Tell me in 2 minutes
The Government has released a legislative package that implements a range of initiatives aimed at improving Australia’s cyber security, consistent with its 2023-2030 Cyber Security Strategy. These initiatives include improving the security of Internet of Things (IoT) devices, establishing a ransomware payment reporting regime, implementing limited use protections for information given to certain agencies, establishing a board to investigate serious cyber security incidents and making changes to security of critical infrastructure legislation relating to data storage systems, treatment of protected information and regulation of critical telecommunications assets.
Background
On 9 October 2024, the Government introduced its legislative package to implement key reforms to support its 2023-2030 Cyber Security Strategy. That strategy was first introduced by the previous Minister for Cyber Security, Clare O’Neil, in November 2023 following a consultation process that began in February 2023. Importantly, the change in the Minister responsible for Cyber Security has not changed the strategic direction of the strategy.
The legislative package generally implements the initiatives set out in the Legislative Reforms Consultation Paper (Consultation Paper) released in December 2023, which we discussed here.
Broadly, the key reforms in the legislative package are contained in three instruments:
- Cyber Security Bill 2024 (Cyber Security Bill)
- Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act)
- Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill)
Secure-by-design standards for smart devices
Context
The Consultation Paper set out the Government’s concern that ‘IoT’ devices that are directly or indirectly connectable to the Internet (such as TVs, fridges, wearables and doorbells) continue to be used by cyber threat actors to target consumers. This is an issue of scale, with reportedly 33.8 connected ‘smart devices’ per household in Australia by 2025. It is also an accelerating issue as IoT devices become ubiquitous.
The Government believes that the current voluntary Code of Practice for securing IoT Devices has had low levels of adoption across industry. It sees an opportunity to improve the security of IoT devices in line with the international market, including the United Kingdom (through its Product Safety and Telecommunications Infrastructure Act 2022) and the European Union (through its Cyber Resilience Act).
The rules may set security standards for connectable devices
The Cyber Security Bill establishes a framework to allow rules to prescribe mandatory security standards for products that can directly or indirectly connect to the internet (relevant connectable products) that will be acquired in Australia in specified circumstances.
The power to prescribe security standards is purposefully broad. The Government has not yet clarified what it might prescribe as ‘default’ or ‘built-in’ security features for such devices. Given that the Government has been heavily influenced by the UK approach, it is possible that we will see:
- prohibitions on overly simple default passwords,
- more transparency with consumers on the ‘support period’ for security updates on devices, so that they can make better informed purchasing decisions, and
- a requirement to have a mechanism for reporting of security vulnerabilities to manufacturers.
The intention is to align the prescribed standards with global standards
The Explanatory Memorandum acknowledges that prescribed standards may closely follow global best practice that Australia agrees should apply to smart devices that are available, or are reasonably expected to be made available, in Australia. The policy intent behind this is to align with international partners and uplift industry to develop smart devices that incorporate baseline cyber security settings.
Manufacturers and suppliers must only supply relevant connectable devices that comply with the prescribed standards
Obligations will be imposed on manufacturers to manufacture relevant connectable products in accordance with the prescribed standards, or to comply with other obligations set out in those standards. They will also be required to issue statements of compliance with the prescribed standards.
Suppliers of relevant connectable products in Australia will have a corresponding obligation not to supply relevant connectable products that are non-compliant with the prescribed standards and not to supply relevant connectable products without the applicable statement of compliance.
The enforcement regime is intended to be light touch
The enforcement regime is intended to be ‘light touch’. It gives the Secretary the power to issue enforcement notices, designed to encourage engagement with manufacturers and suppliers and to uplift industry best practice. Before issuing the enforcement notices, the Secretary will provide opportunities for manufacturers and suppliers to remediate non-compliance.
While there are no civil penalties for non-compliance, the Secretary has the power to issue a range of notices, including recall notices for non-compliant devices.
Ransomware payment reporting
Context
As foreshadowed, the Government proposes to introduce a ransomware payment reporting obligation to enable it to get better information on the size and scale of the ransomware problem in Australia. Pleasingly, the scope of the reporting obligation has been significantly narrowed from that initially proposed in the Consultation Paper to a more manageable and targeted obligation.
