INSIGHT

New cyber incident response obligations for Australian organisations

By Valeska Bloch, William Coote, Elizabeth Brown, Harry Chapman

Mandatory reporting, legal protections, government intervention and more

The Australian Government has introduced into Parliament the following Bills as part of a suite of reforms to strengthen cyber security laws in Australia:

  • the Cyber Security Bill 2024 (the Cyber Security Bill);
  • the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024; and
  • the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (the SOCI Amendment Bill).

If passed, these Bills will implement reforms foreshadowed in the 2023-2030 Australian Cyber Security Strategy (Strategy) and the related Consultation Paper (Consultation Paper).

In this Insight, we unpack the key takeaways and the steps organisations should take in response.

Key takeaways

  • Organisations will need to update their cyber incident response plans, processes and playbooks to address:
    • ransomware payment reporting obligations;
    • new requirements to respond to government intervention under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) (as applicable); and
    • voluntary notifications to the National Cyber Security Coordinator (Cyber Coordinator) and mandatory notifications to the Cyber Incident Review Board (CIRB)—this should include guidance as to what information should be provided and what reviews need to be undertaken of such information prior to disclosure.
  • Pleasingly, in response to industry feedback that information provided under the limited use obligation could be subpoenaed by regulators or class action plaintiffs, the Bills clarify that:
    • cyber incident information that has been voluntarily provided to the Cyber Coordinator and the Australian Signals Directorate (ASD) will not be admissible in civil proceedings (which includes regulatory enforcement action and legislative and common law claims); and
    • any legal professional privilege (LPP) that may attach to that information is not waived—although organisations will need to consider: (i) whether this will be effective in circumstances where such information is shared amongst government agencies; and (ii) the additional controls that may need to be implemented to address any residual risk.
  • SOCI Act-regulated organisations that are required to have a risk management program in place will need to expand their risk management programs to cover critical data storage systems that hold business critical data and ensure these programs are compliant with the new requirements.
  • Telecommunications sector organisations should carefully consider the now consolidated, strengthened and clarified telecommunications sector security reforms, which will now be regulated under the SOCI Act.

Cyber Security Bill: overview and commentary

New mandatory ransomware payment reporting regime

Summary

Part 3 of the Cyber Security Bill imposes mandatory ransomware payment reporting obligations on two categories of entities:

  • Category 1—entities that:
    • carry on business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold (which is likely to be $3 million)[1];
    • are not federal or state bodies; and
    • are not defined as responsible entities for a critical infrastructure asset under the SOCI Act.
  • Category 2—responsible entities for a critical infrastructure asset to which Part 2B of the SOCI Act applies. Practically, this means almost all responsible entities will be caught, given Part 2B applies to most critical infrastructure asset classes. These responsible entities will be caught even where their annual turnover does not exceed the turnover threshold, or where they are federal or state bodies.

The reporting obligation is triggered where:

  • the incident is a cyber security incident that has occurred, is occurring or is imminent;
  • the incident has had, is having or could reasonably be expected to have an impact on the reporting entity;
  • the extorting entity makes a demand in an attempt to benefit from the incident; and
  • the reporting entity provides, or is aware that another entity has provided on their behalf, a payment or benefit to the extorting entity directly related to the demand.

Reports must be made to the designated federal body (which will be set out in the rules and if not, will be the Department of Home Affairs and the ASD) within 72 hours of making or becoming aware of the ransomware payment.

Commentary

The rationale for mandatory reporting is the Government's limited visibility over threats to the private sector and the current underreporting of ransomware payments.

A ransomware reporting regime has previously been supported by both major parties so we expect this reporting regime will receive bipartisan support.

Two key elements of the Government's proposal are:

  • reporting obligations will be triggered on payment of a ransom, rather than on awareness of an extortion attempt, or commencement of negotiations with threat actors; and
  • the reporting obligations extend to cyber theft extortion (holding data hostage), not just ransomware (locking functionality).

Restrictions on use of ransomware payment reports

Importantly, the Cyber Bill makes clear that ransomware payment reports may only be used or disclosed by the designated federal body or a secondary entity (if such reports are disclosed by the designated federal body), in limited circumstances. Relevantly, the designated federal body must not use or disclose the relevant information it obtains for the purposes of investigating or enforcing any contravention by the reporting business entity of a federal, state or territory law (other than a law that imposes a penalty for a criminal offence).

