What the New Cyber Security Act Means for Australian Businesses - de.iterate

Practical Steps to Ensure Compliance

The introduction of Australia’s first Cyber Security Act is a pivotal moment in the nation’s efforts to strengthen its digital defences. For Australian businesses, this legislation brings with it new responsibilities, particularly in how they manage cyber security risks, report incidents, and protect sensitive data.

So, what does this mean for Australian businesses, and how can they ensure compliance?

Key Provisions Affecting Businesses

The Cyber Security Act introduces several key measures that businesses must adhere to, regardless of their size or industry. The most notable changes are outlined below.

Mandatory Ransomware Payment Reporting

• What It Is: Entities with an annual turnover above a certain threshold (to be determined) are required to report ransomware payments to the Australian Signals Directorate within 72 hours of payment.
• Why It Matters: This measure aims to track cyber criminal activities and understand the financial impact of ransomware. It also discourages ransom payments by increasing transparency.
• Action Required: Establish internal protocols to report any ransomware payments promptly. Consider developing a ransomware response plan that minimises the likelihood of needing to make such payments.

Security Standards for Connectable Products

• What It Is: Manufacturers and suppliers must ensure that products connecting to the internet or networks (e.g., smartphones, IoT devices) comply with new security standards.
• Why It Matters: This ensures a baseline level of security for devices, protecting both businesses and consumers from vulnerabilities.
• Action Required: Review product lines to ensure compliance with the forthcoming security standards. Implement secure default settings, unique passwords, regular security updates, and data encryption.

Enhanced Obligations for Critical Infrastructure

• What It Is: Organisations in critical sectors must strengthen programs securing individuals’ private data and may face additional risk management requirements.
• Why It Matters: Protecting critical infrastructure is vital for national security and economic stability.
• Action Required: Assess current security measures, update risk management programs, and ensure compliance with the Security of Critical Infrastructure Act enhancements.

Voluntary Reporting and Information Sharing

• What It Is: Businesses impacted by significant cyber security incidents can voluntarily report information to the National Cyber Security Coordinator, with protections limiting how this information is used.
• Why It Matters: Encourages collaboration and information sharing without fear of legal repercussions, enhancing collective cyber resilience.
• Action Required: Develop internal policies to facilitate voluntary reporting when appropriate. Understand the protections in place to safeguard shared information.

Cyber Incident Review Board Cooperation

• What It Is: A new board with the power to conduct no-fault investigations into major cyber incidents and make recommendations.
• Why It Matters: Aims to improve industry-wide practices by learning from significant incidents.
• Action Required: Be prepared to cooperate with investigations. Use insights from published reports to enhance your own cyber security measures.

Practical Steps for Compliance

With the introduction of these new requirements, businesses must take a proactive approach to ensure compliance. Here are some practical steps to get started.

Review and Update Cyber Security Policies

Businesses should review their existing cyber security policies and ensure they are up to date with the new legislative requirements. This includes incorporating mandatory security standards for smart devices and establishing protocols for ransomware payment reporting.

Implement Stronger Cyber Security Measures

Organisations should invest in stronger cyber security tools and practices, such as firewalls, encryption, and multi-factor authentication (MFA). These measures will help mitigate the risk of cyber attacks and ensure compliance with minimum security standards.

Train Employees on Cyber Security Best Practices

Cyber security isn’t just about technology—it’s about people. Providing regular training to employees on cyber security best practices will help reduce the risk of breaches caused by human error.

Establish a Ransomware Response Plan

With ransomware attacks on the rise, businesses should establish a formal ransomware response plan. This plan should outline how to handle attacks, including when and how to report any payments made to the ASD, ensuring compliance with the 72-hour reporting window.

Review Supplier and Partner Compliance

Organisations should assess the cyber security practices of their suppliers and partners, and ensure that any contractual agreements include provisions for compliance with the new legislation.

Engage with Cyber Security Experts

Given the complexities of the new laws, businesses may want to engage with cyber security experts to ensure they are meeting all compliance requirements. This includes conducting regular security audits and risk assessments to identify and address vulnerabilities. If you need help, reach out to de.iterate today.

Looking Ahead

The introduction of the Cyber Security Act marks a turning point in how Australia manages its digital security. For businesses, this legislation provides both challenges and opportunities. By taking the necessary steps to comply, businesses not only reduce their risk of cyber incidents but also demonstrate their commitment to protecting their customers, partners, and operations.

In the coming months, businesses should prepare for the full implementation of the new requirements. While compliance may require investment in new systems and processes, the long-term benefits of a safer, more resilient business environment will be worth it.