Who has to report?
The ransomware payment reporting obligation only applies to a reporting entity, being:
- an entity carrying on business in Australia that has annual turnover that exceeds a threshold to be specified (likely to be $3 million), and
- a responsible entity for a critical infrastructure asset that is under an obligation to notify cyber security incidents under Part 2B of the SOCI Act.
What has to be reported?
Where a reporting entity is subject to a cyber security incident and has received a demand from an extorting entity seeking to benefit from the incident, the entity must report the making of a payment by or on behalf of the reporting entity to the extorting entity (ransomware payment), as well as certain other information relating to the incident and communications with the extorting entity.
When does a report have to be made?
Within 72 hours of making the ransomware payment.
Ransomware payment reports can only be used and disclosed for limited purposes
The Cyber Security Bill includes limited use provisions that restrict the use and disclosure of information contained in a ransomware payment report. Broadly, these uses and disclosures are limited to assisting the reporting entity, a Commonwealth body or a State body (subject to State consent) to respond to, mitigate or resolve the incident, advising Ministers and performance by certain bodies of their statutory functions.
There are also secondary limitations on use and disclosure by recipients of ransomware payment reports.
There are important protections given to a ransomware payment report
Importantly:
- with limited exceptions, information in a ransomware payment report cannot be used or disclosed to investigate or enforce a breach of law (other than a criminal offence) by the reporting entity,
- with limited exceptions, the provision of information in a ransomware payment report is expressed not to affect any claims for legal professional privilege in that information,
- with limited exceptions, information in a ransomware payment report is not admissible in evidence against the reporting entity in proceedings for civil or most criminal offences, tribunal proceedings or proceedings for any breaches of laws (including the common law), and
- neither the entity, nor its officers, employees or agents, are liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in making a ransomware payment report.
Limited use rights for coordinator
The role of the Coordinator has been formalised
The Cyber Security Bill formalises in legislation the role of the Coordinator as being responsible for leading the whole of Government response to a significant cyber security incident, coordinating and triaging action in relation to the incident, and advising the Minister for Cyber Security and the Government on that whole of Government response.
Limited use applies to information voluntarily given to the Coordinator
The limited use provisions apply where information about a significant cyber security incident is voluntarily given to the Coordinator (Relevant Information) by an impacted entity that is carrying on business in Australia or that is a responsible entity for a critical infrastructure asset.
Relevant Information can only be used or disclosed for limited purposes
The Coordinator is subject to ‘limited use’ provisions that apply to Relevant Information. Importantly, these are not ‘safe harbours’ that give an impacted entity protection from the consequences of a cyber security incident.
The limited use provision means that the Coordinator can only use or disclose Relevant Information to assist the impacted entity to respond to, mitigate or resolve the incident, or for a set of permitted cyber security purposes. Broadly, these purposes are limited to assisting the impacted entity, a Commonwealth body or a State body (subject to State consent) to respond to, mitigate or resolve the incident, preventing or mitigating material risks to Australia or critical infrastructure assets, advising Ministers and performance by certain bodies of their statutory functions.
As is the case with ransomware payment reports, there are secondary limitations on use and disclosure by persons who receive Relevant Information from the Coordinator. These generally mirror the limitations imposed on the Coordinator.
There are important protections given to disclosures of Relevant Information
As is the case with ransomware payment reports:
- with limited exceptions, the Coordinator or any person who receives Relevant Information cannot use or disclose the information to investigate or enforce a breach of law (other than criminal offences) by the impacted entity,
- with limited exceptions, the provision of Relevant Information is expressed not to affect any claims for legal professional privilege in that information, and
- with limited exceptions, Relevant Information is not admissible in evidence against the reporting entity in proceedings for civil or most criminal offences, tribunal proceedings or proceedings for any breaches of laws (including the common law).
Limited use rights for ASD (and ACSC)
Context
Consistent with the limited use right in relation to the Coordinator, the legislative package also creates a limited use right in relation to information given to the ASD. This would also apply to the ACSC which is a part of the ASD.
The ASD limited use right has not been included in the Cyber Security Bill but has instead been incorporated into the Intelligence Services Act, which sets out the functions and powers of ASD.