To the extent that payment of a ransom is an offence under criminal sanctions, terrorism financing or other financial crime laws, federal or state bodies will be permitted to record, use or disclose the information.

Admissibility in proceedings

The Cyber Bill clarifies that information in ransomware payment reports is inadmissible in a broad range of proceedings—including for certain criminal proceedings, civil proceedings for contraventions of civil penalties and proceedings for breaches of any federal, state or territory laws (including the common law). Whilst this provision does not amount to safe harbour from all criminal liability, it does provide broad comfort that information (which is not subject to LPP) may not be admitted in legal proceedings.

Importantly, because this protection is specifically expressed to attach to information provided by the reporting entity, careful consideration will need to be given in circumstances where a group of companies has suffered an incident.

Claims of legal professional privilege

The Cyber Bill also expressly states that information provided in a ransomware payment report does not affect a claim of LPP that anyone may make in relation to information in any proceedings. The express LPP carveout is important as statutory provisions that abrogate legal professional privilege must do so expressly and unambiguously.[2] However, the position as to whether and when provision of information the subject of LPP to government agencies constitutes a waiver of LPP is far from settled.[3] Further, the protections in respect of LPP are not as broad or far reaching as those in respect of the admissibility of evidence (see below). Accordingly, careful consideration will need to be given prior to the disclosure of any material to which LPP may apply.

Limited use

Summary

Part 4 of the Cyber Security Bill implements a framework for voluntary disclosure of information to the Cyber Coordinator in relation to cyber security incidents.

The Cyber Coordinator may use information that is voluntarily disclosed to it in relation to a cyber security incident that is not a significant cyber security incident for relatively limited purposes (ie directing the reporting entity to other services that may be able to assist, coordinating a whole-of-government response where necessary and informing relevant ministers).[4]

If the information disclosed relates to an incident that is a significant cyber security incident, the purposes for which the information may be used and disclosed by the Cyber Coordinator are broader. These include Permitted Cyber Security Purposes (eg for purposes relating to: (i) preventing or mitigating material risks to a critical infrastructure asset or national security, and (ii) the performance of the functions of an intelligence agency or an enforcement body).[5]

A cyber security incident will be a significant cyber security incident if:

  • there is a material risk that the cyber security incident has seriously prejudiced, is seriously prejudicing or could reasonably be expected to prejudice the social or economic stability of Australia or its people, the defence of Australia or national security; or
  • the incident is, or could reasonably be expected to be, of serious concern to the Australian people.

In relation to a significant cyber security incident, information disclosure is encouraged (but is not compulsory) if:

  • an incident has occurred, is occurring or is imminent;
  • the incident is a cyber security incident;
  • the incident has had, is having or could reasonably be expected to have a direct or indirect impact on the impacted entity; and
  • the impacted entity carries on business in Australia or is otherwise a responsible entity for a critical infrastructure asset.

Information provided to the Cyber Coordinator is subject to similar secondary disclosure restrictions and legal protections (eg in respect of the inadmissibility of information and the preservation of LPP) as provided for in respect of information disclosure relating to ransomware payments (see above).

Commentary

In practice, entities often notify the Cyber Coordinator voluntarily. This framework formalises this process and, in particular, provides a number of important protections that we consider should result in a freer flow of information to the relevant agencies.

Notwithstanding this, and given the lack of safe harbour, careful consideration is still required in assessing what information is to be provided to the Cyber Coordinator—especially in respect of information that may be subject to LPP and is disclosed on a voluntary basis.

Cyber Incident Review Board (CIRB)

Summary

Part 5 of the Cyber Security Bill establishes the CIRB. Modelled off the Cyber Safety Review Board in the U.S., the CIRB will review certain cyber security incidents and make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of cyber security incidents.

The CIRB may:

  • perform a review if the incident seriously prejudiced, or could reasonably be expected to seriously prejudice, the social or economic stability, defence or national security of Australia; and
  • request (including compulsorily) documents from entities as part of its review.

Reviews are to be conducted by review panels consisting of the Chair of the CIRB, standing members of the CIRB and members of the Expert Panel (established by the CIRB) appointed to assist.

