Business Insight

Redefining cyber readiness – Australia passes its first Cyber Security Act

    What you need to know

    • The Australian Parliament passed a package of cyber security and security of critical infrastructure bills on 25 November 2024.
    • The package was passed with the support of major parties, despite criticism of the limited time available to consider and debate the reforms.
    • In this update, we provide a quick reference for when different parts of the package take effect, highlight some key changes made to the bills in Parliament, discuss key observations on Australia's cyber risk environment from Australia's cyber and critical infrastructure agencies, and provide an update on Australia's first round of critical infrastructure risk management program reporting.
    • Read more about how you can respond to the evolving cyber regulatory and risk environment at Redefining Cyber Readiness.

    What you need to do

    • Simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations around how cyber risks are managed.
    • We set out three essential cyber uplift activities that will help you address the new cyber laws and, more importantly, the underlying cyber risks.

    Australia's new cyber laws have been passed

    The Australian Parliament passed a package of cyber security and critical infrastructure legislation on 25 November 2024, bringing targeted measures to support Australia's 2023-2030 Cyber Security Strategy.

    The reforms are included in the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.

    When will new laws take effect?

    The bills currently await royal assent from the Governor-General, expected in a matter of weeks. The new laws will take effect either the day after assent, or on a date to be specified within either 6 or 12 months – as explained below.

    Cyber Security (when each measure commences)

    • Mandatory reporting of ransom payments (not threats) within 72 hours: within 6 months
    • Formalised National Cyber Security Coordinator: day after assent
    • New Cyber Incident Review Board, conducting no-fault reviews of significant incidents: within 6 months
    • Cyber agencies will only use information they receive for a defined “limited use”: day after assent
    • Security standards for “smart” connectable devices, aligned to overseas requirements: within 12 months

    Critical Infrastructure Reforms (when each measure commences)

    • Data storage systems holding business critical data that are used in connection with a critical infrastructure asset are taken to be part of that asset: within 6 months
    • Expanded, longer term “consequence management” powers, extending beyond cyber and beyond immediate response: within 6 months
    • Directions to remedy seriously deficient Critical Infrastructure Risk Management Programs: within 6 months
    • “Harms-based” approach to sharing protected information, making it easier to share information to operate an asset or mitigate risk: within 6 months
    • Moving telecommunications obligations into the Security of Critical Infrastructure Act: within 12 months

    How were the bills changed?

    The package of bills was amended to address key recommendations of the Parliamentary Joint Committee for Intelligence and Security (PJCIS), including the following.

    1. Expanded admissibility protections

    Three additional types of information will not (in general) be admissible as evidence against an entity that provides that information:

    • mandatory ransom payment reports;
    • information voluntarily provided to the National Cyber Security Coordinator in relation to both major and minor cyber incidents; and
    • certain information provided to the Cyber Incident Review Board – information and documents requested from the CIRB, documents the entity is compelled to provide to the CIRB, and information contained in a draft review report.

    These changes will provide additional comfort to entities engaging with cyber agencies. Understanding how limited use and admissibility provisions operate and operationalising them in incident response playbooks will help drive effective and responsible engagement with less friction.

    However, this is only one part of a complex information management puzzle. Read our earlier update for the kinds of questions you may need to field in the first 72 hours of an incident.

    2. A broader CIRB

    Explanatory materials were revised to clarify that standing members of the Cyber Incident Review Board do not need to be members of the public service – introducing opportunities for a broader field of experts.

    3. Statutory reviews

    Just like operational resilience measures, cyber and critical infrastructure laws are not "set and forget".

    Adopting recommendations from the PJCIS, the bills were amended to:

    • allow the PJCIS to review the operation, effectiveness and implications of the Cyber Security Act 2024 as soon as practicable after 1 December 2027; and
    • delay the PJCIS review of the operation, effectiveness and implications of the Security of Critical Infrastructure Act 2018 by 2 years – to commence no later than 2 December 2026 (instead of 2 December 2024). To support the 2026 PJCIS review, the PJCIS also recommended that an independent review be commenced no later than 1 November 2025.

