Australian Government introduces new Cyber Security Bill

A&O Shearman

[co-authors: Denise Kara, Steven Chong]

The Cyber Security Bill 2024 ("Cyber Bill") tabled in the Australian Federal Parliament yesterday is set to bring significant changes to the cyber security landscape in Australia.

The Cyber Bill introduces several critical areas of compliance and reporting that businesses must be aware of to avoid penalties and ensure robust cyber security measures. Set out below are the key takeaways from the Cyber Bill:

  • Security Standards for Smart Devices: The Cyber Bill mandates that manufacturers and suppliers of smart devices comply with specified security standards. This is crucial for businesses involved in the production or distribution of smart devices. Non-compliance can result in compliance notices, stop notices, and recall notices. These measures are designed to ensure that smart devices are secure and do not pose a risk to users.
  • Ransomware Reporting Obligations: Entities impacted by cyber security incidents and making ransomware payments must report these payments within 72 hours. The overall aim of this obligation is to improve the detection of and response to ransomware incidents, thereby reducing their impact. Failure to report can result in civil penalties.
  • Laws on the Protected or Limited Use of Incident Information: The Cyber Bill includes provisions to ensure that information provided about cyber security incidents is used or disclosed only for permitted purposes, with strict limitations on using this information for civil or regulatory actions against the reporting entity.
  • Cyber Incident Review Board: The Cyber Bill establishes a Cyber Incident Review Board ("Board"), which is tasked with reviewing certain cyber security incidents and making recommendations. The Board has the authority to request and require documents from entities. Non-compliance may result in civil penalties.

The Cyber Bill is part of a legislative package of reforms that also includes amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018. Organisations should determine whether they are subject to the Cyber Bill. If they are, they should, among other things, implement security standards that comply with the specified security measures currently provided for in the Cyber Bill, and make sure they can comply with the ransomware reporting obligations, including the timelines foreseen in the Cyber Bill.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© A&O Shearman
