Australia’s new Cyber Security Act 2024
Key Provisions of the Cyber Security Act 2024
1. Mandatory Ransomware Payment Reporting
Organisations with an annual turnover exceeding AUD $3 million, and responsible entities for critical infrastructure assets, are now required to report any ransomware payment made in response to a cyber incident. A report must be submitted to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of the payment being made (or of the entity becoming aware that a payment has been made on its behalf). The Act does not prohibit paying a ransom; it requires that the payment be reported. The measure aims to give government visibility of the frequency and impact of ransomware incidents, improve threat assessment, and discourage payments.
2. Security Standards for Smart Devices
The Act mandates that manufacturers and suppliers of smart devices (products capable of connecting to the internet) comply with minimum security standards. These standards, to be specified in Ministerial rules, require suppliers to provide a statement of compliance for devices supplied in Australia. The initiative seeks to reduce vulnerabilities in the rapidly expanding Internet of Things (IoT) ecosystem.
3. Limited Use Obligation
To encourage collaboration between the private sector and government during cyber incidents, the Act introduces a ‘limited use’ obligation. This provision restricts how information voluntarily provided to the National Cyber Security Coordinator can be used and disclosed, so that businesses can share sensitive incident information with greater confidence that it will not be turned against them. Limited use is not a general safe harbour: it does not prevent a regulator from acting on information it obtains through its own powers or from other sources.
4. Establishment of the Cyber Incident Review Board (CIRB)
The Act establishes the Cyber Incident Review Board, tasked with conducting no-fault post-incident reviews of significant cyber security incidents. Where voluntary cooperation is insufficient, the CIRB can issue notices compelling entities involved in an incident to produce information and specified documents. The Board’s findings are intended to inform best practice and improve national cyber resilience.
Implications for Australian Businesses
The Cyber Security Act 2024 imposes new obligations on businesses, particularly those exceeding the AUD $3 million turnover threshold or operating critical infrastructure. Compliance will require robust cyber security policies, incident response plans that build in the 72-hour ransomware reporting window, and staff training. Failure to meet the Act’s provisions can attract civil penalties under the Act as well as reputational damage.
Moreover, the mandatory reporting of ransomware payments and the CIRB’s investigative powers underscore the importance of transparency and accountability in cybersecurity practices. Businesses must be prepared to engage with government agencies and provide necessary information during cyber incident investigations.
Conclusion
The Cyber Security Act 2024 represents a comprehensive approach to enhancing Australia’s cybersecurity posture. By introducing mandatory reporting, setting security standards for smart devices, and fostering collaboration between the private sector and government, the Act aims to mitigate cyber threats and protect national interests.
Australian businesses must assess their cybersecurity frameworks and ensure compliance with the new legislation. Proactive engagement with the Act’s provisions will not only fulfill legal obligations but also contribute to a more secure and resilient digital environment for all Australians.