
Home Affairs to grant businesses cyber ‘safe harbour’ protections

Australian businesses are set to gain new “safe harbour” protections that would allow them to share the details of a cyber attack against them with government cyber agencies without risking that information coming back to bite them in other investigations.

Daniel Croft
Tue, 17 Sep 2024

Late last year, Deputy Prime Minister and Minister of Defence Richard Marles suggested that the government would potentially introduce “safe harbour” legislation, giving businesses the confidence to reach out without the fear of punishment.

“I can understand why companies in that instance want to make sure that whatever ASD comes across is not ultimately then the subject of what any other agency in government might do,” said Minister Marles.

Now, Home Affairs and Cyber Security Minister Tony Burke is set to launch new legislation that will outline new cyber measures, including granting affected businesses a safe harbour for cyber security reporting.


“We will be incentivising industry to share more information about cyber threats via strong limited-use provisions,” Minister Burke is set to state at the second annual The Australian Financial Review Cyber Summit, according to speech notes seen by The AFR.

“In responding to cyber incidents, knowledge is power. These provisions will enable organisations to share information with ASD [Australian Signals Directorate] and the cyber co-ordinator, who can then assist with responses to cyber threats early, without the fear of that information being used in regulatory action against them.”

Alongside the safe harbour, the new legislation will make it mandatory for businesses that pay a ransom above a certain amount to threat actors to disclose how much they have paid and to whom.

In regard to the above mandate and previous discussions about banning ransomware payments, the government said it currently does not have the required understanding to ban them outright or combat the ransomware business model and that the new reporting will assist in developing that understanding.

Additionally, the government is set to launch a Cyber Incident Review Board, which will analyse cyber incidents and the lessons to be learnt from them. Board members are yet to be announced.

Craig Searle - global director, cyber advisory, at Trustwave - says the move is a step in the right direction, "however, there needs to be a consistent yardstick by which Australian corporations can measure themselves in order for directors to then assess the reasonableness of their response and address the concerns raised by the Australian Securities and Investment Commission (ASIC)."

"While the Essential Eight is undoubtedly effective as a set of preventative measures, it is very difficult and expensive even for mature and well-funded organisations to achieve, as evidenced in Australian National Audit Office (ANAO) reports such as 'Management of Cyber Security Supply Chain Risks'. It also does not address response and recovery. This means it is unlikely to be suitable as a nationwide measure of resilience without significant caveats being adopted," Searle said.


UPDATED 18/09/24 to add Trustwave commentary

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
