Business Insight

Redefining cyber readiness – Australia passes its first Cyber Security Act


    Article first published on 28 November 2024. It has been updated to reflect that the new laws received royal assent.

    What you need to know

    • The Australian Parliament passed a package of cyber security and security of critical infrastructure bills on 25 November 2024.
    • The package was passed with the support of major parties, despite criticism of the limited time available to consider and debate the reforms.
    • In this update, we provide a quick reference for when different parts of the package take effect, highlight some key changes made to the bills in Parliament, discuss key observations on Australia's cyber risk environment from Australia's cyber and critical infrastructure agencies, and provide an update on Australia's first round of critical infrastructure risk management program reporting.
    • Read more about how you can respond to the evolving cyber regulatory and risk environment at Redefining Cyber Readiness.

    What you need to do

    • Simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations around how cyber risks are managed.
    • In our separate article Redefining cyber readiness – Three ways to outpace Australia's new cyber laws, we explore three essential cyber uplift activities that will help you address the new cyber laws and, more importantly, the underlying cyber risks.

    Australia's new cyber laws have been passed

    The Australian Parliament passed a package of cyber security and critical infrastructure legislation on 25 November 2024, bringing targeted measures to support Australia's 2023-2030 Cyber Security Strategy.

    The reforms are included in the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.

    When do new laws take effect?

    The new laws received royal assent on 29 November 2024. Different parts of the package apply either from 30 November 2024, or from a date to be specified within 6 or 12 months of assent, as explained below.


    How were the bills changed?

    The package of bills was amended to address key recommendations of the Parliamentary Joint Committee for Intelligence and Security (PJCIS), including the following.

    1. Expanded admissibility protections

    Three additional types of information will not (in general) be admissible as evidence against an entity that provides that information:

    • mandatory ransom payment reports;
    • information voluntarily provided to the National Cyber Security Coordinator in relation to both major and minor cyber incidents; and
    • certain information provided to the Cyber Incident Review Board – information and documents requested from the CIRB, documents the entity is compelled to provide to the CIRB, and information contained in a draft review report.

    These changes will provide additional comfort to entities engaging with cyber agencies. Understanding how limited use and admissibility provisions operate and operationalising them in incident response playbooks will help drive effective and responsible engagement with less friction.

    However, this is only one part of a complex information management puzzle. Read our earlier update for the kinds of questions you may need to field in the first 72 hours of an incident.

    2. A broader CIRB

    Explanatory materials were revised to clarify that standing members of the Cyber Incident Review Board do not need to be members of the public service – introducing opportunities for a broader field of experts.

    3. Statutory reviews

    Just like operational resilience measures, cyber and critical infrastructure laws are not "set and forget".

    Adopting recommendations from the PJCIS, the bills were amended to:

    • allow the PJCIS to review the operation, effectiveness and implications of the Cyber Security Act 2024 as soon as practicable after 1 December 2027; and
    • delay the PJCIS review of the operation, effectiveness and implications of the Security of Critical Infrastructure Act 2018 by 2 years – to commence no later than 2 December 2026 (instead of 2 December 2024). To support the 2026 PJCIS review, the PJCIS also recommended that an independent review be commenced no later than 1 November 2025.

    An update on the cyber threat environment

    As Australia's new cyber and critical infrastructure laws worked their way through Parliament, the Australian Signals Directorate published its Annual Cyber Threat Report 2023-2024, and the Cyber and Infrastructure Security Centre published its second Critical Infrastructure Annual Risk Review.

    Annual Cyber Threat Report 2023-2024 

    The second Cyber and Infrastructure Security Centre Critical Infrastructure Annual Risk Review 2023-2024 assesses 30 specific hazards across the five Critical Infrastructure Risk Management Program hazard domains, graphically plotting each risk in terms of plausibility and damage.

    Critical Infrastructure Annual Risk Review 2023-2024 

    Managing critical infrastructure risks

    Australia’s critical infrastructure providers have completed their first round of mandatory reporting on Critical Infrastructure Risk Management Programs (CIRMPs). The Cyber and Infrastructure Security Centre (CISC) has completed an initial trial audit of those CIRMPs and intends to progress to a formal audit program.