Commentary

Although there are undoubtedly benefits to the establishment of an independent advisory body to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia, it will be important for organisations to consider the time and resources required to facilitate CIRB post-incident reviews and the potential exposure to the organisation (and at a board level) for non-compliance.

In respect of information obtained by the CIRB, the Cyber Bill sets out disclosure limitations in the context of the CIRB that are similar to those prescribed in relation to ransomware payment reporting and voluntary disclosure to the Cyber Coordinator (see above).

It is unclear whether the CIRB's powers to require the production of relevant information would extend to the power to require the production of material the subject of LPP. In any event, careful consideration should be given prior to the disclosure of any material (either on a voluntary or compulsory basis) that is subject to LPP.

Security standards for IoT

Summary

Part 2 of the Cyber Security Bill enables the Government to define mandatory security standards for products acquired in Australia that can directly or indirectly connect to the internet (referred to as 'connectable products'). If the rules provide a security standard for a product:

  • manufacturers must manufacture the product in compliance with the security standard, if they are aware or could reasonably be expected to be aware that the product will be acquired in Australia;
  • manufacturers must comply with any other obligations relating to the product in the security standard;
  • if the product does not comply, it must not be supplied in Australia if the supplier is aware or could reasonably be expected to be aware that the product will be acquired in Australia;
  • supply of products in Australia must be accompanied by a statement of compliance; and
  • non-compliance may result in a stop notice and/or recall notice.

Commentary

The rules-based model to implementing mandatory security standards provides flexibility to introduce and update security standards as required. This is important given technology is constantly evolving—product compliance may be achieved at the time of release, but may require updating in response to specific cyber security threats and risks. Interestingly, the voluntary Code of Practice: Securing the Internet of Things for Consumers (the Code of Practice), implemented by the Government in 2020 and which sets out guidance for IoT manufacturers aligned to the international ETSI EN 303 645 standard, has had low levels of adoption across industry.

Importantly, the rules and relevant security standards themselves have not yet been released. While we anticipate, based on the Consultation Paper, that the rules will impose cyber security standards 'consistent with the international market', the extent to which this is reflected in practice is to be determined. Promisingly, the definition of 'relevant connectable product' in the Cyber Security Bill[6] is consistent with the Product Safety and Telecommunications Act 2022 (UK). The Cyber Security Bill also provides an ability to update the rules to address vulnerabilities,[7] consistent with the Cyber Resilience Act 2024 (EU).

SOCI Amendment Bill: overview and commentary

Data storage systems that hold business critical data 

Summary

Part 1 of the SOCI Amendment Bill would expand the types of assets regulated as critical infrastructure assets under the SOCI Act to include data storage systems that hold business critical data. Under the proposed reforms, a data storage system is part of a critical infrastructure asset if:

  • a responsible entity for a critical infrastructure asset owns or operates the data storage system;
  • the data storage system is used (or is to be used) in connection with the critical infrastructure asset;
  • business critical data is stored or processed by that system; and
  • material risks of a hazard occurring to that system could impact that system in a way that could have a relevant impact on the critical infrastructure asset.

Commentary

This amendment is a direct response to the Optus and Medibank data breaches—in both cases there was a very large compromise of personal information, but the underlying critical infrastructure assets (ie the telco network and insurance business) continued to operate substantially unaffected. In practice, this meant the government assistance powers under the SOCI Act (eg the power to require the production of information in relation to an incident), were not available to the Government.

The proposed reform means a broader range of assets will be regulated by the SOCI Act and, therefore, regulated entities must consider these 'data storage systems' in light of their SOCI Act obligations.

The consequences of this seemingly minor amendment are widespread (given the number of obligations tied to the definition of a critical infrastructure asset). For example:

  • entities will need to ensure (to the extent it is switched on) that their risk management program addresses these data storage systems as part of their critical infrastructure asset; and
  • the government assistance powers (including the new consequence management powers) will apply to a broader range of incidents.

New government consequence management powers 

Summary

Part 2 of the SOCI Amendment Bill proposes to expand the current government assistance powers under the SOCI Act[8] to apply to a broader range of incidents.

The effect of this amendment, if exercised by the Government, is that the Government will have the power to direct an entity to take action in response to incidents more broadly and not just cyber incidents.

This change will apply to critical infrastructure assets and will also indirectly affect critical infrastructure sector assets. The changes will mean the Government can manage the impact of incidents, particularly where those incidents have broader consequences for the Australian critical infrastructure ecosystem.

