Business Insight

Redefining cyber readiness – Three ways to outpace Australia's new cyber laws 


    Article first published on 10 October 2024 to report on the new cyber laws as introduced. It has been updated to reflect the new laws as passed.

    What you need to know

    • The Australian Parliament has passed a suite of new laws to build greater cyber resilience.
    • New laws include:
        • a new Cyber Security Act 2024 dealing with ransom payment reporting, new security standards for smart (IoT) devices, limits on how cyber agencies use cyber incident information, and the creation of a Cyber Incident Review Board; and
        • amendments to security of critical infrastructure laws, including requirements relating to business critical data, enhancing government assistance measures (“step in powers”) and introducing a power to direct critical infrastructure entities to address serious deficiencies within their risk management program.
    • The new laws arrive at a time when regulators such as the OAIC and ASIC have indicated that they are focused on increasing their cyber and data breach enforcement activities and are looking to hold organisations to account for failures to adopt reasonable steps to safeguard systems and data.
    • Simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations around how cyber risks are managed. We explore three essential cyber uplift activities that will help you address incoming cyber laws, but more importantly address underlying cyber risks.

    What you need to do

    • De-risk ransom – Cyber extortion remains a pervasive threat, and payment of a ransom demand remains the least viable (and least reliable) response. Mandatory reporting does not legalise ransom payments, ameliorate a ransom attack or meet heightened policy and public expectations. De-risk the ransom threat with a carefully considered and thoroughly tested risk-based approach to ransom payment decision-making and planning.
    • Limited use provisions are not a “safe harbour” – New restrictions on how cyber agencies use information are just one part of a cyber crisis communications strategy. In a significant cyber incident, your stakeholder list is long, and requires a scale of communications and legal infrastructure that is rarely built into crisis response plans. Build and test your capability to confidently communicate with cyber agencies, regulators, government, the media, customers, and the public, without creating further downstream reputational or legal risks.
    • Outpace regulator expectations before your next incident – Managing cyber risk is now a normal part of doing business – this means understanding that a breach is a case of "when", not "if". Understand the evolving expectations of regulators, and measure your cyber maturity against them. We provide a quick guide to the "new normal" of regulator expectations and how to establish a defensible position in a post incident investigation through redefining readiness.
    • Read more about Redefining Cyber Readiness – including a deeper dive into key changes to critical infrastructure legislation.

    New cyber security and critical infrastructure legislation 

    The Australian Parliament passed a suite of cyber security legislation on 25 November 2024. The new laws have been a long time coming – originally signalled as part of Australia's 2023-2030 Cyber Security Strategy, with proposals clarified through ongoing consultation.

    Updating policies and playbooks to respond to new laws will not be enough to build the cyber readiness and maturity now expected by regulators, the market and the public – and to successfully navigate an increasingly hostile cyber threat environment.

    In this article, we'll take a closer look at three key areas addressed by the reforms – and explain why adapting to the legislation is just one part of thorough and comprehensive planning for cyber incidents:

    • obligations to report ransom payments don't change the fact that paying a ransom remains a legal, operational and reputational hurdle and in many cases is your least viable (and least reliable) option;
    • new rules for how cyber agencies can use information are just one piece of your cyber crisis stakeholder management plan; and
    • while cyber regulation is changing, regulators already have heightened expectations – we provide a quick guide to the "new normal" of regulatory expectations.

    What are the new reforms, and when do they apply?


    The reforms are included in the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.

    1. Paying a ransom is still the least viable (and least reliable) option

    The new Cyber Security Act requires organisations to report the payment of ransoms within 72 hours, a step back from earlier proposals to also report ransom demands (although ransom threats and other security incidents may be reportable under other regimes like security of critical infrastructure legislation or privacy laws).

    It is important to recognise:

    • the new ransom payment reporting obligation is not a "safe harbour";
    • paying a ransom may be an offence (for example, under sanctions laws, money laundering or terrorist financing laws) or may create other legal exposures for both organisations and directors; and
    • the decision to pay a ransom can involve significant legal, operational and reputational risk – and requires robust legal and risk assessment.

    While incident response playbooks will need to be updated to include ransom payment notification obligations and related governance, it is clear that paying a ransom remains the least viable (and least reliable) way of addressing cyber risk. Payment of a ransom does not guarantee data will be recovered, stolen data destroyed, or systems restored.

    Best practice requires organisations to:

    • have a clear understanding and assessment of what critical services and data they might need to pay a ransom to recover, in circumstances where there is no other adequate means of mitigating the risk of disruption or data loss; and
    • take all reasonable steps to protect those critical systems and data and have robust recovery and response plans in place that would mitigate the need to otherwise pay a ransom.