    Like the trial, the formal audit is expected to be a “desktop” audit, conducted virtually. Entities selected for audit will be contacted progressively.

    Trial audits have indicated four key CIRMP compliance challenges:

    • Updating the Register of Critical Infrastructure Assets - Keeping the register up to date means having processes to monitor for changes in circumstances and trigger action – for example, a change in the ownership structure of an asset. The register is an important tool for the CISC to understand critical infrastructure interdependencies, to model the effects of disruption scenarios, and to provide insights back to the critical infrastructure community.

    • Late reporting of cyber incidents - Significant incidents must be reported within 12 hours, and other relevant incidents within 72 hours. Rapid incident reporting helps prevent threat actors from using the same tactics to target other organisations. For practical tips on managing cyber incident response and reporting, read our earlier publication Mandatory cyber incident reporting now live for Australia’s critical infrastructure.

    • Identification of critical workers - Identifying critical workers, and having a clear process for doing so, can be a challenge, particularly where third-party service providers are involved. Understanding who your critical workers are is an essential part of addressing personnel risks, including insider threats, but can be extremely difficult to navigate. Effectively addressing critical worker risk means understanding and mitigating constraints, and building a cooperative security culture - for example, by involving workers in co-designing processes.

    • Notifying outsourced data providers that they hold business critical data - The new legislation package won’t change the existing obligation to notify outsourced data storage or processing service providers that they hold business critical data. Giving this notice helps make sure that service providers comply with their own critical infrastructure obligations. An effective process requires good internal visibility of how business critical data is used and shared, but also visibility of trigger events when this might change (for example, onboarding of new providers, or changes in work scope, data flows, or the criticality assessment of data).

    To "sign off" on a CIRMP annual report, a Board or other governing body has to satisfy itself that a CIRMP has been developed in accordance with critical infrastructure laws, and appropriately manages risk. In preparation for coming audits, as well as next year’s annual CIRMP reporting cycle, consider how to support your Board or governing body to confidently make this assessment. Organisations use different methods of validating CIRMPs – but it is clear that external validation is the gold standard. Self-assessment can suffer from a positivity bias, or focus on known issues or well-understood risks and threats.

    You can read a run-down of CIRMP requirements and readiness in our previous publication SOCI CIRMP – are you ready?

    The critical infrastructure enforcement agenda

    The CISC's focus for the 2023-2024 financial year is still very much on education and building a culture of compliance.

    Enforcement activity will focus on what the CISC sees as egregious non-compliance – such as intentional misconduct, misleading or deceptive behaviour, or a deliberate unwillingness to engage on critical infrastructure obligations.

    Examples of such conduct could include providing misleading or deceptive information in the Register of Critical Infrastructure Assets, such as knowingly withholding or providing incorrect information about ownership of assets.

    Similarly, misleading or deceptive statements in Critical Infrastructure Risk Management Program (CIRMP) reporting will be in the spotlight - for example, claiming that a report has been signed off by a Board that has not in fact considered the report.

    Want to know more?

    Three ways to outpace new cyber laws

    1. De-risk ransom
    • Cyber extortion remains a pervasive threat, and payment of a ransom demand remains the least viable (and least reliable) response.
    • Mandatory ransom reporting does not legalise ransom payments, ameliorate a ransom attack or meet heightened policy and public expectations.
    • De-risk the ransom threat with a carefully considered and thoroughly tested risk-based approach to ransom payment decision making and planning.

    2. Streamline and co-ordinate cyber crisis comms
    • New restrictions on how cyber agencies use information inform just one part of a cyber crisis communications strategy.
    • In a significant cyber incident, your stakeholder list is long, and requires a scale of communications and legal infrastructure that is rarely built into crisis response plans.
    • Build and test your capability to confidently communicate with cyber agencies, regulators, government, the media, customers, and the public, without creating further downstream reputation or legal risks.

    3. Outpace regulator expectations before your next incident
    • Managing cyber risk is now a normal part of doing business – this means understanding that a breach is a case of "when", not "if".
    • Understand the evolving expectations of regulators, and measure your cyber maturity against them.
    • In our previous article, we provide a quick guide to the "new normal" of regulator expectations and how to establish a defensible position in a post-incident investigation through redefining readiness.

