Australia Introduces First Standalone Cybersecurity Law


The Australian government has introduced the country’s first standalone cybersecurity law to Parliament.

The new legislation aims to better protect citizens and organizations against a heightened geopolitical and cyber threat environment.

The Cyber Security Bill 2024 covers a range of areas, including mandating minimum cybersecurity standards for IoT devices and mandatory ransomware reporting for critical infrastructure organizations.

Additionally, the legislation will establish a Cyber Incident Review Board to conduct post-incident reviews into significant cybersecurity incidents and a ‘limited use’ obligation that restricts how incident information provided to the National Cyber Security Coordinator can be used and shared with other government agencies.

The package will also progress and implement reforms under Australia’s Security of Critical Infrastructure (SOCI) Act 2018. These include provisions to simplify information sharing across industry and government and to enhance government assistance measures so that the impacts of all-hazards incidents on critical infrastructure can be better managed.


Minimum Standards for Smart Devices

Currently, smart devices are not subject to mandatory cybersecurity standards in Australia, and the government described the voluntary approach as “fragmented and insufficient.”

The Cyber Security Bill 2024 will establish a baseline level of security for internet-connected devices such as smart doorbells and watches, including secure default settings, unique device passwords and regular security updates.

The relevant Minister will also be given powers to mandate security standards as Ministerial rules for smart devices. This power will enable Australia to quickly update standards in alignment with existing international standards, following the approach in the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act.

A compliance notice, a stop notice and a recall notice may be issued for non-compliance.

Obligation to Report Ransomware Payments

The new law will also introduce a mandatory reporting obligation requiring certain Australian businesses to report cybersecurity incidents that resulted in a ransomware payment.

The requirements apply to private sector organizations responsible for critical infrastructure assets in Australia. They do not cover public sector organizations.

Any business of this nature that makes a ransomware payment must report this to the Australian Signals Directorate (ASD) and the Department of Home Affairs within 72 hours of making the payment or becoming aware that the ransomware payment has been made.

Failure to comply with these reporting obligations may result in a civil penalty.

Addressing “Whole-of-Economy” Cybersecurity Issues

Introducing the Bill to the Parliament of Australia on October 9, Tony Burke, Australia’s Minister for Home Affairs, said the legislation provides a clear framework that addresses whole-of-economy cybersecurity issues, positioning the country to respond to new and emerging threats.

“We need a framework that enables individuals to trust the products they use every day. We need a framework that enhances our ability to counter ransomware and cyberextortion. We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward,” stated Burke.

He added that the law will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy.


Image credit: EQRoy / Shutterstock.com
