Australia has taken a significant step forward in cyber resilience with the passing of its first-ever Cyber Security Act on November 25. This groundbreaking law sets new standards for incident reporting, ransomware payments, and critical infrastructure protection, aligning with the nation’s Cyber Security Strategy 2023-2030.
Key Provisions:
- Mandatory Ransomware Payment Reporting: Organisations must report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours. Failing to do so could result in a civil penalty of up to AUD $93,900. This applies to businesses with turnovers above AUD $3 million. Despite this mandate, the government advises against paying ransoms, as it fuels the cybercrime business model and does not guarantee data recovery or confidentiality.
- Voluntary Cyber Incident Reporting: A new framework encourages free information sharing on cyber incidents to benefit both private and public sectors. Reports, overseen by the National Cyber Security Coordinator (NCSC), can be used to prevent or mitigate risks to critical infrastructure and support intelligence or enforcement agencies.
Impact on Organisations:
- Reporting Obligations: Organisations must adjust their incident response plans to comply with the new mandatory ransomware payment reporting requirements and the new voluntary reporting regime for cyber incidents.
- Coordination with Government: During a cyber attack, organisations must be prepared to communicate with government authorities in new ways, particularly the NCSC.
Additional Measures:
- IoT Device Security: The government will enforce security standards for Internet of Things devices. Global suppliers must comply with these standards to continue supplying to the Australian market.
- Cyber Incident Review Board: Significant cyber incidents will be reviewed by this board, which will conduct no-fault post-incident reviews, provide recommendations, and have the power to compel entities to provide information.
- Broader Legislative Package: The Cyber Security Act is part of a broader legislative initiative, including updates to the Security of Critical Infrastructure (SOCI) Act 2019. The SOCI Act now classifies data storage systems holding business-critical data as critical infrastructure assets.
Experts advise IT and security leaders to review and update their cyber incident response plans. This includes integrating the new mandatory ransomware payment reporting obligations and coordination with the NCSC into their strategies. Organisations may also have overlapping reporting requirements under Australia’s privacy laws and the SOCI Act, in addition to continuous disclosure obligations if they are listed on the Australian Stock Exchange.