    New Cyber Security Act:
    • Mandatory reporting of ransom payments (not threats) within 72 hours – commences within 6 months.
    • “Limited use” is not a safe harbour – and only one part of cyber crisis stakeholder management. Cyber agencies will only use information received for a defined “limited use” (and not, for example, for regulatory enforcement). Applies now.
    • Security standards for “smart” connectable devices – aligned to overseas requirements, with flexibility built into the regime – commences within 6 months.
    • A new Cyber Incident Review Board to conduct no-fault reviews of significant incidents – commences within 6 months.
    • Formalised National Cyber Security Coordinator – applies now.

    New Critical Infrastructure (SoCI) reforms:
    • Systems holding business critical data treated as part of the asset they support – commences within 6 months.
    • Expanded "consequence management" powers – directions powers expanded to cover all disruptions (not just cyber incidents) and longer-term consequences of disruption (not just responding to cyber-attacks) – commences within 6 months.
    • A "harms-based" approach to sharing protected information – making it easier for entities to share protected information to operate or mitigate risk in assets – commences within 6 months.
    • Directions to remedy seriously deficient Critical Infrastructure Risk Management Programs (CIRMP) – commences within 6 months.
    • Telecommunications obligations now part of the Security of Critical Infrastructure Act (SoCI) – commences within 12 months.

    Annual Cyber Threat Report 2023-2024
    Top 3 reported incidents for business
    • Email compromise resulting in no financial loss
    • Online banking fraud
    • Business email compromise (BEC) fraud resulting in financial loss
    Top 3 reported incidents for critical infrastructure and government
    • Compromised account or credentials
    • Malware infection (other than ransomware)
    • Asset, network or infrastructure
    Persistent state-sponsored cyber threats, using evolving tradecraft
    • Pre-positioning for later disruption (rather than traditional cyber espionage)
    • Exploitation of cloud platforms
    Operational technology risks for critical infrastructure
    • Attacks on operational (rather than information) technology assets on the rise
    • Likely to increase as legacy operational technology systems are integrated with ICT systems
    Australia is responding
    • Autonomous sanctions used for the first time against cyber crime
    • Australian protective domain name system blocked 21% more malicious domains
    • Domain Takedown Service requested removal of 49% more malicious domains
    Source: Ashurst and Annual Cyber Threat Report 2023-2024, Australian Signals Directorate (ASD)

    Critical Infrastructure Annual Risk Review 2023-2024
    A challenging risk landscape in 2024
    • Featuring frequent cyber incidents, ongoing foreign interference, the threat of politically motivated violence, ongoing global conflict, natural hazards – overlaid with increased social and economic interconnectivity and rapid uptake of new technology.
    Interdependency a key theme
    • Varying security maturity levels, regulation, approaches to information-sharing within and between critical sectors – as well as retrofitting new technologies into legacy infrastructure.
    • Interdependency can expose critical infrastructure to risks outside of their control (like supply chain dependencies) and create system-wide knock-on impacts across sectors.
    Top hazards
    • Higher plausibility / higher damage hazards include large-scale data breaches, AI-augmented cyber threats, foreign interference, and biosecurity breach risk.
    • Social ecosystem level hazards also rate highly – like critical workforce and skills shortages and poor cyber literacy and awareness.
    Trends impacting future risk
    • Rapid technological change is creating skill and staffing shortfalls, including for skilled cyber security professionals.
    • More automation of critical operational decisions.
    • Supply chain disruptions (both domestic and international).
    • The race to 6G mobile may result in compromises or incomplete functionality, and integration into previously manual or independent processes risks lowering resilience in the case of disruption.
    • Supply chain traceability – Ongoing global instability and economic pressures may increase the risk of interception and modification of goods in supply chains.
    • Onshoring and nearshoring may have uncertain impacts – including whether local manufacturing will be competitive and possible consequences for trade relationships.
    • Space – Increasing risk that space object collisions could cause major service disruption, and low awareness of dependency on space technologies.
    Source: Ashurst and Critical Infrastructure Annual Risk Review 2023-2024, Cyber and Infrastructure Security Centre.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 20 December 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
