New cyber security legislative package: How will it impact organisations?

Following on from its privacy and AI reforms last month, the Commonwealth government has released another package of proposed legislation to tackle cyber security issues. The bills include the Cyber Security Bill 2024 (the Bill) and amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018 (SOCI Act).
While the package proposes several reforms, the initiatives expected to have the most immediate practical impact on organisations are highlighted below.

Mandatory 72-hour reporting obligation for ransom payments
Organisations other than small businesses must report any payments made in response to a cyber ransom event to the Australian Signals Directorate within 72 hours. This requirement is a significant shift from an earlier proposal that suggested any incident be reported, even if no payment was made.

The obligation also recognises that there will be circumstances where making a payment could be justified and seeks to preserve the legal rights of the disclosing entity, for instance, by excluding waiver of privilege. While the government has not pursued a complete ban on payments, they strongly advise against payments to make Australia a less attractive target for ransomware attacks.

Security standards for smart devices
New security requirements will apply to smart devices that form part of the Internet of Things. Manufacturers and suppliers of internet-connected products, such as televisions, speakers, watches and doorbells, will now need to meet the security standards for those devices. These may be in the form of secure default settings, unique device passwords, regular security updates and encryption of sensitive data. The details of the relevant standards and how they will interact with other existing product regulations are yet to be finalised.

Regulated use of information submitted to National Cyber Security Coordinator
There will be rules in place to govern how organisations use information submitted to the National Cyber Security Coordinator to ensure such information is used appropriately. This protection will not extend to a full "safe harbour" that was called for in many submissions made during the government's consultation process.

Instead of granting an organisation total immunity for the information it provides to the authorities after a cyber incident, the proposed rules will reassure them that the information can only be used and shared for prescribed purposes, such as assisting with incident response. Similar restrictions will apply to the Australian Signals Directorate when it receives such information, under the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024. 

New Cyber Incident Review Board
A new Cyber Incident Review Board will be established to review how cyber incidents are dealt with, including by compelling entities to produce information. This Board will assess certain types of major cyber incidents, such as those prejudicing Australia's defence or raising serious public concern, and identify learnings to share with government and industry to minimise further incidents. Any public finding that is made, though, is not to attribute fault or otherwise prejudice legal rights.   

SOCI Act extends to data systems associated with a critical infrastructure asset
The proposed amendments to the SOCI Act extend the legislation to apply to data systems associated with a critical infrastructure asset. It also introduces a new power for regulators to address significant weaknesses in entities' risk management programs when national security is at risk.