The Australian government passed the new Cyber Security Act, recently approved by Parliament. This legislation introduces sweeping changes, including the requirement to report ransomware payments within 72 hours and adherence to security protocols for IoT devices.
One of the central provisions of the Australian Cyber Security Act compels organizations to notify the Australian Signals Directorate (ASD) to improve national cyber resilience by providing the ASD with real-time intelligence on ransomware trends, supporting law enforcement efforts to track cyber criminals, and strengthening Australia’s overall cybersecurity posture.Â
The government strongly discourages these payments. Yet, the Act acknowledges that there may be rare circumstances where a fee could be justified.
Importantly, businesses other than small enterprises must comply with this reporting requirement. For businesses, compliance with the Act is non-negotiable.
The law preserves companies' legal rights during the notification process, such as maintaining attorney-client privileges, which reassures organizations regarding safeguarding sensitive communications.
Another critical component of the Act is the introduction of enhanced security standards for Internet of Things (IoT) devices. Manufacturers of smart devices—including televisions, speakers, watches, and doorbells—are now required to adhere to new cybersecurity protocols.Â
These standards include provisions such as implementing unique passwords for all devices, utilizing secure default settings, and encrypting sensitive data. This initiative addresses the growing risks associated with the proliferation of connected technologies and aims to bolster consumer data protection.Â
While the specific details of these requirements are still being finalized, manufacturers must be prepared to align their products with stricter regulations.
The Act also establishes a Cyber Incident Review Board, tasked with evaluating significant cyber incidents that have implications for national security or public welfare. The board’s role is to assess how organizations respond to major cyber events and to provide recommendations for improving future responses.Â
Notably, the board will not assign blame or prejudice the legal rights of the organizations involved. Instead, it will focus on identifying lessons learned to enhance Australia’s collective cyber resilience.
The Cyber Security Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to include data systems associated with critical infrastructure.
Additionally, businesses must continue to comply with existing regulations such as the Privacy Act and the SOCI regime. Directors and executives must weigh the risks associated with making ransom payments, considering both the legal implications and the potential for future targeting.
An IT outage affected some 15,000 car dealerships using CDK services across the U.S. The software provider CDK Global announced its intentions to pay the hefty ransom after the hackers demanded tens of millions for the decryption key in order to mitigate the incident.