Australia passed its first-ever Cyber Security Act on Nov. 25, introducing various measures to strengthen the nation’s defenses. Among its key provisions is a requirement that organisations report to the government if they pay ransomware criminals — a practice that has become widespread globally.

The Cyber Security Act follows Australia’s Cyber Security Strategy 2023-2030. The strategy, designed to position Australia as a leader in cyber resilience, foreshadowed several measures in the law, including creating a National Cyber Security Coordinator to oversee a cohesive national cyber response.

In a media release, Australia’s Minister for Cyber Security Tony Burke said the Act was “a key pillar in our mission to protect Australians from cyber threats” and that it “forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape.”

Experts have urged IT and security leaders to update their cyber security incident response plans to account for the legislative changes, which may require them to communicate with the government in new ways in the middle of a cyber attack or crisis, when information is incomplete and decisions are made under pressure.

How will Australia’s new cyber security law affect organisations?

The two main changes affecting Australian organisations are a mandatory obligation to report ransomware payments and a new voluntary regime for reporting cyber incidents.

Mandatory ransomware payment reporting

The government will require organisations above a certain size to report ransomware payments. The size threshold has yet to be set in the rules, but Australian law firm Corrs Chambers Westgarth said the mandate will likely apply to businesses with an annual turnover above AUD $3 million.

Reports must be made to the Department of Home Affairs or the Australian Signals Directorate within 72 hours of a ransomware payment being made. Organisations that fail to report a payment may face a civil penalty, which Corrs said is currently valued at AUD $93,900.


Corrs notes that, despite the new reporting obligation, the government’s policy is still that organisations should not pay ransoms. The government’s position is that paying only funds the business model of cybercrime gangs, and that there is no guarantee the organisation will actually recover its data or that the data will be kept confidential.

Voluntary reporting of cyber incidents

The Act also establishes a framework for the voluntary reporting of cyber incidents. The measure is designed to encourage freer sharing of information when an organisation suffers a cyber attack, so that other private and public sector organisations and the wider community can benefit from what was learned.

The scheme is overseen by the National Cyber Security Coordinator (NCSC). Any organisation doing business in Australia can report an incident, and the report is protected to a degree by a “limited use” obligation that restricts what the NCSC can do with the information it receives.

The protection is not absolute, however. Corrs said that, under the law, a report of a significant cyber security incident can still be used by the NCSC for purposes including preventing or mitigating risks to critical infrastructure or national security and supporting intelligence or law enforcement agencies.

Further measures included with Australia’s new laws

IT and security professionals will also be affected by several other measures included in the legislative package.

IoT device security in focus

Australia’s government will now have the power to set and enforce security standards for Internet of Things devices. Once those standards are stipulated in legislative rules, suppliers anywhere in the world must comply if they want to continue supplying the Australian market, Corrs explained.

Cyber Incident Review Board

Significant cyber incidents in Australia are now likely to be reviewed by a newly established Cyber Incident Review Board. The CIRB will conduct no-fault, post-incident reviews, publish recommendations, and have the power to compel entities to provide information.

Other cyber security legislation

The Cyber Security Act is part of a broader legislative package that also amends Australia’s Security of Critical Infrastructure Act 2018 (the SOCI Act). Among other changes, the SOCI Act has been updated so that data storage systems holding business-critical data are treated as part of a critical infrastructure asset.

IT and security urged to review cyber incident response plans

IT and security teams should review their cyber security incident response plans and update them where necessary to accommodate the new mandatory ransomware payment reporting obligation and engagement with the National Cyber Security Coordinator.


CISOs and security teams will be central to making these adjustments and to folding the new obligations into future cyber security tabletop exercises. Corrs noted that the trigger for a ransomware payment report is the payment itself, not the receipt of a ransom demand: the 72-hour clock starts when the organisation pays. This affects both how organisations manage the decision to pay and when they choose to communicate it to the government.

Organisations may also face overlapping reporting requirements with different timelines: under Australia’s privacy laws, under the SOCI Act if they operate designated critical infrastructure assets, and under continuous disclosure obligations if they are listed on the Australian Securities Exchange (ASX). Incident response plans should map each obligation to its trigger and deadline so that one incident does not produce missed or inconsistent reports.
