On November 25, 2024, the Australian Parliament passed significant reforms to bolster the nation’s cyber security posture, forming part of a strategic effort to position Australia as a global leader in cyber security by 2030.
The new laws include the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the Security of Critical Infrastructure Amendment Act 2024.

Key provisions in these reforms include the introduction of mandatory cyber security standards for smart devices, the requirement for certain businesses to report ransom payments, and the establishment of a Cyber Incident Review Board (CIRB) to analyze major cyber incidents and recommend improvements. Additionally, the reforms enhance the government’s ability to assist critical infrastructure during disruptions, expand information-sharing between industry and government, and refine the security framework for telecommunications.
These measures aim to close existing legislative gaps, promote better cyber incident management, and ensure Australia’s preparedness in the face of evolving cyber threats.
Key measures in the reforms include:
- Mandatory cyber security standards for smart devices to protect consumers.
- Requirements for certain businesses to report ransom payments to improve threat intelligence.
- A new “limited use” rule for the National Cyber Security Coordinator and the Australian Signals Directorate to facilitate faster information sharing during cyber incidents.
- The creation of a Cyber Incident Review Board (CIRB) for post-incident reviews and recommendations.
We reached out to industry experts to gather their insights on the recently passed Cyber Security reforms:
Simon Howe, Area Vice President – ANZ, ExtraHop
“The Cyber Security Act embraces collaborative efforts and fosters a culture of cyber resilience. It provides a robust framework to further advance the priority and focus of cyber security within Australian organisations. Mandatory reporting of ransomware payments is a material change which will provide consumers and businesses with transparency in their dealings with organisations.
“The expansion of assets captured under the SOCI Act will also further reinforce resilience in critical infrastructure and government agencies operating in the region. With more opportunities and guardrails to reduce cyber risk and ensure smooth operation of essential services, the Cyber Security Act will bolster Australia’s well-being.”
Christopher Hills, Chief Security Strategist, BeyondTrust
The Australian Federal Government’s comprehensive cyber security legislation outlined in the reforms on 25 November 2024 shows progress towards its commitment to maturing cybersecurity reform to protect against cyber crime. However, it still leaves several pockets of question that need to be addressed.
In regards to Security Standards of IoT devices and the Minister having power to mandate security standards, the legislative rules are still to be detailed, leaving this area still open in regards to what the standards are or will be. In terms of requiring suppliers to provide a statement of compliance, what this means in practice is still to be determined. With several compliance standards already in place around the world across several industries, cyber incidents, crime, and breaches still occur even for those entities who follow or meet compliance mandates. The success of the security standards of and for IoT devices will hinge on how well the standard will be detailed and how well the compliance mandates will be enforced.
With regards to Cyber Incident Review Boards, although the current state is by voluntary request which has proven unsuccessful, in order to be effective, they must outline specific requirements and there must be accountability in terms of how the review board chooses to enforce. This will ultimately result in additional cost, time, and effort in order to successfully accomplish, leaving that burden to whom? The business, people, organisation, or government?
The mandatory reporting of ransomware payments is another step in the right direction, but its success will depend on the execution and how it will provide accountability. While it outlines broadly any organisation who is responsible for critical infrastructure, where is the line drawn and who ultimately is making that decision for what is considered critical infrastructure vs what is not? Additionally, when it comes to the private sector and designation of annual $3 million, this might just paint a target for threat actors and how they choose to target entities, presuming they now can potentially aim for targets valued at less than $3 million.
While there are several good pieces that can be taken away from this, the modernisation of government to establish cyber security legislation is a step in the right direction. Its success will be in its ability to continue defining, executing, and holding accountable moving forward. It is one thing to put legislation in place, upholding it is another.
Pieter Danhieux, Co-Founder and CEO, Secure Code Warrior
Australia’s new Cyber Security Act (2024) is a vital step forward in protecting our critical infrastructure and assets. With state-sponsored cyber threats, organised cyber crime and espionage on the rise all over the world, now is the time for us to abandon complacency and move forward together with a precision, preventative approach to securing our digital future.
In addition, the new regulatory guidance surrounding the security of IoT devices has been a long time coming, but signals a global trend towards manufacturer accountability for insecure software. Enforcement of compliance and transparency are crucial steps in the right direction, but ultimately, software vendors need to embrace their role in leading the charge against exploitable vulnerabilities by investing in security upskilling for developers, and managing the inherent risk untrained personnel bring to the table. With DevSecOps dictating that security is a shared responsibility, enablement and ongoing guidance should be central to every enterprise security program and beyond.
Gareth Cox, Vice President Sales APJ, Exabeam
Exabeam is encouraged by the progress of cyber security reform in Australia and the framework put in place with the new Cyber Security Act. Exabeam’s Threat Detection Incident Response Survey launched in conjunction with IDC earlier this year found that 60% of companies stated they only had 62% visibility into their IT environments.
Increasingly, in order to adhere to the new legislation, organisations will need to call upon the expert guidance of vendors and consultants to support deployment of a data-driven, multi-layer cyber security strategy for aspects of the legislation such as critical infrastructure security and IoT device security which will require proactive threat detection, incident response and overall data governance.