ASD limited use only applies to certain information
The ASD limited use provisions apply where information about a cyber security incident is voluntarily given to the ASD by an impacted entity, is created by the ASD in performing its functions or is Relevant Information given to the ASD by the Coordinator (ASD Limited Use Information).
ASD Limited Use Information can only be used or disclosed for limited purposes
The limited use provisions restrict ASD in its use or disclosure of ASD Limited Use Information. Broadly, these uses and disclosures are limited to performance of ASD’s functions, assisting the reporting entity, a Commonwealth body or a State body (subject to State consent) to respond to, mitigate or resolve the incident, advising Ministers and performance by certain bodies of their statutory functions.
As is the case with the limited use rights on Relevant Information given to the Coordinator, there are secondary limitations on use and disclosure by persons who receive ASD Limited Use Information from ASD. These generally mirror the limitations imposed on ASD.
There are important protections given to disclosures of ASD Limited Use Information
As is the case with Relevant Information given to the Coordinator:
- any person who receives ASD Limited Use Information cannot use or disclose the information to investigate or enforce a breach of law by the impacted entity, other than a breach of a law that is a criminal offence,
- with limited exceptions, the provision of ASD Limited Use Information is expressed not to affect any claims for legal professional privilege in that information, and
- with limited exceptions, ASD Limited Use Information is not admissible in evidence against the reporting entity in proceedings for civil or most criminal offences, tribunal proceedings or proceedings for any breaches of laws (including the common law).
Establishment of Cyber Incident Review Board (CIRB)
Context
Possibly inspired by the model of the Transport Safety Bureau, the Cyber Security Bill establishes the CIRB as a new independent statutory advisory body within the Department of Home Affairs portfolio to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The CIRB will review the vulnerabilities that led to a significant cyber security incident and provide recommendations to industry and Government for improved cyber security practices.
Membership of the CIRB
The CIRB will consist of a Chair and up to 6 other standing members. It may also establish an Expert Panel to assist it in undertaking reviews of significant cyber security incidents. It will establish a separate review panel for each incident it reviews.
The CIRB will investigate important cyber security incidents
The CIRB will investigate a cyber security incident if a referral is made by the Minister for Cyber Security, the Coordinator or an entity impacted by the incident. It can also investigate an incident if a member of the CIRB makes a referral.
However, an investigation can only be undertaken if the cyber security incident is important enough to meet specified criteria, including where it is novel or has seriously prejudiced the social or economic stability of Australia, the defence of Australia or national security.
Importantly, it is not a function of the CIRB to apportion blame in relation to a cyber security incident or to provide the means to determine the liability of any entity in relation to a cyber security incident.
The CIRB has complete discretion in the performance of its functions and is not subject to direction by any person in relation to them.
The CIRB has powers to compel production of documents
The CIRB may request entities as well as Commonwealth or State bodies to voluntarily produce information for a review of an incident. However, it also has the power to compel entities involved in an incident to produce documents relevant to the review.
The CIRB must produce draft, protected and final review reports
The CIRB will generally produce 3 reports:
- a draft review report with its preliminary findings,
- a final review report that excludes sensitive information; this report will be made generally and publicly available, and
- a protected review report that includes sensitive information redacted from the final review report.
Information can only be used or disclosed for limited purposes
Like the Coordinator, the CIRB is subject to ‘limited use’ provisions that apply to information given to the CIRB (CIRB Information). This means that the CIRB can only use or disclose CIRB Information for specific purposes. Broadly, these purposes are limited to performance of CIRB functions, advising Ministers and performance by certain bodies of their statutory functions. There are secondary limitations on use and disclosure by persons who receive CIRB Information. These mirror the limitations imposed on the CIRB.
CIRB Information cannot be used for enforcement
CIRB Information cannot be used for the purposes of assisting an investigation or enforcement of a breach of any laws by the entity that provided the information, other than a breach of Part 5 of the Cyber Security Bill, or a breach of a law that is a criminal offence. This does not apply to information contained in the public final review report.
