The BGA Australia Team, led by Managing Director Michael “Mick” McNeill, wrote an update to clients on the obligations that Australia’s Cyber Security Act imposes on companies.

Context

  • The Albanese Labor government has introduced the Cyber Security Bill 2024, which will impose mandates and obligations on companies in areas such as cyber incident reporting, ransomware and security standards for internet-connected devices. The legislation will apply within and outside of Australia. Cyber Security Minister Tony Burke told Parliament that “Australia needs a clear legislative framework that addresses whole-of-economy cybersecurity issues and positions us to respond to new and emerging threats.”
  • The bill will be referred to the Parliamentary Joint Committee on Intelligence and Security. Minister Burke was appointed to the portfolio in July, and a new chair of the committee, Sen. Raff Ciccone, was elected October 8. The bill implements key initiatives under the 2023-2030 Australian Cyber Security Strategy (see BGA’s November 22, 2023, update here).

Significance

  • The bill establishes the power to mandate security standards for smart devices that are either internet- or network-connectable. The minister will have the ability to mandate security standards for smart devices, which are defined in the bill as relevant connectable products. This is the same definition found in the United Kingdom’s Product Safety and Telecommunications Act 2022. Burke said, “To date, smart devices have not been subject to mandatory cybersecurity standards or regulation in Australia. We’ve fallen behind our international counterparts in this regard.”
  • It also establishes a Cyber Incident Review Board to conduct post-incident reviews into significant cybersecurity incidents. The board will possess limited information-gathering powers only when voluntary requests for information have been unsuccessful. The minister for cybersecurity will have an oversight role in relation to board appointments; however, the board will otherwise be independent. The government has noted positive reviews of the U.S. Cyber Safety Review Board since its establishment in 2022.

Implications

  • Entities affected by cyber incidents will have a mandatory reporting obligation where they receive a ransomware demand and elect to make a payment or give benefits in connection with that cybersecurity incident. Reports will be made to the Department of Home Affairs through a portal administered by the Australian Signals Directorate’s Australian Cyber Security Centre. Burke said this “will help build our understanding of the ransomware threat that continues to cause large-scale harm to the Australian economy and national security.”
  • Entities that have sufficient connections to Australia under international law will also be subject to the act. This includes reporting business entities, as well as manufacturers and suppliers of relevant connectable products, that may be located outside of Australia.

We will continue to keep you updated on developments in Australia as they occur. If you have any comments or questions, please contact BGA Australia Managing Director Michael “Mick” McNeill at mmcneill@bowergroupasia.com.

Best regards,

BGA Australia Team