Anthony Daniel, Regional Director Australia, New Zealand and the Pacific Islands, WatchGuard Technologies
The introduction of these new cybersecurity reforms by the Australian Federal Government is a significant development for businesses across the country. With the increasing frequency and sophistication of cyber threats, it’s critical that organisations not only meet the new compliance requirements but also adopt a proactive, risk-based approach to cybersecurity.
The legislation’s emphasis on mandatory reporting of cyber incidents, as well as stronger obligations for protecting critical infrastructure, will require businesses to invest in robust cybersecurity frameworks, threat detection systems, and incident response plans. For many organisations, this will mean revisiting their cybersecurity posture and ensuring that they are prepared to handle emerging risks.
While the reforms present challenges, they also provide an opportunity for Australian businesses to align with global best practices and build resilience against cyberattacks. The regulatory landscape will likely continue to evolve, and companies that prioritise cybersecurity as a core business function will be better positioned to manage the risks and benefits of an increasingly digital world. Ultimately, this legislation is a wake-up call for Australian businesses to take a more proactive stance on cybersecurity, not only to comply with the law but to protect their reputation, assets, and customer trust in a rapidly changing threat landscape.
Ashwin Ram, Cyber Security Evangelist, Office of the CTO, Check Point Software Technologies
The Cyber Security Bill 2024 represents a step forward in helping Australian organisations enhance their cyber resilience.
One of the key areas covered in this Bill is the introduction of compliance with security standards for smart devices. This is particularly critical as last year the Check Point Research Team recently reported a 41% increase in the average number of weekly attacks per organisation targeting IoT devices compared to previous years, a trend that is likely to persist. With 63% of enterprises, 92% of industrial organisations, and 82% of healthcare organisations relying on IoT, networks are inundated with unmanaged IoT devices, each serving as a potential entry point for hackers and exposing companies to cyber-attacks.
Securing IoT devices is challenging due to the diverse vulnerabilities they present, such as legacy operating systems, hardcoded or weak passwords, and unpatched software. The Cyber Security Bill 2024 is attempting to address some of these issues by mandating that manufacturers ensure devices meet security standards if they are intended for sale in Australia, while also requiring them to provide necessary documentation and security features. Additionally, suppliers will only be permitted to sell devices that comply with these standards. These measures collectively aim to close critical security gaps for internet connected devices used in Australia.
Another key provision of this bill requires entities affected by ransomware incidents to report payments made to cyber extortionists within 72 hours. This requirement is designed to improve transparency and enable a more coordinated response to such threats. Businesses will need to provide detailed information, including the payment made, the nature and impact of the cybersecurity incident, the extortion demand, and any communications with the threat actor about the incident or payments. As a result, Australian organisations must review and update their incident response playbooks and refine their reporting processes to ensure they can efficiently collect and share ransom payment information with the relevant Commonwealth body.
Osh Ranaweera, Connect and Secure Solutions Manager, Atturra
With the recent updates to the Australian Cyber Security Bill, it’s clear that the Australian government is focusing heavily on national security. The introduction of IoT security standards and cyber incident security reporting reinforces this focus with the legislation zooming in on the importance of where data lives. Indeed, network and service provider security incidents that were part of the Telecommunications Act 1997 and consolidated under the SOCI Act outline these efforts.
Today, businesses play a critical role in the leakage of sensitive data and this is of importance to national security. A major emphasis now on SOCI will ensure that business data security is regulated and governed and this can only be of benefit to the country, businesses and consumers.
Morey Haber, Chief Security Advisor, BeyondTrust
Australia’s recent enactment of comprehensive cyber security legislation marks an incremental advancement in protecting the nation’s digital infrastructure. This legislation introduces mandatory reporting of cyber incidents, establishes stringent penalties for non-compliance, and defines clear responsibilities for organisations. These measures are essential for any cybersecurity maturity model and are intended to strengthen Australia’s electronic defenses against the escalating frequency and sophistication of cyber-attacks.
However, the legislation’s coverage could be enhanced by providing clear definitions in several key areas:
- Critical Infrastructure: The current definition encompasses sectors like energy, water, and transportation. This may not be sufficient as the digital landscape advances. Indeed, it is imperative to broaden this scope to include emerging sectors such as cloud service providers, data centres, financial organisations, and medical care services. These entities are integral to national security and economic stability of every nation, and their inclusion by definition would help ensure a more comprehensive approach for the situation.
- Internet of Things (IoT): The legislation should expand IoT devices to include OT (Operational Technology) as well. Attacks against manufacturing and physical automation devices are increasingly prevalent and often vulnerable to cyberattacks due to simplicity, age, and lack of best practices like patch management. By establishing specific security standards and protocols for IoT and OT devices, future legislation can mitigate attack vectors, thereby enhancing overall cyber-security.
- Ransomware: While the legislation has specific requirements for disclosure of ransomware payments, it is a well-established security best practice to never pay a ransomware settlement. Organisations should strive to mitigate the risks of ransomware by following the Essential Eight and verify disciplines like Backup / Recover, Privileged Access Management, Least Privileged Access, and Application Control all work correctly to avoid a ransomware incident. While disclosure may be required, more focus should be focused on prevention and recovery versus details of disclosure if all appropriate steps are taken first.