The Government has introduced the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 into the House of Representatives to require reporting of cyber security incidents.
UPDATE: Both Bills passed both Houses on 25 November 2024 and were given Royal Assent on 29 November 2024.
The ransomware reporting obligation will commence on 30 May 2025.
If passed, the Cyber Security Bill will:
- Establish the power to mandate security standards for smart devices that are either internet- or network-connectable;
- Introduce a mandatory reporting obligation for entities that are affected by a cyber security incident, receive a ransomware demand and elect to make a payment or give a benefit in connection with that cyber security incident;
- Establish a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be used and shared with other government agencies, including regulators; and
- Establish a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.
The Bill uses the definition of a cyber security incident in section 12M of the Security of Critical Infrastructure Act 2018.
The Bill covers when information is intercepted, an extortion demand is received and a payment is made in relation to that information.
The Bill will require a mandatory report to be made when:
- A cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
- An extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity;
- The reporting business entity provides or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.
Reports will be made to the Department of Home Affairs through a portal available on cyber.gov.au, which is administered by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC).
These reports must be made within 72 hours of the payment being made, or the reporting entity becoming aware of the payment being made.
The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 to legislate a limited use obligation that protects information voluntarily provided to, or acquired or prepared by, the Australian Signals Directorate (ASD) during an impacted entity’s engagement with ASD in relation to a cyber security incident, or a cyber security incident that may potentially occur.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.