What is the Australian Cyber Security Act?
The newly passed Australian Cyber Security Act is part of the reform laid out in the 2023–2030 Australian Cyber Security Strategy. The legislation aims to fill gaps in Australia’s overall cyber resilience and support the government’s ambition to become the most secure country globally. The legislation enacts seven measures from the Cyber Security Strategy to ensure Australians trust their digital products, disrupt the ransomware business model, assist Australian organisations during cyber security incidents, and promote continuous learning and enhancement of cyber practices, policies, and procedures.
What does the Australian Cyber Security Act mean for organisations?
The act introduces several new requirements, most notably a new mandatory obligation to report ransomware payments and a voluntary reporting framework for cyber incidents.
Mandatory ransomware payment reporting
Organisations of a specific size will be required to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of payment. Failure to report these payments could result in a civil penalty of 60 penalty units. This obligation applies to organisations responsible for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth), and to organisations with annual revenue over $3M. However, these thresholds may be adjusted in future.
Voluntary reporting of new cyber incidents
A new framework for the voluntary reporting of cyber incidents, overseen by the National Cyber Security Coordinator (NCSC), has been introduced to encourage victims of cyber attacks to share information so that others can benefit from the knowledge. Any organisation operating in Australia can report a cyber incident. However, a “limited use” obligation restricts how the NCSC can use the information it receives.
Connected or IoT device security
The Australian government can now enforce security standards for connectable products, also known as “Internet of Things” or “smart” devices. All suppliers, wherever they are based, must comply with any standards introduced under this legislation in order to supply their products to the Australian market.
Cyber Incident Review Board
A new Cyber Incident Review Board has been created to carry out no-fault, post-incident reviews and offer recommendations; it has the authority to compel entities to share information.
Impact on the SOCI Act
In addition, the Security of Critical Infrastructure Act 2018 (SOCI Act) has been updated to clarify the cyber security requirements for business-critical systems covered by SOCI, expand government powers to assist critical infrastructure during cyber incidents, and simplify cyber security collaboration between government and business.
What steps must organisations take to ensure compliance?
- IT and security teams must immediately review any cybersecurity incident response plans.
- Implement changes where necessary, including the new mandatory ransomware payment reporting obligations.
- Critical infrastructure companies should review the changes to the SOCI Act to understand the updated requirements.
The new Cyber Security Act is critical in defending Australia against cyber threats. archTIS is proud to provide sovereign capability with world-class data-centric security solutions to help your organisation ensure the highest protection standards for managing sensitive data access and protection.
Contact us to learn more about how our information security solutions help meet a wide range of government and defence compliance requirements.