Australia's New Cybersecurity Laws: Are Australian Businesses Ready for the 72-Hour Ransom Reporting Deadline?
Cyber Ethos
Cyber threats evolve—are you ready? We help businesses stay ahead with strategies that protect, adapt, and future-proof.
As cyber threats become the norm, Australia has finally taken the bold step of introducing its first stand-alone Cyber Security Act. The Hon Tony Burke MP, the minister responsible for cyber security, is promoting this ground-breaking policy with the intention of strengthening national security priorities and coordinating cyber security practices across sectors. For businesses operating in Australia, the Act is a watershed moment: it sets operational standards, imposes key obligations and closes long-standing loopholes.
I thought about two questions up front as I read the Act:
1) What does this law mean for Australian businesses?
2) How should they go about responding to these changes?
In this issue, I’ll look at the provisions of the Act, why it is needed, its likely effects, and what Australian businesses need to have in place to roll out the changes and become more cyber-resilient.
An Overview of Australia’s First Cyber Security Act
Australia has made history by adopting a stand-alone cyber security law, which raises the bar for resilience and transparency in the face of advanced attacks. Cyber security has always been an embedded requirement; however, the relevant provisions were previously scattered across different Acts, making the framework somewhat decentralised. This Act is an attempt to bring order out of that fragmentation.
The Act is integrated into the Australian Cyber Security Strategy for the period 2023-2030 and contains seven fundamental elements aimed at improving national security and safeguarding essential assets. Among other things, the legislation creates a Cyber Incident Review Board (CIRB), introduces an obligation to notify when a ransom is paid, and sets minimum cyber security protections for smart devices. Together, these measures seek to reduce weaknesses, prevent incidents from recurring and promote security literacy across sectors.
The Role of the Cyber Incident Review Board (CIRB)
The establishment of the Cyber Incident Review Board (CIRB) is one of the key elements of the new law. The Board will review cyber incidents that could affect Australian national security or raise substantial public concern. In that role, the Board has the authority to require organisations affected by a cyber incident to submit detailed reports on how the incident occurred and how it was subsequently managed.
These reviews should be valuable to both government and industry, since they will show how security can be improved within an organisation. Looking ahead, the Board’s findings are intended to prevent the same kind of breach from being repeated elsewhere.
Expanding the focus of the SOCI Act to include critical infrastructure data systems
Another major development in the new legislation is the amendment of the Security of Critical Infrastructure Act (SOCI Act) to include the data systems that support critical services. The SOCI Act, which came into effect in 2018, took a narrower view, focusing on the physical and operational security of critical infrastructure. However, essential services such as energy, healthcare and finance depend on digital networks, and cybercriminals who infiltrate those networks can compromise the critical services that rely on them.
For the first time, the Act brings organisations that control data systems relevant to critical infrastructure under regulation. The measure gives the government far-reaching powers over digital networks whose compromise could endanger the lives of citizens or create security threats at a national level.
With the SOCI Act extended to data systems, the government can now impose heightened cyber security measures on sectors that are relatively ‘soft’ targets in a cyber conflict.
Organisations in these sectors should take note that the amendment now establishes hefty penalties for failing to protect their data systems. Corporations will have to change their perspective and become more secure. In other words, leaving loopholes open is no longer an option, since government agencies will now have the authority to fill any gaps in risk management programs where Australia’s national security is a concern.
Compulsory notification within 72 hours of all ransom payments made during cyber incidents
To regulate how businesses respond to cybercrime, the Act requires businesses and organisations that have made a ransom payment to cybercriminals to report it to the relevant authorities within 72 hours of making the payment. This provision is aimed at organisations operating data systems that sustain Australia’s critical infrastructure. It is part of a wider plan to counter ransomware attacks and to discourage companies from paying ransoms, which only encourages cybercriminals.
This shifts the dynamics of cyber security: most organisations have been reluctant to come forward and report a ransomware attack for fear of reputational damage. The law places the onus on businesses and mandates that they notify the ASD, the ACSC and relevant law enforcement authorities within the designated period if a ransomware payment has been made.
In other words, businesses will need to ensure that their communication and response mechanisms work effectively during a cyber security incident.
I encourage you to review your Cybersecurity Incident Response Plan if you have one.
Cybersecurity Considerations for Smart Devices
The growth of the Internet of Things (IoT) has undoubtedly made smart devices easier to adopt in businesses. These could be GPS trackers, Internet-connected cameras, or other smart devices. Most of these devices are poorly secured. In this respect, the law now requires that smart devices imported into the Australian market have appropriate security features that adequately protect them from cyber threats.
This provision makes it mandatory for manufacturers to build certain basic security features into smart devices before they are sold to businesses or consumers. By putting these requirements in place, the government intends to contain the threats posed by IoT devices, and to do so early.
Business Strategies Against These Changes
The launch of the Cyber Security Act strongly encourages organisations to revise their operational cyber security strategies and update them in line with the new requirements. Suitable actions include, among others:
1. Carry out an extensive assessment of the cyber security prevailing in your organisation: Assessing your level of cyber security enables your organisation to pinpoint weaknesses before a cybercriminal does.
2. Review and update your risk management approach: Although I never recommend that any business pay a ransom (not to forget it’s not legal), ultimately it’s a business decision. The business should now be aware of the requirement to report ransom payments within 72 hours.
3. Conduct regular staff training and awareness: Training employees is an important factor in any cyber security strategy. Organisations need to offer consistent training on issues like threats, incident reporting mechanisms, and strategies for securing sensitive information.
4. Consult with professionals in cybersecurity: Because the new regulations are complicated, organisations should seek assistance from qualified cyber security professionals who can help with compliance and with applying proper security controls.
5. Always check which regulations are currently in force: Cyber security is a dynamic discipline, and keeping up with new laws will help companies remain compliant and reduce the risk from emerging threats.
The above steps will help your organisation comply with the Cyber Security Act and improve its resilience against cyber security threats.
Towards The Future: Fostering a Cyber Resilience Culture
Australia's new Cyber Security Act is not just a regulatory milestone; it stands as a model for nations worldwide, setting the bar high for corporate transparency, responsibility, and resilience in the face of growing cyber threats. For businesses, this is more than a compliance requirement—it’s an opportunity to cultivate a culture of proactive defence, accountability, and security in the digital age.
As we move further into an increasingly digital world, the significance of robust cybersecurity will only intensify. Australia is leading the charge towards a safer, more secure future, with businesses playing a pivotal role in safeguarding the nation’s critical assets against cyber risks.
For Australian organisations, the message is clear: cybersecurity is no longer a matter of choice but an executive imperative. In this new era of rapid digital transformation, the organisations that rise to the challenge today will be the ones that thrive in the future—setting the pace for growth and innovation in a secure, resilient landscape.
If you are concerned about how the new cybersecurity laws impact your business, let's have a chat.
Until we meet again, stay cyber safe!
Signing Off
Dr Kiran Kewalramani
Cyber Ethos - CEO
1800 CETHOS (1800 238 467)