A Cyber Security Bill 2024 (Cyber Bill) has been tabled in Australia's Federal Parliament. The Cyber Bill sets out a legislative framework to help address broad, whole-of-economy cyber security issues and to enable the Australian Government to respond to new and emerging cyber security threats. It is part of a broader package of Australian cyber security reforms, including in relation to its existing security requirements on Government intelligence and critical infrastructure.
The Cyber Bill proposes a number of cyber security compliance obligations including in relation to the manufacture and supply of smart devices and cyber security incident reporting, which we summarise below. It is worth noting that the Cyber Bill has extra-territorial application and we therefore expect that it will be of interest to New Zealand organisations carrying on business in Australia or that manufacture or supply smart devices to the Australian market.
Summary of key provisions in the Cyber Bill
The Cyber Bill, as currently drafted:
- Mandates that manufacturers and suppliers of smart devices in Australia that are internet- or network-connectable (i.e. IoT devices) must comply with specified security standards. It is not yet clear what these security standards will look like, but they must be effective, proportionate and responsive to changes in technologies and the evolving cyber threat landscape. The explanatory memorandum accompanying the Cyber Bill states that forecasts indicate that each Australian household will have an average of 33.8 smart devices by 2025 and so, depending on how robust the relevant security standards are, they are likely to have some impact on consumers and on Australia's cyber resilience more generally. Non-compliance with the requirements may result in compliance, stop or recall notices.
- Introduces a mandatory reporting requirement for ransomware and cyber extortion payments for organisations carrying on business in Australia. Reports will need to be made to the Australian Cyber Security Centre within 72 hours of a payment being made, or the organisation becoming aware that a payment has been made. There will be restrictions on how the information provided as part of these reports can be shared and used by other Australian Government entities (including regulators).
- Establishes a National Cyber Security Coordinator to coordinate and triage whole-of-government responses to significant cyber security incidents, including collaboration with industry, the private sector and State and Territory governments. The Cyber Bill will also introduce a Cyber Incident Review Board to act as an independent advisory body that conducts no-fault, post-incident reviews of significant cyber security incidents in Australia. The Cyber Incident Review Board will also be able to give recommendations to Government and industry to strengthen Australia's cyber resilience.
What does it mean for us?
The Cyber Bill may well have implications for organisations carrying on business in Australia and/or manufacturing or supplying smart devices in Australia. More generally, the Cyber Bill reflects international trends (including in the United Kingdom and the European Union) and provides an interesting point of comparison for New Zealand's relatively light-touch cyber and data security regulation.
Please get in touch with one of our team if you have any queries.