There are important protections given to disclosures of CIRB Information
As is the case with ransomware payment reports:
- with limited exceptions, the CIRB or any person who receives CIRB Information cannot use the information to investigate or enforce a breach of law (other than criminal offences) by the impacted entity,
- with limited exceptions, the provision of CIRB Information is expressed not to affect any claims for legal professional privilege in that information,
- with limited exceptions, CIRB Information is not admissible in evidence against the entity that provided the information in proceedings for civil or most criminal offences, tribunal proceedings or proceedings for any breaches of laws (including the common law), and
- neither the entity who provided the information, nor its officers, employees or agents, are liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with a direction from the CIRB to produce documents.
Application of Cyber Security Bill
The Cyber Security Bill has extra-territorial effect
The Cyber Security Bill explicitly applies both inside and outside of Australia. The rationale for this is that cyber security incidents do not respect the boundaries of nation states. An entity located in Australia may procure services from an entity located in another jurisdiction that is subject to a cyber security incident, or an entity may be operating in both Australia and other jurisdictions and be impacted by a cyber security incident.
The Cyber Security Bill applies to non-legal persons
The Cyber Security Bill will also extend to entities that are non-legal persons and confers rights and imposes obligations on persons who are accountable persons for those entities. These include partnerships, trusts and unincorporated associations.
This means that for non-legal persons, liability for contravening the Cyber Security Bill extends to all accountable persons who committed the offence, aided, abetted, counselled or procured the offence, or were knowingly involved in the offence.
Documents given to the Coordinator are FOI exempt
Under changes to the Freedom of Information Act 1982 (Cth) made under the amendments to the Intelligence Services Act, the Minister and agencies are exempt from the FOI Act in relation to documents given to the Coordinator under Part 4 of the Cyber Security Bill.
Extension of SOCI Act to cover data storage systems and business critical data
Context
Some recent major cyber security incidents made it apparent that certain definitions of critical infrastructure assets in the SOCI Act did not include data storage systems and data that were important to the operation of those assets. This meant that the Government assistance powers to seek information or give directions may not technically have applied to those data storage systems and business critical data. This has been addressed in the proposed changes to the SOCI Act.
Critical Infrastructure Assets now specifically include data storage systems
A critical infrastructure asset now includes a data storage system that:
- is owned or operated by the responsible entity for the critical infrastructure asset, and is used in connection with the asset,
- stores or processes critical business data, and
- is exposed to a hazard that has a material risk of impacting the data storage system and also carries a material risk of causing a relevant impact on the asset.
Importantly, it appears that the critical infrastructure asset will not include critical data storage or processing assets for which another entity is the responsible entity or data storage assets that have been outsourced to a third party. This is because the relevant data storage system is not owned or operated by the responsible entity for the critical infrastructure asset.
Effect of change
The effect of this extension of the definition of critical infrastructure asset is that:
- registrations of ownership and operational information under Part 2 of the SOCI Act will need to be updated to include data storage systems,
- notifications of cyber security incidents will extend to incidents affecting data storage systems (although we would expect that these would have had a relevant impact on the asset anyway), and
- critical infrastructure risk management plans will need to cover data storage systems.
The changes will take effect on the earlier of a date to be fixed by Proclamation and 6 months after Royal Assent is received. They will apply to critical infrastructure assets that are in existence before the change takes effect, as well as to any new critical infrastructure assets.
Extension of government powers beyond cyber security incidents
Context
The existing government assistance powers in Part 3A of the SOCI Act only apply where there is a serious cyber security incident and are limited to responding to the incident and resolving the technical factors of that incident.
As a result of some recent major incidents, the Government considers that this does not adequately consider or address non-cyber incidents nor the consequential impacts of incidents on other critical infrastructure assets.
The amendments are therefore intended to use the SOCI Act framework to give the Government the power to respond to incidents caused by disruptions to critical infrastructure assets. Incidents could be natural or man-made, so long as they impact the availability, integrity and reliability of the critical infrastructure asset. This includes incidents from all types of hazards, such as cyber and information hazards, physical and natural hazards, personnel hazards, and supply chain hazards.
Only Information Gathering and Direction Powers extend to non-cyber incidents
In general terms, the amendments mean that:
- the power to issue information gathering directions applies to incidents more broadly, not just cyber security incidents, and
- the power to issue an action direction to a relevant entity to do, or omit to do, something also applies to incidents more broadly.