This power does not, however, amend the current intervention power afforded to the Government—that will still apply in a limited manner to cyber security incidents.

Commentary

In our experience, organisations are generally best placed, motivated and have the most skills and resources to manage the consequences of an incident affecting their asset(s). Whilst the Department of Home Affairs acknowledged this in the Consultation Paper,[9] it has proceeded with introducing greater powers for the Government to intervene in the wake of a broader range of incidents.

The amendment is a very broad executive power and has the potential to adversely impact organisations if exercised inappropriately. Whilst the threshold triggering this power is high (and includes the additional safeguards proposed under the SOCI Amendment Bill—namely that any authorisation relating to a direction to disclose personal information will require agreement from the responsible Minister for the Privacy Act), there is the potential that the Government may be able to inappropriately intervene and impose overly onerous obligations on an entity in the wake of an incident.

Protected Information

Summary

The Government has proposed a welcome amendment to the rules for using and disclosing protected information. The current protected information sharing regime under the SOCI Act is overly complicated and a little unclear.

In order to clarify when protected information can be disclosed and used, the Government has introduced a new definition of protected information tied to a harm-based threshold, and which now also includes a non-exhaustive list of 'relevant information'.

The SOCI Amendment Bill also clarifies that the use and disclosure of protected information will be authorised where that use or disclosure is:

  • by a relevant entity (that is not the Government) and is conducted for a purpose related to the continued operation of the relevant asset, or to mitigate a risk to the availability, integrity, reliability or security of a critical infrastructure asset; and
  • for the purpose of an entity's business, professional, commercial or financial affairs, where the protected information was obtained, generated or adopted by the relevant entity for the purpose of complying with the SOCI Act.

Commentary

These clarifications align with the purpose of the current disclosure regime and largely address industry and regulated entities' concerns with the current protected information regime.

The changes (in particular the introduction of new section 43F) will ensure that entities can share protected information in the ordinary course of operating their asset(s) and their business, such as when engaging service providers or engaging in M&A activity (common circumstances where we have seen the current regime cause issues).

Government oversight of the Risk Management Program obligations

Summary

Part 4 of the SOCI Amendment Bill provides the Government with the ability to issue directions to 'address serious deficiencies' that are identified in a responsible entity's risk management program. The amendments also provide the Government with additional administrative oversight steps in respect of a critical infrastructure risk management program.

This amendment empowers the Government to issue written directions to an entity to amend its risk management program where it identifies a 'serious deficiency' (being a deficiency in the risk management program that poses a material risk to national security, the defence of Australia or the social or economic stability of Australia or its people). It also requires that entity to report on the relevant deficiency and the rectification activity employed in its risk management program annual report.

Importantly, the changes also attract new civil penalties where an entity does not comply with an amendment direction issued by the Government.

Commentary

This amendment is consistent with the proposal in the Consultation Paper and is unsurprising given the Government's current risk management program enforcement mechanisms are limited to smaller, technical non-compliances. The new directions power is limited to identified 'serious deficiencies', which in our view is appropriate in the circumstances.

The proposal will limit the Government's ability to interfere with robust risk management programs which may differ in form from the Government's expectations, but will not provide the Government with a compliance enforcement mechanism if the relevant 'gaps' in an entity's risk management program do not pose a material risk to national security, the defence of Australia or the social or economic stability of Australia or its people.

Next steps

Organisations should take proactive measures to ensure compliance and safeguard their operations.

They will need to update their cyber incident response plans, processes and playbooks. This involves revisiting existing protocols, conducting comprehensive training programs for staff and ensuring that all incident response documents are current and robust.

Footnotes

  1. Whilst the exact threshold has yet to be confirmed, the Government has previously indicated it will be $3 million (ie in line with the small business exemption under the Privacy Act).

  2. See Daniels v the ACCC (2002) 213 CLR 543.

  3. See ASIC v Noumi Ltd [2024] FCA 349.

  4. See s39(2) of the Cyber Bill.

  5. See s10 of the Cyber Bill.

  6. See s12 of the Cyber Bill.

  7. See s77 of the Cyber Bill.

  8. See Part 3A of the SOCI Act.

  9. Consultation Paper, page 41.