26 November 2024: Australia’s cyber security legislation was passed by both houses of Parliament yesterday as part of a package of legislative reforms, which were expedited following the recommendations of the Parliamentary Joint Committee on Intelligence and Security. The package comprises the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024.
The key measures of the Cyber Security Act 2024 include:
- A mandatory reporting obligation for entities that receive a ransomware demand and make a payment in connection with that cyber security incident: the payment must be reported within 72 hours of being made;
- A ‘limited use’ obligation that restricts how information voluntarily provided to the National Cyber Security Coordinator (NCSC) during a cyber incident can be used, including preventing it from being passed to another Commonwealth body for investigation or enforcement purposes unrelated to the Act;
- The establishment of a Cyber Incident Review Board (CIRB) to conduct no-fault post-incident reviews of significant cyber security incidents. The Board is modelled on similar bodies, including the U.S. Cyber Safety Review Board, and will also make recommendations to both government and organisations to enhance Australia’s cyber resilience;
- A power for the government to establish mandatory security standards for smart devices. The aim is to bring Australia into line with international best practice and enhance consumer security, for example by prohibiting universal default passwords on smart devices.