Navigating the new Cyber Security Act
As part of the goal to make Australia “the most cyber secure nation by 2030”, a Cyber Security Legislative Package was introduced into Federal Parliament on 9 October 2024 and passed on 25 November 2024.
The Legislative Package comprised three bills (Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024) which are set to come into effect in stages. The new cyber security laws also required amendments to the Freedom of Information Act 1982.
The package implements seven initiatives under the 2023-2030 Australian Cyber Security Strategy. It is intended to close legislative gaps, bring Australia into line with international best practice and help keep the nation on track to become a global leader in cyber security.
The measures will:
- mandate minimum cybersecurity standards for smart devices
- require certain businesses to report ransomware payments
- introduce ‘limited use’ obligations for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD), and
- establish a Cyber Incident Review Board.
Cyber Security Act and ransomware
Ransomware attacks continue to plague Australian businesses. In FY24, ransomware attacks accounted for 11% of all cyber incidents responded to by the ASD (up from 8% in the previous year) and 71% of all extortion-related cybersecurity incidents.
According to IT solution provider One Cloud:
- 54% of Australian organisations were hit with ransomware attacks in 2024
- the average ransomware demand made of Australian organisations is US$6.8 million, and
- ransomware incidents cost the Australian economy as much as $2.59 billion annually.
The standalone Cyber Security Act 2024 introduces several key changes of which businesses need to be aware, in particular with respect to ransomware payments.
While the Act does not prohibit the payment of a demand, it imposes reporting obligations if a payment is made.
Businesses with an annual turnover of more than $3 million, and any entity responsible for a critical infrastructure asset (regardless of turnover), will be subject to the mandatory reporting obligation.
The victim business (the “reporting business entity”) will need to make a report where an extorting entity demands a payment or other benefit in connection with a cyber security incident and the business, or someone acting on its behalf, makes that payment.
A cybersecurity incident is broadly defined under the Cyber Security Act and includes not only ransomware attacks but other incidents including denial of service and malware attacks.
Victim organisations will be required to submit a ransomware payment report via the ASD portal, with details including:
- the contact and business details of the reporting business entity
- details of the cybersecurity incident and its impact on the business
- the value of the demand made by the extorting entity
- use of any third-party ransom negotiator (including their contact and business details), and
- any communications with the extorting entity relating to the incident, demand and the payment.
The report must be submitted within 72 hours of making the payment or benefit, or becoming aware that it has been made.
Failure to comply contravenes a civil penalty provision, which means the reporting business entity could face a penalty of up to 60 penalty units.
This new obligation is in addition to any other reporting obligations the business already has, such as the Notifiable Data Breaches scheme under the Privacy Act, and other disclosure obligations such as the ASX’s continuous disclosure requirements, notes law firm Clayton Utz.
To support responses to cyber security incidents, but also safeguard the confidentiality of reporting entities, the information in the ransomware payment report may be recorded, used and disclosed by a designated Commonwealth body but only for a number of prescribed purposes.
Anticipated benefits of mandated reporting include enhancing the Australian Government’s collection of ransomware and cyber extortion demands and payments, to inform government efforts to assess the overall ransomware threat, provide assistance to law enforcement, and, hopefully, disrupt and break the ransomware business model, notes law firm Colin Biggers & Paisley.
Preparing for the changes
The mandatory reporting obligation is set to come into effect on a date fixed by proclamation or, otherwise, within six months following Royal Assent (which was granted on 29 November 2024).
Organisations and businesses impacted by the new laws need to navigate the new compliance landscape and update their processes and procedures to ensure they meet the requirements. Actions may include reviewing and updating trading terms and product documentation, cyber policies and incident response procedures.
In preparing for the changes, talk to your EBM Account Manager about your cyber security and data privacy obligations. Your broker can provide guidance on mitigating cyber risks (including ransomware attacks) and also discuss the options when it comes to cyber insurance.
Ransomware and insurance
While the Government maintains its position that ransoms should not be paid, whether to pay remains at the discretion of the victim. The choice needs to be made by the organisation, taking economic, operational, reputational, statutory and ethical matters into consideration. Now, if a ransom is paid, the payment will also need to be reported where the organisation is covered by the new law.
Some cyber insurance policies include cover for the paying of a ransom demand, but the decision to pay rests with the policyholder, not the insurer. In the event that the policyholder decides to pay, the ransom is paid by the policyholder, not the insurer, and coverage, if provided, may see that payment partially or fully reimbursed.
Cyber insurance plays a key role in helping businesses mitigate cyber risks and recover in the event an attack occurs. Depending on the policy, the cover can include:
- Risk assessment and mitigation – insurers help to assess vulnerabilities and reinforce preventative measures in a business’ cybersecurity strategy.
- Financial support – where offered, the policy can provide a financial back-up to make ransom payments and safeguard the business’ financial stability.
- Post-attack recovery – helps businesses to recover lost data, restore services, and improve security to prevent future attacks.
Given the frequency and severity of ransomware attacks, some insurers are excluding ransomware cover, while others have raised premiums. The focus of cyber insurers has firmly shifted from reacting to a cyberattack to helping to prevent one from occurring in the first place.
Mitigating the ransomware threat
The adage “prevention is better than cure” holds true when it comes to ransomware. Businesses can take practical steps to help mitigate the risk of falling victim to an attack. These may include:
Conducting a cybersecurity audit
Undertake a comprehensive cybersecurity audit to:
- evaluate cybersecurity measures and their alignment with the new legislation
- identify gaps in compliance or incident response procedures and prioritise them for remediation
- review and update policies, plans, procedures and protocols, and
- ensure the business is adequately protected with the right insurances.
Establishing ransomware protocols
Boards and management may look to:
- ensure regulatory compliance, employee training and incident response planning are integrated into a holistic cyber strategy (consider referring to the ASD’s Ransomware Playbook)
- determine the business’ position on paying ransoms, bearing in mind both the new obligation to report any payment and the risk that paying may contravene other laws, such as sanctions or anti-money laundering legislation, and
- develop incident response plans with clear protocols including reporting and managing ransomware payments if this is the path the business will take if extorted.
Implementing ransomware best practice
Measures may include:
- keeping software and operating systems (OS) up-to-date
- installing anti-virus software and firewalls
- implementing least privilege access
- turning on the ransomware protection features built into operating systems and endpoint security products
- using multi-factor authentication
- implementing endpoint security measures
- employing a business password manager or using unique passphrases
- minimising external-facing footprint
- securing servers, routers and wi-fi
- segmenting the network
- maintaining up-to-date back-ups that are kept offline or otherwise isolated from the main network, and regularly tested by restoring from them
- employing data lifecycle management
- regularly performing penetration tests
- training employees on cybersecurity awareness and best practices, and
- creating an incident response plan.
Next steps
With the introduction of the mandatory reporting obligation set to come into effect within six months, boards and businesses should begin preparing for the new regime. Talk to your EBM Account Manager about your risk exposures and the insurance options available to help protect your business including cyber and liability covers.