Australia has traditionally lagged the rest of the world when it comes to cyber security legislation. The Notifiable Data Breaches scheme, in place since February 2018, requires that data breaches involving individuals' personal information be reported to the Office of the Australian Information Commissioner (OAIC), but only recently has Australia gained dedicated cyber legislation.
In November 2023 the Cyber Security Legislative Package was formed. The 2023-2030 Australian Cyber Security Strategy is the roadmap to realise the Australian Government's vision of becoming a world leader in cyber security by 2030.
As part of this strategy, on 29 November 2024 the Cyber Security Act 2024 received Royal Assent and became law.
What You Need to Know
- Ensure Cyber Security Standards For Smart Devices Are Set: Manufacturers and suppliers of smart devices in Australia must ensure that their devices meet the specified security standards relevant to that product, and must provide a statement of compliance to the regulator.
The regulator may then conduct testing to verify the statement of compliance. If a device fails to comply, the regulator may publish a notice in the public domain, which could cause reputational damage.
- Mandatory Ransomware Payment Reporting: Entities carrying on a business in Australia with revenue over $3M must report any ransom paid to a threat actor.
The report must be made within 72 hours of the ransomware payment being made. The entity making the payment is liable irrespective of how the attack occurred, including where the attack came via a third-party organisation.
- Limited Use for the National Cyber Security Coordinator: This component of the Cyber Security Act establishes a limited use obligation on the National Cyber Security Coordinator, giving affected businesses confidence that information they share will not be passed to regulators or law enforcement for use in regulatory or law enforcement proceedings, unless the affected business has committed a criminal offence.
- Cyber Incident Review Board: An independent statutory advisory body will conduct no-fault, post-incident reviews of significant cyber security incidents in Australia and make recommendations to the government on actions to prevent, detect, respond to or minimise the impact of similar incidents in the future.
How to Protect Your Organisation
- Regular Cyber Risk Assessments: Identify vulnerabilities through comprehensive assessments to stay ahead of potential threats and ensure mitigation strategies are up to date.
- Strong Incident Response Plans: A clear, tested incident response strategy can turn a potential crisis into a manageable situation, reducing both impact and cost.
- Keep Software and Systems Updated: Regularly update all software and systems to protect against known vulnerabilities. This includes applying patches and updates as soon as they are available.
- Threat Intelligence: Ensure the collection, analysis, and application of information about potential and existing cyber threats. This helps organisations anticipate, detect, and respond to cyber threats more effectively.
- Understand Your Third-Party and Supply Chain Risks: Third-party relationships may give threat actors an easier pathway into an organisation's systems and networks. Vetting supply chain partners' cyber security resilience and capability, including their assurance of identity and access management, governance and risk management, and information asset management, will help you understand partner and supplier weaknesses and potential risk vectors.
What Happens If You Don’t Act
Failing to meet legislated expectations can expose your organisation to regulatory and legal risks, with potential fines and severe reputational damage. Customers and stakeholders expect robust data protection, and any failure in this area can significantly tarnish your brand’s credibility.
It is important to recognise that any information contained in this document, or in the links shared, is general in nature and does not constitute legal advice. Readers are encouraged to obtain legal advice that applies to their particular circumstances.
How blueAPACHE Can Support You
At blueAPACHE, we support our clients by helping them build a robust risk management framework that adequately addresses their security risks and ensures controls are implemented to protect their key assets, thereby enhancing their cyber resilience.
blueAPACHE helps our clients with scenario-based simulations to assess response and recovery processes, with gaps identified for improvement and remediation.
Complementing this, our ISO 27001-certified practices across our entire emPOWER portfolio ensure that our infrastructure meets the highest standards of information security. This certification demonstrates our commitment to maintaining rigorous cyber security measures and helps you align with compliance requirements.
Our vCISO (Virtual Chief Information Security Officer) capability provides cost-effective, strategic oversight tailored to your organisation's needs. This service helps you remain compliant, resilient, and prepared to navigate today's complex regulatory landscape.
For further assistance or to discuss your cybersecurity needs, please reach out to us here.