However, the extension of Government assistance powers does not extend to the power to give intervention requests under which ASD has the right to ‘step in’ to the computer systems of a responsible entity for a critical infrastructure asset. This means that the step-in power remains limited to the occurrence of a serious cyber security incident.
Simplification of protected information provisions
Context
One of the parts of the SOCI Act that responsible entities have had significant difficulty in interpreting and implementing on a practical day-to-day basis has been the provisions that relate to use and disclosure of Protected Information. This has partly been because of the breadth of the definition of Protected Information, and how that interacts with information (particularly risk management information) that entities need to use and disclose as part of their normal operations, or as part of their commercial arrangements in dealing with their critical infrastructure assets.
Definition of protected information has been narrowed
In response to concerns from industry, the definition of protected information has now been narrowed. The existing definition has largely been replicated in a new concept of ‘relevant information’, while protected information is now defined by reference to likely harm to the national interest, commercial sensitivity and impact on critical infrastructure assets.
A responsible entity’s ability to deal with its Protected Information has been made less restrictive
New provisions have been included that clarify that a relevant entity for a critical infrastructure asset can use or disclose protected information to operate its asset or for the entity’s own business, professional, commercial or financial affairs.
Power to direct CIRMP variation
The Government has realised that there is a gap in its power to enforce critical infrastructure risk management obligations. While responsible entities are required to have a critical infrastructure risk management plan (CIRMP) and to provide annual reports attesting that it is up to date, the Cyber and Infrastructure Security Centre (CISC) has had no power to compel a responsible entity to vary its CIRMP if the CIRMP is considered deficient.
The amendments give the CISC the power to require a responsible entity to vary a CIRMP to address a serious deficiency. This is a deficiency that poses a material risk to national security, the defence of Australia, or the social or economic stability of Australia.
Consolidation of telecommunications security requirements in SOCI Act
Context
At the time the scope of the SOCI Act was significantly extended in 2021, the Government decided to incorporate certain SOCI obligations in relation to critical telecommunications assets in licence conditions issued under the Telecommunications Act 1991 (Cth) (Telco Act). This was partly in recognition of the fact that carriers and carriage service providers already had obligations to protect their assets and to do their best to assist Government in relation to national security and the enforcement of the criminal law.
The current Government has now decided to reverse that decision and to regulate the telecommunications sector with the other critical infrastructure sectors under the SOCI Act. This has involved moving and amending the bulk of Part 14 of the Telco Act into the SOCI Act.
Responsible entities must protect critical telecommunications assets
The amendments do not themselves specify the critical telecommunications assets that will be subject to the new Telco SOCI obligations. These assets will be defined in rules, noting that the assets may be prescribed by class.
The key protection obligations imposed on responsible entities for critical telecommunications assets reflect the provisions of section 313 of the Telco Act, uplifted and modified for the SOCI Act. These include an obligation, for the purposes of security, to:
- so far as reasonably practicable, protect the asset to ensure:
  - the confidentiality of communications carried on, and information contained on, the asset, and
  - the availability and integrity of the asset, and
- comply with a telecommunications critical risk management plan and the requirement to maintain competent supervision of, and effective control over, the asset.
The obligation to maintain competent supervision and effective control of the asset is aimed at ensuring that responsible entities for critical telecommunications assets build security considerations into their supply chain arrangements with suppliers of equipment, services and support, particularly where data storage, service delivery, operation or support is to be provided from offshore locations.
Responsible entities must notify changes to services or networks
The provisions of existing section 314A of the Telco Act have been modified and enhanced in the SOCI Act. Responsible entities must notify the Secretary of any change or proposed change to a telecommunications system that is likely to have a material adverse effect on their capacity to comply with their obligations to protect their critical telecommunications asset. This change is not intended to apply retrospectively and doesn’t apply to existing systems.
Minister can direct the cessation of services if prejudicial to security
Similar to existing section 315B of the Telco Act, the Minister for Cyber Security can give a direction to a responsible entity not to use or supply, or to cease using or supplying, carriage services if that use or supply is considered prejudicial to security. The direction cannot be expressed to apply to the supply of services to a particular person or a particular class of person.