On 25 November 2024, the Federal Government passed significant cyber security legislation. These reforms, fast-tracked following recommendations from the Parliamentary Joint Committee on Intelligence and Security (PJCIS), reflect proposals set out in the 2023–2030 Cyber Security Strategy Action Plan.
The legislative package comprises three key acts:
- Cyber Security Act 2024 (Cyber Security Act)
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act)
While the reforms include several updates, we have done our best to distill the reforms down to the top few likely to affect your business.
Mandatory Reporting of Ransomware Payments
Ransomware attacks have become a growing concern for Australian businesses, prompting the government to mandate the reporting of any ransom payments. Under the Cyber Security Act 2024, organisations must report such payments within 72 hours to the Department of Home Affairs and the Australian Signals Directorate (ASD).
Who is affected?
This obligation applies to:
- Critical infrastructure entities.
- Businesses operating in Australia with an annual turnover exceeding AU$3 million.
Failure to comply can result in penalties of up to AU$93,900. Importantly, this obligation is triggered only upon payment of a ransom, not on receiving a ransomware demand. As a result, boards and executives must weigh the risks of paying (e.g., encouraging future attacks) versus the operational impacts of non-payment (e.g., loss of data or systems).
Voluntary Reporting
The legislation seeks to encourage a collaborative approach to cyber defence through a voluntary reporting regime. Organisations can share information about cyber incidents with the newly established National Cyber Security Coordinator (NCSC) to receive guidance and assistance.
For significant cyber incidents—those with potential to affect national security or economic stability—the NCSC may coordinate broader government responses. Organisations can benefit from shared intelligence without the fear of public exposure or additional regulatory scrutiny, thanks to the limited use protections outlined in the legislation.
Limited Use Protections
A key feature of the reforms is the Limited Use Protection for information disclosed under both mandatory and voluntary reporting obligations. This ensures:
- Information provided cannot be used as evidence in criminal, civil penalty, or civil proceedings, including breaches of common law.
- Details cannot be used to enforce unrelated legal breaches, such as anti-money laundering or sanctions violations.
However, these protections are not a "safe harbour". Other regulators can still obtain the same information through their own investigatory powers or mandatory reporting obligations under laws like the Privacy Act or SOCI Act. Additionally, the government may use the disclosed information to assist other entities facing similar threats.
Key Takeaways for Businesses
The Cyber Security Legislation introduces significant changes that businesses must adapt to. Here are the critical actions you should prioritise:
- Update cyber response plans: Ensure your processes address mandatory ransomware reporting requirements and timelines.
- Test decision-making frameworks: Prepare executives and boards to evaluate the risks of ransom payments versus the consequences of non-payment.
- Leverage voluntary reporting: Use the NCSC framework to seek government assistance and contribute to collective cyber defence.
- Review protections and risks: Understand the limits of the new limited use protections and prepare for overlapping reporting obligations under other laws.
At The Virtual IT Department, we specialise in helping organisations navigate complex compliance requirements and enhance their cyber security posture.
If you're unsure how these reforms affect your business, or you need help updating your cyber response plans, get in touch with us today.