    ‘"De-risking ransom" is a risk-based approach that aims to identify the high-risk systems and data where a company might need to consider paying a ransom, and ensures there is adequate security, business continuity, data retention, and harm mitigation/remediation in place. Doing so reduces the occasions where organisations may consider paying a ransom.

    Being subject to a ransom demand is a known risk – if you do not have a sophisticated approach to readiness, response and recovery, you may be open to criticism that you are not managing the risk. In the current cyber climate, it is one of the most foreseeable risks an organisation can face, and readiness is more than a policy on payment.

    2. "Limited use" is not a safe harbour – and only one part of cyber crisis stakeholder management

    The new laws introduce several "limited use" information control frameworks that are subtly but importantly different – limiting the use, recording and disclosure of information by cyber agencies to encourage closer engagement by industry.

    Different use, recording and disclosure restrictions can apply depending on whether information is:

    • held by the Australian Signals Directorate (ASD), the National Cyber Security Coordinator (NCSC) or the Cyber Incident Review Board (CIRB);
    • included in a ransom payment report;
    • provided or obtained voluntarily or under a legal obligation;
    • held by the NCSC and relates to a major or minor cyber security incident (or not); or
    • provided or obtained on some other basis.

    These factors can also determine whether information may be admissible as evidence.

    Importantly, some information can't be used for certain regulatory investigation or enforcement purposes, but these protections won't necessarily prevent criminal investigations.

    The Government has taken pains to point out that the limited use regime is not a safe harbour – regulators may continue to exercise their existing powers, including, in the case of Australia's privacy regulator, the new investigation and enforcement options introduced as part of a generational change in privacy regulation in Australia.

    These new "limited use" protections, if properly understood and operationalised in incident response playbooks, can allow more effective and responsible engagement with cyber agencies, with less friction.

    While removing barriers to engagement with cyber agencies has been a long-standing priority, it is only one part of a complex information management puzzle.

    Despite efforts to harmonise regimes, a cyber incident will usually involve mandatory and voluntary interactions with a range of regulators under different regimes.

    In the midst of a cyber incident, organisations are under pressure for extremely high levels of transparency – not only from cyber agencies, government and regulators, but from business partners, suppliers, banks and the media, as well as customers and the broader public.

    There is a lot of pressure to provide assurances, with high levels of confidence, that you are secure. Customers, suppliers and third parties may stop doing business with you until you are able to provide those assurances.

    Decisions about what to disclose, when, and to whom can have significant implications for operational security, regulatory compliance, litigation risks, privilege, and stakeholder trust.

    The right approach requires a combination of internal information management and assessment (to know what you know, versus what you suspect), strong communication and decision-making protocols, and effective and efficient legal guidance. And importantly, the right approach must be coordinated, streamlined, well-understood and tested.

    This is not organisational discipline that can or should be developed mid-incident – it needs to be part of thorough and comprehensive planning.

    Consider how your organisation could confidently respond to requests from third parties (including in your supply chain), customers, and regulators in the first 72 hours of an incident, such as:

    • What data do you hold (and what data belongs to your supplier/customer)?
    • What connectivity is there between your environment and a third party environment?
    • When did you first become aware of this incident?
    • What is the nature of the incident, have you been hacked and is it a ransomware attack?
    • Has data been exfiltrated? If so what/how much?
    • Have you engaged an independent incident response company to conduct an investigation? Will you provide their interim and final reports?
    • Have you identified the initial vector of compromise and any control failures that led to the compromise?
    • What steps have you taken to contain the incident?
    • What regulatory bodies have you notified/do you intend to notify?
    • What additional controls have been put in place since the incident?
    • Do you have MFA/endpoint monitoring in place across all your assets?
    • Can you provide a summary of open action items from recent internal security reviews?
    • What is your recovery timeframe and is this outside your recovery tolerance?
    • What encryption do you have in place for all data?
    • What network segregation did you have in place?

    3. Cyber regulation is changing – but regulators have already changed

    Cyber threats are no longer a new and unknown risk. The message from various regulators is consistent – patience is running thin for organisations that have failed to de-risk pervasive cyber threats.

    After a strong focus on education, uplift, and warnings in recent years, regulators are adjusting their posture to focus more on enforcement and assurance – to make sure that industry has received the message.

    A common thread underlies the various regulators and regulatory regimes – what reasonable steps, and what reasonable investments, have you taken to safeguard systems and data and build cyber readiness, response and resilience?

    Regulators expect, and expect you to be able to demonstrate, thorough and comprehensive planning and clearly thought-out risk management.

    How you respond in times of crisis is important but is fundamentally constrained by the planning, strategies and capabilities you have already put in place.

