Cyber Security Act

Cyber Security Act 2024

Lieutenant General Michelle McGuinness CSC, Australia’s National Cyber Security Coordinator and Hamish Hansford, Deputy Secretary of Cyber and Infrastructure Security Group, discuss the four key measures of Australia’s first Cyber Security Act.


Michelle McGuinness CSC:

The Australian Government has introduced Australia’s first Cyber Security Act – a key step forward in uplifting Australia’s cyber security and the resilience of our critical infrastructure.

This is a large part of implementing the Cyber Security Strategy, addressing gaps in previous legislation to bring us in line with international best practice and ensure Australia is on track to become a global leader in cyber security by 2030.

Hamish Hansford:

So the Cyber Security Act does four things. Firstly it mandates minimum cyber security standards for smart devices and connectable products. So what are they? They are everything from baby monitors to smart watches, and manufacturers and suppliers of these products will be responsible for complying with the minimum standards and then be able to provide a statement of compliance to supply these goods in the Australian economy. So that’s a really big and important change. And it’s an important change because it will better protect Australian consumers and make us rely on secure products.

The second thing that the Act will do is establish mandatory ransomware reporting for certain businesses. And this is really because we don’t understand the true nature and quantum of payment to criminals and for people who are victims of cybercrime, and this reporting requirement really does get us to understand the basis of the quantum in the economy, but also who is reporting, so we can better help you, better understand the threat landscape and tailor advice back to you, so that we can be continuously improving and disrupting the ransomware business model.

Michelle McGuinness CSC:

The third aspect is a Limited Use obligation that has been established under the Cyber Security Act for me and my team, as the National Cyber Security Coordinator, to clarify and control how information provided voluntarily during a cyber incident may be shared or used.

This Limited Use provision will better enable me to lead whole-of-Government coordination in response, particularly to significant cyber security incidents, by providing assurance to impacted entities that information they share won’t be used for civil or regulatory action. It will improve my team’s ability to assist entities, particularly in the early days of an incident response.

The final key feature of the Cyber Security Act is the establishment of the Cyber Incident Review Board. The Board will be empowered to conduct independent, no-fault, post-incident reviews of significant cyber security incidents.

The Board will issue findings and make concrete recommendations to aid in the prevention, detection, response and minimisation of future cyber incidents across our economy.

Independent in the performance of its functions and exercise of power, the Board will not interfere with ongoing incident response or regulatory, operational or law enforcement processes that will be surrounding the same incident.

Hamish Hansford:

And so through the efforts of government, and industry and indeed the community working together, we’re going to be really well positioned to try and prevent and respond to some of the threats that we will face over the coming years, and the Cyber Security Act is a really important component in this work.

Michelle McGuinness CSC:

You can find out more about the Cyber Security Act, including some really helpful factsheets at our website: homeaffairs.gov.au/cybersecurity.

On 29 November 2024, the Cyber Security Act 2024 received Royal Assent and became law.

The Cyber Security Act is part of the Cyber Security Legislative Package, which implements 7 initiatives under the 2023-2030 Australian Cyber Security Strategy.

The legislative package was informed by an extensive consultation process. This includes:

  • the release of the Cyber Security Legislative Reforms Consultation Paper in December 2023
  • targeted consultation on an Exposure Draft package in September 2024.

The Act addresses legislative gaps to bring Australia in line with international best practice, ensuring Australia is on track to become a global leader in cyber security.

The Cyber Security Act includes measures to:

  • mandate minimum cyber security standards for smart devices
  • introduce a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments
  • introduce a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents
  • establish a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned

Factsheets

Find out more about each measure in these factsheets:

Cyber Security Rules – Consultation

Subordinate legislation in the form of Rules is required to give effect to some of the measures under the Cyber Security Act 2024. The Department is conducting public consultation to develop these Rules from 16 December 2024 to 13 February 2025.

For more information on the submission process, visit Consultation on Subordinate Legislation. You can provide your submission to consultation on the subordinate legislation to the Cyber Security Act 2024 and Security of Critical Infrastructure Act 2018 until 5pm AEDT, Friday 14 February 2025 via the consultation submission form.


The draft Rules and Explanatory Documents are linked here:

For more information and to make a submission, visit the Cyber Security Legislative Package – Consultation webpage.