    An update on the cyber threat environment

    As Australia's new cyber and critical infrastructure laws worked their way through Parliament, the Australian Signals Directorate published its Annual Cyber Threat Report 2023-2024, and the Cyber and Infrastructure Security Centre published its second Critical Infrastructure Annual Risk Review.

    The second Cyber and Infrastructure Security Centre Critical Infrastructure Annual Risk Review 2023-2024 assesses 30 specific hazards across the 5 Critical Infrastructure Risk Management Program hazard categories, graphically plotting each risk in terms of plausibility and damage.

    Managing critical infrastructure risks

    Australia’s critical infrastructure providers have completed their first round of mandatory reporting on Critical Infrastructure Risk Management Programs (CIRMPs). The Cyber and Infrastructure Security Centre (CISC) has completed an initial trial audit of those CIRMPs and intends to progress to a formal audit program.

    Like the trial, the formal audit is expected to be a “desktop” audit, conducted virtually. Entities selected for audit will be contacted progressively.

    Trial audits have indicated four key CIRMP compliance challenges:

    • Updating the Register of Critical Infrastructure Assets - Keeping the register up to date means having processes to monitor for changes in circumstances and trigger action – for example, a change in the ownership structure of an asset. The register is an important tool for the CISC to understand critical infrastructure interdependencies, to model the effects of disruption scenarios, and to provide insights back to the critical infrastructure community.

    • Late reporting of cyber incidents - Significant incidents must be reported in 12 hours, and other relevant incidents in 72 hours. Rapid incident reporting helps prevent threat actors using the same tactics to target other organisations. For practical tips on managing cyber incident response and reporting, read our earlier publication Mandatory cyber incident reporting now live for Australia’s critical infrastructure.

    • Identification of critical workers - Identifying critical workers, and having a clear process for doing so, can be a challenge, particularly where third-party service providers are involved. Understanding who your critical workers are is an essential part of addressing personnel risks, including insider threats, but can be extremely difficult to navigate. Effectively addressing critical worker risk means understanding and mitigating constraints, and building a cooperative security culture - for example, by involving workers in co-designing processes.

    • Notifying outsourced data providers that they hold business critical data - The new legislation package won’t change the existing obligation to notify outsourced data storage or processing service providers that they hold business critical data. Giving this notice helps make sure that service providers comply with their own critical infrastructure obligations. An effective process requires good internal visibility of how business critical data is used and shared, but also visibility of trigger events when this might change (for example, onboarding of new providers, or changes in work scope, data flows, or the criticality assessment of data).

    To "sign off" on a CIRMP annual report, a Board or other governing body has to satisfy itself that a CIRMP has been developed in accordance with critical infrastructure laws, and appropriately manages risk. In preparation for coming audits, as well as next year’s annual CIRMP reporting cycle, consider how to support your Board or governing body to confidently make this assessment. Organisations use different methods of validating CIRMPs - but it is clear that external validation is the gold standard. Self-assessment can suffer from a positivity bias, or focus on known issues or well-understood risks and threats.

    You can read a run-down of CIRMP requirements and readiness in our previous publication SOCI CIRMP – are you ready?

    The critical infrastructure enforcement agenda

    The CISC's focus for the 2023-2024 financial year is still very much on education and building a culture of compliance.

    Enforcement activity will focus on what the CISC sees as egregious non-compliance - such as intentional misconduct, misleading or deceptive behaviour, or a deliberate unwillingness to engage on critical infrastructure obligations.

    Examples of such conduct could include providing misleading or deceptive information in the Register of Critical Infrastructure Assets, such as knowingly withholding or providing incorrect information about ownership of assets.

    Similarly, misleading or deceptive statements in Critical Infrastructure Risk Management Program (CIRMP) reporting will be in the spotlight - for example, claiming that a report has been signed off by a Board that has not in fact considered the report.

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 28 November 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.