The Cyber Security Bill 2024 was introduced to the Australian Federal Parliament on 9 October and, if passed, will become the first standalone cyber security act aimed at protecting local businesses and consumers from the rising tide of cyber crime.
It has several potential implications, especially for businesses across Australia:
- Businesses exceeding the turnover threshold will be required to report cyber incidents. As of now, the exact turnover threshold has not been officially finalised. This figure will serve as a pivotal criterion for mandating cyber incident reporting.
- The current iteration of the Bill provides no definitive answer on whether you are required to report if you DO NOT pay the ransom. Businesses may face the dilemma of paying a ransom to recover critical data while also being obligated to report the incident within 72 hours of payment.
- There is some information about protection for the details reported after a breach in this Bill, but it is not intended to be a “safe harbour” from legal liability. In other words, while there may be certain circumstances where businesses can avoid disclosing certain sensitive information, they might still be subject to the overall legal framework governing cyber security and incident reporting.
At this moment, the final details of the Bill are all still under consideration in parliament, but it would be prudent to ensure you have adequate backup strategies and strong cyber security measures in place to avoid this scenario altogether.
Here's a quick summary of the Bill:
- Ransomware payments must be reported if:
  - An incident is a cyber security incident.
  - The incident has a direct or indirect impact on a reporting business entity.
  - A demand for payment is made to benefit from the incident.
  - The reporting business entity, or another entity acting on its behalf, has made a ransomware payment.
- Reporting business entities are defined as:
  - Carrying on a business in Australia.
  - Having an annual turnover exceeding a specified threshold in the previous financial year.
  - Excluding Commonwealth bodies, State bodies, and responsible entities for critical infrastructure assets.
- The turnover threshold triggering reporting is:
  - Not specified in the Bill.
  - Likely to be determined by rules made under the Cyber Security Bill 2024.
- Reports must be submitted within 72 hours of making the ransomware payment or becoming aware of it.
- Reports must include details about the incident, the ransom demand, the payment, and any communication with the extorting entity.
- Information in ransomware payment reports is protected:
  - It can only be used for specific purposes.
  - It is inadmissible in civil or regulatory actions against the reporting entity, except in cases related to the reporting obligations or criminal offences.
This Bill shows that the Australian Government recognises the need for cyber security regulation, and it could be the first of many new requirements organisations may need to meet in the future.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Please consult with an attorney for advice regarding your specific circumstances.