The federal government has introduced Australia’s inaugural Cyber Security Act as part of a broader legislative push to address rising cyberattacks. This new law is designed to boost the country’s cyber defenses and comes at a time when businesses are increasingly under threat from cybercriminals.
But the introduction of the Act hasn’t been without controversy. While the federal government has highlighted the importance of mandatory cybersecurity standards and ransomware reporting, some industry groups have expressed concerns over the potential compliance burden for businesses.
The lack of a ‘safe harbour’ provision – which would shield businesses from legal action after a cyber incident – has been a red flag for some.
Despite this, the government is pushing forward with the reforms, emphasising the need for strong, clear measures to protect the Australian economy.
So how will the Cyber Security Act 2024 actually work, and how might it affect the day-to-day operations of small businesses?
Mandatory security standards for smart devices
One of the standout measures of the Cyber Security Act 2024 is the introduction of mandatory cybersecurity standards for smart devices. These are also sometimes referred to as internet-of-thing (IoT) devices.
These are internet-connected devices such as security cameras, smart speakers and household appliances. As more devices become connected, they can pose serious security threats. This is because they offer more, often forgotten and unprotected, ways for bad actors to gain access to a network.
What’s new?
Previously, Australia only had voluntary guidelines for securing these devices, but under the proposed changes, the government can mandate specific security standards.
This includes measures such as banning universal default passwords, which have long been an easy target for cybercriminals.
These changes bring Australia in line with international standards, but businesses have raised concerns about the cost and complexity of meeting these new obligations.
How does this affect small businesses?
If your business uses or sells smart devices, you’ll need to ensure they comply with these new security standards.
This may require providing a statement of compliance verifying that your devices meet the new standards.
The Cyber Security Act will require mandatory reporting of ransomware payments
Ransomware attacks are a growing issue for businesses. While you tend to hear about this happening with larger businesses, SMEs are particularly vulnerable due to a lack of the cybersecurity resources and expertise.
The Cyber Security Act is introducing a mandatory reporting requirement for ransomware payments.
This new measure is aimed at creating a clearer picture of the ransomware landscape in Australia due to underreporting, which has been a consistent problem.
What’s new?
If your business is hit by a ransomware attack, and either pays the ransom or offer some other benefit to the bad actor, you will have 72 hours to report the payment to the Department of Home Affairs.
How does this affect small businesses?
You’ll have a relatively short window to report the details of the attack if you were to make a payment.
The government argues this will help it better understand and combat ransomware, however, some business groups have expressed concerns about the practicality of this reporting requirement.
This is of particular concern for some smaller businesses that may not have the resources to comply quickly.
Voluntary information sharing with the government
One of the more business-friendly aspects of the new law is the framework for voluntary information sharing with the government during cyber incidents. The government has acknowledged that some businesses are hesitant to report cyber incidents, fearing legal repercussions or regulatory blowback. To address this, the Act introduces protections around how shared information can be used.
What’s new?
Businesses can voluntarily share information about cyber incidents with the National Cyber Security Coordinator without fear that the information will be used against them. The information will only be used to help resolve the incident and won’t be passed on to other agencies for unrelated regulatory or enforcement actions.
How does this affect small businesses?
Knowing the information won’t be misused should encourage more businesses to report incidents, helping to create a more transparent and collaborative approach to cybersecurity without fear of reprimand or financial penalties.
No ‘safe harbour’ protection for the Cyber Security Act
Despite hopes from industry, the government has not introduced a ‘safe harbour’ provision in the new law.
This would have provided businesses with broad legal protection from fines or lawsuits after a cyber incident, such as failing to meet cybersecurity obligations.
What’s new?
There is no blanket protection for businesses that experience a cyberattack. Even though businesses are encouraged to report incidents and share information, they are still responsible for meeting all their existing legal and regulatory obligations.
How does this affect small businesses?
While voluntary information sharing offers some protection, businesses still need to ensure they comply with the laws that apply to them.
This means that, despite the protections for sharing cyber incident details, companies could still face legal consequences if they fail to meet their cybersecurity obligations before or after an attack. Small businesses will need to be extra vigilant about compliance.
Legal protections for reporting cyber incidents
Although the government rejected the idea of a safe harbour, it has included some protections for businesses that share information voluntarily during cyber incidents.
This ensures information reported to the government about a cyber incident cannot be used in civil or regulatory proceedings against the reporting business.
What’s new?
Any information your business provides to the government under the Cyber Security Act – such as details of a ransomware attack – will not be admissible in legal proceedings, except in cases involving criminal offences like providing false information.
How does this affect small businesses?
This offers at least some peace of mind when reporting incidents, encouraging businesses to be more transparent with the government without fear of facing legal consequences for the information they provide – depending on the circumstances of course.
Say hello to the Cyber Incident Review Board
High-profile cyber attacks, such as the Optus and Medibank breaches, have highlighted the need for better responses to cyber incidents in Australia.
To address this, the proposed law establishes a Cyber Incident Review Board that will review major incidents and provide recommendations to prevent future attacks.
What’s new?
The Review Board will investigate significant cyber incidents and offer advice to both the government and the private sector on how to improve cybersecurity practices.
This aligns with similar bodies in other countries, such as the Cyber Safety Review Board in the US.
How does this affect small businesses?
While the Review Board will focus on larger-scale incidents, the findings, advice and recommendations it publishes could be useful for small business cyber resilience as well.
TLDR: What do small businesses need to know about the Cyber Security Act 2024?
- IoT security standards: Make sure any connected devices your business uses or sells meet the new standards to avoid potential enforcement actions;
- Ransomware reporting: If your business is hit by ransomware, have a plan in place to report payments quickly and accurately within the 72-hour window;
- Volunteer information: Take advantage of the legal protections for sharing information with the National Cyber Security Coordinator, knowing it won’t be used against you if you haven’t broken other laws;
- Cyber Incident Review Board: Keep an eye on the findings from the Cyber Incident Review Board to strengthen your cybersecurity posture; and
- Legal obligations: Without safe harbour laws, it’s crucial to stay compliant with all relevant laws and regulations when responding to cyber incidents.
Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on LinkedIn.
Comments