    Below is our quick guide to help you navigate the "new normal" of regulatory expectations, including some red flag indicators to watch out for. It is critical for business to understand these expectations and have assurance mechanisms in place to defensibly demonstrate how they are being met.

    Regulator expectation: Thorough and comprehensive planning

    Thorough and comprehensive planning in place for significant cyber incidents and a clearly thought-out risk management strategy.

    Refer to the AICD guidance “Governing through a cyber crisis” co-authored by Ashurst and the Cyber Security Cooperative Research Centre.

    Red flags:
    • Reactive and unplanned.
    • Infrequent training and simulations, including at Board level.
    • Cookie-cutter policies rather than sophisticated playbooks.
    • Assuming that a cyber incident response plan is all you need in your suite of readiness planning.

    Regulator expectation: Prevent harm

    Act in the best interests of the individual victims of a cyber incident – support them to mitigate the risk of both financial and non-financial harm in a transparent and timely manner.

    Red flags:
    • No formal “risk of harm” assessment process.
    • Excessive delays in notifications and/or a lack of support for victims.

    Regulator expectation: Accountability at the top

    Board and management teams will be held to account for failures in behaviours and security culture as well as failures of governance and risk management.

    Red flags:
    • Lack of understanding of individual responsibility and accountability.
    • Delegation of accountability for risk management failures.

    Regulator expectation: Demonstrable improvements

    Boards need evidence of cyber remediation uplift activities and cannot rely on management “just telling them”. Management will be held accountable for providing sufficient evidence.

    Red flags:
    • Assurances without transparent evidence or effective and consistent reporting.
    • Expecting old frameworks to remain current as cyber threats evolve.
    • Self-assessment bias.

    Regulator expectation: Cyber washing

    Disclosures and assurances around cyber security must be accurate – and Boards must be satisfied that management reports are supported by evidence.

    Red flags:
    • Downplaying vulnerability, risk and potential harms.
    • Optimism bias that is not supported by assurance and expert advice.

    Regulator expectation: No rubber stamps

    Boards and management are expected to demonstrate a "curiosity of mindset" and have appropriate capabilities on Boards and leadership teams.

    Red flags:
    • Unwillingness or inability to challenge.
    • People wearing too many hats, lack of specialist capabilities.
    • Lack of training and expertise to support Boards in asking effective and adequate questions.

    Regulator expectation: Demonstrate that frameworks work

    It is not good enough to have a framework in place – management must demonstrate how frameworks are effective and embedded, and how management are held accountable for failures.

    Red flags:
    • Cookie-cutter approach to managing cyber threats.
    • Exceptions become the “norm”.
    • No action is taken against “repeat offenders”.

    Regulator expectation: Testing and assurance

    Testing and assurance should consistently challenge an organisation to improve its processes.

    Red flags:
    • Testing the tools you implemented – rather than the threat you face.
    • Poor quality, non-transparent reporting of adverse findings and open action items.
    • Self-assessment bias.

    Regulator expectation: The buck stops at the Board

    There is a level of cyber security risk that must be managed as "business as usual" activity – but where cyber risk is outside of risk appetite, it is the Board's responsibility to manage the risk accordingly.

    Red flags:
    • Risk appetite not clearly articulated and communicated.
    • Lack of clear escalation.
    • Lack of pressure testing, such as simulations and regular Board training.


    Authors: John MacPherson, Partner, Ashurst Risk Advisory; Emma Butler, Partner; Andrew Hilton, Expertise Counsel; Thomas Suters, Graduate.

    New Cyber Security Act:
    Mandatory reporting of ransom payments (not threats) within 72 hours – commences within 6 months.
    “Limited use” of information received by cyber agencies – cyber agencies will only use information received for a defined “limited use” (and not, for example, for regulatory enforcement). Applies now.
    Security standards for “smart” connectable devices – aligned to overseas requirements, with flexibility built into the regime – commences within 6 months.
    A new Cyber Incident Review Board to conduct no-fault reviews of significant incidents – commences within 6 months.
    Formalised National Cyber Security Coordinator – applies now.


    New Critical Infrastructure (SoCI) reforms:
    Systems holding business critical data treated as part of the asset they support – commences within 6 months.
    Expanded "consequence management" powers – directions powers expanded to cover all disruptions (not just cyber incidents) and longer-term consequences of disruption (not just responding to cyber-attacks) – commences within 6 months.
    A "harms-based" approach to sharing protected information – making it easier for entities to share protected information to operate or mitigate risk in assets – commences within 6 months.
    Directions to remedy seriously deficient Critical Infrastructure Risk Management Programs (CIRMP) – commences within 6 months.
    Telecommunications obligations now part of the Security of Critical Infrastructure Act (SoCI) – commences within 12 months.

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 20 December 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
