Redefining cyber readiness – Three ways to outpace Australia's new cyber laws 

What you need to know

• The Australian Government has introduced a suite of new bills to build greater cyber resilience.
• New laws include:

• a new Cyber Security Bill dealing with ransom payment reporting, new security standards for smart (IoT) devices, limits on how cyber agencies use cyber incident information, and the creation of a Cyber Incident Review Board; and 
• amendments to security of critical infrastructure laws, including requirements relating to business critical data, enhancing government assistance measures (“step in powers”) and introducing a power to direct critical infrastructure entities to address serious deficiencies within their risk management program.

• The bills (which have already been subject to extensive industry consultation) have been referred to the Joint Parliamentary Committee on Intelligence and Security, which will likely accept public submissions and hold hearings.
• The new laws arrive at a time when regulators such as the OAIC and ASIC have indicated that they are focused on increasing their cyber and data breach enforcement activities and are looking to hold organisations to account for failures to adopt reasonable steps to safeguard systems and data.
• Simply reacting to the new rules will not be enough to outpace cyber risk, or regulatory and public expectations around how cyber risks are managed. We explore three essential cyber uplift activities that will help you address incoming cyber laws, but more importantly address underlying cyber risks.

What you need to do

• De-risk ransom – Cyber extortion remains a pervasive threat, and payment of a ransom demand remains the least viable (and least reliable) response. Mandatory ransom reporting does not legalise ransom payments, ameliorate a ransom attack or meet heightened policy and public expectations. De-risk the ransom threat with a carefully considered and thoroughly tested risk-based approach to ransom payment decision-making and planning.
• Limited use provisions are not a “safe harbour” – New restrictions on how cyber agencies use information inform just one part of cyber crisis communications strategy. In a significant cyber incident, your stakeholder list is long, and requires a scale of communications and legal infrastructure that is rarely built into crisis response plans. Build and test your capability to confidently communicate with cyber agencies, regulators, government, the media, customers, and the public, without creating further down-stream reputation or legal risks.
• Outpace regulator expectations before your next incident – Managing cyber risk is now a normal part of doing business – this means understanding that a breach is a case of "when", not "if". Understand the evolving expectations of regulators, and measure your cyber maturity against them. We provide a quick guide to the "new normal" of regulator expectations and how to establish a defensible position in a post incident investigation through redefining readiness.

New cyber security laws before Parliament

The Australian Government introduced a suite of cyber security legislation on 9 October 2024. The new bills are a long time coming – originally signalled as part of Australia's 2023-2030 Cyber Security Strategy, with proposals clarified through ongoing consultation.

Updating policies and playbooks to respond to the bills will not be enough to build the cyber readiness and maturity now expected by regulators, the market and the public – and to successfully navigate an increasingly hostile cyber threat environment.

In this article, we'll take a closer look at three key areas addressed by the reforms – and explain why adapting to the cyber bills is just one part of thorough and comprehensive planning for cyber incidents:

• obligations to report ransom payments don't change the fact that paying a ransom remains a legal, operational and reputation hurdle and in many cases is your least viable (and least reliable) option;
• new rules for how cyber agencies can use information are just one piece of your cyber crisis stakeholder management plan; and
• while cyber regulation is changing, regulators already have heightened expectations – we provide a quick guide to the "the new normal" of regulatory expectations.

The reforms are included in the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.

1. Paying a ransom is still the least viable (and least reliable) option

The new laws will require organisations to report the payment of ransoms within 72 hours, a step back from earlier proposals to also report ransom demands (although ransom threats and other security incidents may be reportable under other regimes like security of critical infrastructure legislation or privacy laws).

It is important to recognise:

• the new ransom payment reporting obligation is not a "safe harbour";
• paying a ransom may be an offence (for example, under sanctions laws, money laundering or terrorist financing laws) or may create other legal exposures for both organisations and directors; and
• the decision to pay a ransom can involve significant legal, operational and reputational risk – and requires robust legal and risk assessment.

While incident response playbooks will need to be updated to include ransom payment notification obligations and related governance, it is clear that paying a ransom remains the least viable (and least reliable) way of addressing cyber risk. Payment of a ransom does not guarantee data will be recovered, stolen data destroyed, or systems restored.

Best practice requires organisations to:

• have a clear understanding and assessment of what critical services and data they might need to pay a ransom to recover, in circumstances where there is no other adequate means of mitigating the risk of disruption or data loss; and
• take all reasonable steps to protect those critical systems and data and have robust recovery and response plans in place that would mitigate the need to otherwise pay a ransom.

‘De-risking ransom’ is a risk-based approach that aims to identify the high-risk systems and data where a company might need to consider paying a ransom, and ensures there is adequate security, business continuity, data retention, and harm mitigation/remediation in place. Doing so reduces the occasions where organisations may consider paying a ransom.

