Business Insight

A clearer picture of the coming Cyber Security Bill and critical infrastructure reforms


    What you need to know

    • In Australia, the Federal Government reportedly hopes to bring a new Cyber Security Bill to Parliament in the next sitting – which begins next week on 12 August 2024. The new bill will cover ransom reporting, new security standards for smart (IoT) devices, limits on how cyber agencies use information, and the creation of a Cyber Incident Review Board.
    • At the same time, we expect to see a bill to change critical infrastructure laws, to regulate critical data storage systems, to introduce new consequence management and remedial powers, to simplify sharing of critical information, and to shift telecommunications sector obligations to the Security of Critical Infrastructure Act.
    • If bills are introduced, they will likely be referred for Senate Committee consideration, and public consultations will likely follow.
    • The new laws will need to be flexible – expect significant issues to be dealt with in underlying rules, which may require further refinement and consultation.
    • These bills are one part of a very ambitious technology and data law reform agenda. We expect to see in coming weeks, a parliamentary vote on Consumer Data Right "action initiation" laws, movement on misinformation and disinformation laws and mandatory anti-scams codes, as well as legislation to overhaul Australia's privacy laws.

    Key regulatory reforms – to be a world cyber security leader by 2030

    These reforms are part of Australia's 2023-2030 Cyber Security Strategy vision to be a world leader in cyber security by 2030 – read about the strategy, and Ashurst's response to the earlier discussion paper.

    A bold regulatory reform agenda is a core part of Australia's cyber strategy

    A snapshot of the coming laws 

    Proposed new Cyber Security Bill

    • Mandatory reporting of ransom payments (not threats) within 72 hours, for businesses with >$3m turnover – $15,000 penalty for non-compliance.
    • Security standards for "smart" connectable devices – aligned to overseas requirements, with flexibility built into the regime.
    • Cyber agencies will only use information they receive for a defined "limited use" (so information isn't used for regulatory enforcement).
    • A new Cyber Incident Review Board to conduct no-fault reviews of significant incidents.

    Proposed Critical Infrastructure reforms

    • A new asset type: Systems holding business critical data that impact another critical infrastructure asset.
    • Expanded "consequence management" powers – directions powers expanded to cover all disruptions (not just cyber incidents) and longer-term consequences of disruption (not just responding to cyber attacks).
    • A "harms-based" approach to sharing protected information – making it easier for entities to share protected information to operate or mitigate risk in assets.
    • Directions to remedy seriously deficient Critical Infrastructure Risk Management Programs (CIRMP).
    • Moving telecommunications obligations into the Security of Critical Infrastructure Act.

    A closer look at mandatory reporting of ransom payments

    Media reports of comments from Minister Clare O'Neil last week reveal the Government's thinking around ransom reporting. A recent cabinet reshuffle has seen Minister Tony Burke take over cyber security responsibilities from Minister O'Neil, and the appointment of Andrew Charlton as Special Envoy for Cyber Security and Digital Resilience.

    Obligation to report payments (not ransom threats)

    • The Government previously consulted on a two-step reporting process – requiring one report for a ransom threat, and a second report for a ransom payment.
    • While reporting of ransom payments was broadly supported, reporting of ransom threats was seen as too complex and onerous (particularly for unfounded threats). Concerns were also raised about the regulatory burden and whether reports would meaningfully enhance the threat picture.
    • Organisations believed that other reporting regimes (like the Security of Critical Infrastructure Act and Privacy Act data breach notifications) would already require reporting of incidents associated with ransom threats.

    Applies to businesses with greater than $3m turnover (previously greater than $10m)

    • The Government previously consulted on a higher $10m threshold aligned to tax thresholds, recognising the burden that mandatory reporting may place on smaller businesses. However, 68% of consultation respondents supported a lower threshold. The legislation is expected to use a lower $3 million annual turnover threshold, aligned with the ‘small business operator’ threshold in the Privacy Act.
    • Businesses with >$3m turnover will in general already be covered by the Privacy Act and its data breach reporting regime, and so are expected to be able to add ransom payment obligations to their incident response plans relatively easily. However, the Privacy Act contains exceptions and special rules that will not apply to the ransom payment reporting threshold – so ransom payment obligations can apply to a business even if the Privacy Act does not.
    • This was clearly a balancing act for the Government. The bulk of ransom payments are made by smaller organisations – having visibility of payments is an important weapon in the war on ransom. But will mandatory reporting obligations add further pressure to a sector already under pressure? The Government will need to grapple with the same question in relation to proposed changes to the Privacy Act, also expected to be introduced this month, which will potentially include a staged removal of the $3m ‘small business operator’ threshold.

    $15,000 fines for failure to report

    • Fines are intended to provide a "stick", to make sure ransom payments are actually reported, but their existence may mean entities fail to report payments (or fail to reach out for further assistance) if the reporting timeframe is missed – particularly small-to-medium enterprises, a sector that makes most ransom payments.
    • Submissions to the consultation strongly supported the proposed "no fault, no liability" principle – and recommended that any penalties only apply for repeated non-compliance.

    72 hour notice period

    • Ransom payment reporting will be required within 72 hours after a payment is made, apparently consistent with other frameworks such as the Security of Critical Infrastructure Act and the Privacy Act.
    • However, in designing incident response playbooks it is important to understand that different reporting obligations will apply to different types of events, and reporting timeframes will begin at different times based on different triggers. Privacy data breach and security of critical infrastructure notifications relate to the incident, not the ransom payment – so are likely to be required earlier.
    • Multiple reports may be required to multiple agencies, whether or not a ransom payment is made, and further work may be needed to help streamline reporting channels. 

    "Limited use" of information disclosed to cyber agencies

    A new "limited use" requirement will limit how the Australian Signals Directorate (ASD) and National Cyber Security Coordinator (NCSC) can use information provided to them by cyber attack targets – in the hope that businesses will be more comfortable cooperating with cyber agencies if they have comfort that information won't be used to take enforcement action against them. 

    This regime is not a "safe harbour" – it will not provide any form of immunity, and it will not prevent regulators with enforcement functions (like the ACCC, the OAIC, the ACMA, APRA or ASIC) from using their regulatory powers to obtain the same information directly from organisations that have been the target of a cyber attack. If information is not carefully handled by agencies, there also remains a risk that information disclosed to those agencies becomes the subject of a freedom of information request, or of a subpoena from an aggrieved third party.

    Consultation feedback emphasised that keeping permitted uses narrow is essential to encouraging cooperation. At the same time, new laws will need to enable both the ASD and the NCSC to perform all of their functions, and to make sure that information can be shared with agencies involved in incident response and recovery (which might include enforcement action against a bad actor, or against another entity involved in an incident). Regardless, clarity will be essential if the proposed “limited use” obligation is to have the desired outcome of businesses more openly sharing information, in real time, with the ASD and NCSC.

    It is not currently proposed that the "limited use" restriction will apply to the Cyber Incident Review Board (discussed below). The Review Board will face a similar challenge in providing industry with comfort that cooperation will not expose businesses to greater regulatory action or civil litigation risks.

    A new Cyber Incident Review Board

    A new Cyber Incident Review Board will deliver "no fault, lessons learned" reviews of significant cyber incidents, modelled on similar safety-oriented bodies such as the US Cyber Safety Review Board (CSRB) and the Australian Transport Safety Bureau.

    Submissions to consultations generally supported either modest or no information gathering powers, and raised concerns about whether information collected will remain confidential. The US CSRB currently relies on voluntary cooperation, but we may see information gathering powers introduced as part of renewed calls to legislate the body following the recent CrowdStrike mass outage. Under the CSRB's charter, its reports and related materials are protected under Presidential Communications Privilege, and an organisation's consent is required to include its non-public information in public reports.

    Australian legislation will need to balance these concerns to encourage open engagement with the new Review Board. 

    Submissions also raised concerns around impartiality and conflicts of interest. Legislation will need to include flexibility to make sure that the Review Board has appropriate expertise available to it (including from industry) while managing the risks of conflicts of interest – particularly amongst competitors. Legislation will also need to be flexible enough to deal with any teething problems for a significant new investigative body, and to rapidly deal with any unforeseen challenges.

    Mandatory security standards for consumer-grade connectable devices

    Australia will look to align cyber security standards for consumer-grade connectable devices (Internet of Things or IoT devices) with international regimes, focusing on the first three principles of the European Telecommunications Standards Institute (ETSI) standard ETSI EN 303 645 as a minimum baseline.

    Australia’s regime will likely follow the United Kingdom's new Product Security and Telecommunications Infrastructure regime (which came into effect 24 April 2024), which requires the following:

    • Unique passwords: Must be unique per product or capable of being defined by the user of the product – no more default "admin" passwords.
    • Manage reports of vulnerabilities: Have a vulnerability disclosure program that lets third parties (such as security researchers) know how to report security issues identified in a product, and the timeframes within which they can expect acknowledgment of receipt and status updates until the security issue is resolved.
    • Transparency around security updates: Information on the minimum time period for which security updates will be provided for a product.

    We may see flexibility introduced to allow compliance with equivalent alternative standards, and to accommodate sector-specific requirements, such as standards for consumer energy resources (such as rooftop solar, batteries and electric vehicle chargers) being considered in the recent Consumer Energy Resources (CER) Roadmap.

    The ASD has released guidance to help manufacturers comply with all 13 secure-by-design principles covered by the complete ETSI EN 303 645.
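    The three baseline provisions above are concrete enough to be checked against a product record. The following is an added example (not from Ashurst, the ASD or ETSI) of a fleet-level self-check a manufacturer or procurement team could run: it flags well-known or shared factory passwords, a missing disclosure channel or acknowledgment timeframe, and a missing or lapsed published support period. The `ProductProfile` and `DeviceRecord` structures, the default-password list, the provisioning function and the two sample fleets are all constructed for the example; the "as at" date is the publication date of this note.

```python
"""Self-check of a product record against the first three ETSI EN 303 645 provisions
(unique passwords, vulnerability disclosure, security-update transparency).
Added example with constructed data; not a conformity assessment tool."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from datetime import date

# Constructed, illustrative set of well-known factory defaults (not exhaustive).
COMMON_DEFAULT_PASSWORDS = {"admin", "password", "12345678", "root", "1234", ""}

# Assessment date used by the sample run (publication date of this note).
AS_AT = date(2024, 8, 6)


@dataclass
class DeviceRecord:
    serial: str
    factory_password: str | None   # None: the user must define a password at first boot


@dataclass
class ProductProfile:
    model: str
    devices: list[DeviceRecord]
    disclosure_contact: str | None   # published channel for reporting security issues
    ack_sla_days: int | None         # promised time to acknowledge a report
    support_until: date | None       # published minimum security-update period (end date)


def provision_factory_password(length: int = 16) -> str:
    """Hypothetical provisioning step: a per-device password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_unique_passwords(profile: ProductProfile) -> list[str]:
    """Provision 1: no universal default; each device unique, or user-defined at setup."""
    findings: list[str] = []
    seen: dict[str, str] = {}
    for dev in profile.devices:
        if dev.factory_password is None:
            continue  # user-defined at setup satisfies the requirement
        pw = dev.factory_password
        if pw.lower() in COMMON_DEFAULT_PASSWORDS:
            findings.append(f"{dev.serial}: well-known default password")
        if pw in seen:
            findings.append(f"{dev.serial}: password shared with {seen[pw]}")
        else:
            seen[pw] = dev.serial
    return findings


def check_vulnerability_disclosure(profile: ProductProfile) -> list[str]:
    """Provision 2: a published way to report issues, with an acknowledgment timeframe."""
    findings: list[str] = []
    if not profile.disclosure_contact:
        findings.append("no public vulnerability reporting channel")
    if profile.ack_sla_days is None:
        findings.append("no stated acknowledgment timeframe")
    return findings


def check_update_transparency(profile: ProductProfile, today: date) -> list[str]:
    """Provision 3: a published minimum support period; also flag one that has lapsed."""
    findings: list[str] = []
    if profile.support_until is None:
        findings.append("no published minimum security-update period")
    elif profile.support_until < today:
        findings.append(f"security-update period ended {profile.support_until.isoformat()}")
    return findings


def assess(profile: ProductProfile, today: date) -> dict[str, list[str]]:
    """All findings, keyed by provision; empty lists mean no finding."""
    return {
        "unique_passwords": check_unique_passwords(profile),
        "vulnerability_disclosure": check_vulnerability_disclosure(profile),
        "update_transparency": check_update_transparency(profile, today),
    }


def is_baseline_compliant(profile: ProductProfile, today: date) -> bool:
    return not any(assess(profile, today).values())


# Constructed sample fleets: a legacy product and its revised successor.
LEGACY_CAMERA = ProductProfile(
    model="cam-legacy",
    devices=[DeviceRecord("SN-0001", "admin"), DeviceRecord("SN-0002", "admin"),
             DeviceRecord("SN-0003", "hunter2"), DeviceRecord("SN-0004", "hunter2")],
    disclosure_contact=None, ack_sla_days=None, support_until=date(2023, 12, 31),
)
REVISED_CAMERA = ProductProfile(
    model="cam-revised",
    devices=[DeviceRecord(f"SN-{n:04d}", provision_factory_password()) for n in range(1, 5)]
            + [DeviceRecord("SN-0005", None)],
    disclosure_contact="https://example.invalid/security",  # placeholder URL
    ack_sla_days=5, support_until=date(2027, 6, 30),
)

if __name__ == "__main__":
    for profile in (LEGACY_CAMERA, REVISED_CAMERA):
        print(profile.model, assess(profile, AS_AT))
```

    Run as a script it prints the findings for both sample fleets; the legacy product fails all three provisions (shared and well-known passwords, no disclosure channel, support already ended), while the revised product passes. The checks are deliberately narrow: they confirm that the published commitments exist, not that the firmware honours them.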

    Critical infrastructure reforms

    Submissions to consultations emphasised that critical infrastructure reforms should be very clear, supported by appropriate guidance, and should not duplicate obligations under other regimes (such as under the Privacy Act or financial services regulation).

    Coming reforms will amend the Security of Critical Infrastructure Act.

    A new asset type: Systems holding business critical data

    Entities already covered by critical infrastructure legislation will need to treat internal systems that hold business critical data as critical infrastructure assets in their own right. This will likely mean that protection of large volumes of personal information is captured under both the Privacy Act and Security of Critical Infrastructure Act, although the Security of Critical Infrastructure Act will also capture non-personal information that is still business critical. 

    The new asset type is focused on internal systems – systems supplied by third parties should already be addressed as "critical data storage or processing assets."

    The focus will be on systems that if compromised would have an impact on availability, integrity, reliability or confidentiality of another critical infrastructure asset. 

    For many organisations, it will be difficult to identify which of their systems fall into this new category, and we expect (at least initially) that an education and uplift approach will be adopted, with additional guidance on what business critical data might mean for different entities, and on which systems have a sufficient connection to the main critical assets.

    Understanding which systems are "in scope" will in practice require an understanding of what data is considered "business critical data" under the Security of Critical Infrastructure Act, together with a risk assessment – for example, considering whether compromise of a data storage system may allow lateral movement between IT systems, or between IT systems and Operational Technology systems.

    Organisations will need to add systems holding business critical data to the Register of Critical Infrastructure, a process that requires a good understanding of the operational management responsibilities and the ownership, influence and control that entities (including suppliers) may have over systems.

    Expanded "consequence management" powers 

    These powers supplement existing cyber incident response powers that allow the Minister to authorise directions in relation to critical infrastructure assets as well as participants in the relevant infrastructure sector. 

    New laws will expand this regime to apply to:

    • other forms of disruption (not just cyber incidents); and
    • the longer-term consequences of an incident (not just responding to a cyber attack). 

    The expanded powers will be subject to the same safeguards as the existing regime – for example, that no existing regulation can provide a practical response, that the incident has or is likely to have a relevant impact to availability, confidentiality, integrity or reliability of a critical infrastructure asset, and that there is a material risk to Australia’s social or economic stability.

    A "harms-based" approach to sharing protected information 

    Reforms will allow entities to share protected information about their critical assets for the purpose of the continued operation of, or mitigation of risks to, an asset. You can read more in our publication, Clarifying the protected information regime under the SOCI Act.

    Require a seriously deficient CIRMP to be remedied 

    Proposed amendments will allow written directions where a Critical Infrastructure Risk Management Program (CIRMP) is seriously deficient (such that it carries a material risk to the socioeconomic stability, defence, or national security of Australia, or there is a severe and credible threat to national security). 

    Before a direction is issued, the regulator will give an entity notice of the deficiency and consider any response and any actions taken or to be taken.

    Moving telco rules into the Security of Critical Infrastructure Act 

    Security requirements currently spread across the Telecommunications Act (including Part 14 of that Act, Carrier Licence Conditions and a Service Provider Determination) and the Security of Critical Infrastructure Act will be consolidated in the Security of Critical Infrastructure Act.

    Through ongoing consultation with the Australian Telecommunications Security Reference Group, it is hoped that the new laws will simplify regulatory arrangements, minimise duplication, create clear demarcation between the roles of telecommunications and critical infrastructure regulators, and bring an "all hazards" approach to telecommunications security regulation (consistent with other critical infrastructure sectors).

    A shift in regulatory focus

    In addition to the proposed reforms, the Cyber and Infrastructure Security Centre (CISC) has indicated that critical infrastructure oversight is shifting from an "education and awareness" posture to a compliance-focused posture. We have already seen industry compliance with Security of Critical Infrastructure obligations tested through a series of trial audits in the latter half of 2023-24. This shift will continue to progress in 2024-25.

    CISC has also indicated that it will partner with entities responsible for Systems of National Significance (SoNS), to ensure they understand and comply with the additional obligations that apply to them, known as Enhanced Cyber Security Obligations. 

    The broader technology reform agenda

    These changes have been proposed in the midst of a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term. 

    • CDR – We expect to see a Senate vote in August on action initiation legislation, amending the Consumer Data Right.
    • Scams – The Assistant Treasurer recently announced next steps on the approach to regulating scam protection.
    • Digital ID – New Digital ID laws are expected to commence 1 December 2024, with work continuing on the rules and standards required for launch.
    • Misinformation – The Government has consulted on draft legislation to help combat misinformation and disinformation, and provide ACMA with powers to enforce a code of practice.
    • Artificial intelligence – We expect significant announcements in September – an Australian Senate Select Committee will report on opportunities and impacts for Australia arising from AI by 19 September 2024, and the term of the temporary expert group advising on mandatory AI "guardrails" was recently extended to September. In addition, Australia's May 2024 budget allocated funding to review and strengthen regulation of AI in health care, consumer, and copyright law.
    • Privacy and doxxing – The Attorney-General and the Prime Minister have announced that they will bring forward a long-awaited bill to implement Privacy Act reforms and regulate doxxing (the malicious disclosure of personal information) – we also expect the release of an important strategic operational review of the Office of the Australian Information Commissioner.
    • Online Safety – New standards have been registered by the eSafety Commissioner, coming into effect 21 December 2024, completing the first tranche of codes and standards to manage the risks of seriously harmful online content such as child exploitation and pro-terror materials. A second tranche of new codes is being developed dealing with age-appropriate access to online content, and a statutory review of the Online Safety Act is due to report to the Minister by 31 October 2024.


    Authors: John Macpherson, Partner, Ashurst Risk Advisory; Geoff McGrath, Partner; John Moore, Director, Ashurst Risk Advisory; Andrew Hilton, Expertise Counsel; Thomas Suters, Graduate.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 6 August 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.