of critical infrastructure, and the cooperation of government and infrastructure operators.

The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 to establish a ‘limited use’ obligation that restricts how cyber security information voluntarily provided to the Australian Signals Directorate can be used and disclosed, and amends the Freedom of Information Act 1982 to exempt cyber security information voluntarily provided to the National Cyber Security Coordinator from the operation of that Act.

How will this impact Australian Businesses?

Whilst it has not yet been determined which businesses will have to comply, it is believed the threshold will be $3 Million turnover, which brings the reform package into line with the reporting threshold under the Privacy Act 1988.

This will impact a significant number of Australian businesses.

The reform package will require those businesses affected to report:

  • a cybersecurity incident which has happened, is happening or is imminent
  • an extorting entity making a demand of the business, or of a third party, directly related to the incident impacting them
  • the business providing, or being aware that another entity directly related to it has provided, a payment or benefit to the extorting entity that is directly related to the demand.

The report must be made to the Department of Home Affairs within 72 hours of making a payment or becoming aware of such a payment, through a portal which is administered by the Australian Cyber Security Centre.

Failure to report may result in civil penalties of 60 penalty units which equates to $18,780.

Manufacturers and suppliers of smart products will be required to comply with the security standards if they are aware, or could reasonably be expected to be aware, that the products will be acquired in Australia.

Failure to do so will allow the Secretary of Home Affairs to issue compliance notices, stop notices and recall notices.

What should businesses do?

If you will be affected by these new laws, your business should:

  • Have in place protocols and tools to respond to the new regime
  • Have in place and/or update any current cyber-attack response plan
  • Have clear lines of communication and reporting mechanisms
  • Ensure they have sufficient protection including firewalls etc.
  • Ensure employees are trained and understand the obligations of the business

There is a lot of excellent information available on what businesses should do to protect themselves and ensure compliance, and the following are just a few of those sites:

How can FC Lawyers help?

We are currently working with many of our business clients to ensure that they are ready for the new reforms, and can assist in reviewing and advising on your organisation's current ability and what may be needed to ensure you are ready for the new regimes.

Contact our team to discuss your cyber security or business needs.