Being subject to a ransom demand is a known risk – if you do not have a sophisticated approach to readiness, response and recovery, you may be open to criticism that you are not managing the risk. In the current cyber climate, it is one of the most foreseeable risks an organisation can face, and readiness is more than a policy on payment.

2. "Limited use" is not a safe harbour – and only one part of cyber crisis stakeholder management

The bills introduce several "limited use" information control frameworks that are subtly but importantly different – limiting the use, recording and disclosure of information by cyber agencies to encourage closer engagement by industry.

Different use, recording and disclosure restrictions can apply depending on whether information is:

• held by the Australian Signals Directorate (ASD) or the National Cyber Security Coordinator (NCSC);
• included in a ransom payment report (and whether it is a mandatory part of that report);
• provided or obtained voluntarily or under a legal obligation;
• held by the NCSC and relates to a major cyber security incident (or not); or
• is provided or obtained on some other basis.

These factors also determine whether information may be admissible as evidence.

Importantly, some information can't be used for certain regulatory investigation or enforcement purposes, but these protections won't necessarily prevent criminal investigations.

The Government has taken pains to point out that the limited use regime is not a safe harbour – regulators may continue to exercise their existing powers (and in the case of Australia's privacy regulator, soon to be expanded powers) to take investigation and enforcement action.

These new "limited use" protections, if properly understood and operationalised in incident response playbooks, can allow more effective and responsible engagement with cyber agencies, with less friction.

While removing barriers to engagement with cyber agencies has been a long-standing priority, it is only one part of a complex information management puzzle.

Despite efforts to harmonise regimes, a cyber incident will usually involve mandatory and voluntary interactions with a range of regulators under different regimes.

In the midst of a cyber incident, organisations are under pressure for extremely high levels of transparency – not only from cyber agencies, government and regulators, but from business partners, suppliers, banks, partners, the media as well as customers and the broader public.

There is a lot of pressure to provide assurances, with high levels of confidence, that you are secure. Customers, suppliers and third parties may stop doing business with you until you are able to provide those assurances.

Decisions about what to disclose, when, and to whom can have significant implications for operational security, regulatory compliance, litigation risks, privilege, and stakeholder trust.

The right approach requires a combination of internal information management and assessment (to know what you know, versus what you suspect), strong communication and decision-making protocols, and effective and efficient legal guidance. And importantly, the right approach must be coordinated, streamlined, well-understood and tested.

This is not organisational discipline that can or should be developed mid-incident – it needs to be part of thorough and comprehensive planning.

Consider how your organisation could confidently respond to requests from third parties (including in your supply chain), customers, and regulators in the first 72 hours of an incident, such as:

• What data do you hold (and what data belongs to your supplier/customer)?
• What connectivity is there between your environment and a third party environment?
• When did you first become aware of this incident?
• What is the nature of the incident, have you been hacked and is it a ransomware attack?
• Has data been exfiltrated? If so what/how much?
• Have you engaged an independent incident response company to conduct an investigation. Will you provide their interim and final reports?
• Have you identified the initial vector of compromise and any control failures that led to the compromise?
• Describe the steps you have taken to contain the incident?
• What regulatory bodies have you notified/do you intend to notify?
• What additional controls have been put in place since the incident?
• Do you have MFA/endpoint monitoring in place across all your assets?
• Can you provide a summary of open action items from recent internal security reviews?
• What is your recovery timeframe and is this outside your recovery tolerance?
• What encryption do you have in place for all data?
• What network segregation did you have in place?

3. Cyber regulation is changing – but regulators have already changed

Cyber threats are no longer a new and unknown risk. The message from various regulators is consistent – patience is running thin for organisations that have failed to de-risk pervasive cyber threats.

After a strong focus on education, uplift, and warnings in recent years, regulators are adjusting their posture to focus more on enforcement and assurance – to make sure that industry has received the message.

A common thread underlies the various regulators and regulatory regimes – what reasonable steps, and what reasonable investments, have you taken to safeguard systems and data and build cyber readiness, response and resilience?

Regulators expect, and expect you to be able to demonstrate, thorough and comprehensive planning and clearly thought-out risk management.

How you respond in times of crisis is important but is fundamentally constrained by the planning, strategies and capabilities you have already put in place.

Below is our quick guide to help you navigate the "the new normal" of regulatory expectations, including some red flag indicators to watch out for. It is critical for business to understand these expectations and have assurance mechanisms in place to defensibly demonstrate how they are being met.

Authors: John MacPherson, Partner, Ashurst Risk Advisory; Emma Butler, Partner; Andrew Hilton, Expertise Counsel; Thomas Suters, Graduate.