The Australian Government has introduced a new Cyber Security Legislation Package to Parliament, seeking to establish a clearer legislative framework and enhancing cyber security obligations placed on businesses.
The Bill implements the following key measures:
- A new power to mandate security standards for smart devices
- A mandatory reporting obligation for businesses with an annual turnover of more than $3 million to report ransom payments
- Reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act), including aligning telecommunications regulation to the Act, clarifying obligations in relation to systems holding business critical data, and introducing a Government power to direct regulated entities to address deficiencies within their risk management programs
- A ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator can be used
- A new Cyber Incident Review Board, akin to the U.S. equivalent, to conduct post-incident reviews into significant cyber security incidents, and which could see senior executives more likely to face scrutiny over their cyber strategy decisions
Tim Dillon, Director of Professional Services, APAC, comments:
“The introduction of these new laws marks a critical step toward ensuring the rules which govern digital resilience reflect the evolving threat landscape.
NCC Group's recent report, Digital Dawn, found that the public expect governments to keep them safe in cyberspace. Strengthening Australia’s cyber safeguards in this way demonstrates the Government’s ongoing commitment to protecting Australian citizens and businesses online.
We are particularly pleased to see the Government moving forward with plans to enhance security standards in the smart devices we’ve all come to rely on. NCC Group research has revealed just how vulnerable these devices can be to malicious attackers. That is why we have long advocated for basic security principles to become legally binding and hope that the Government pursues a framework that is aligned to ambitious global laws like the EU’s Cyber Resilience Act.
As we outlined in our advice to Government earlier this year, these reforms need to be accompanied by investment in the Australian Cyber Security Centre (ACSC) and regulators, ensuring they have the capabilities, expertise and skills to effectively enforce the new laws. Failure to do so would leave regulators without teeth and could undermine the new regulatory regime’s effectiveness.”