iscover
Kace O'NeillShare this article on:
Powered by
MOMENTUM
MEDIA
Cyber Security Minister Tony Burke recently proposed new legislation that would result in the country’s first standalone Cyber Security Act, but how will this affect Australian businesses?
As previously reported on Cyber Daily’s sister brand, Lawyers Weekly, Cyber Security Minister Tony Burke proposed new legislation to the lower house that would result in the country’s first standalone Cyber Security Act.
The new proposed legislation will introduce mandatory reporting for those who paid threat actors ransom, minimum cyber security standards for smart devices, and the establishment of a Cyber Incident Review Board, all as part of seven sections of the 2023–2030 Australian Cyber Security Strategy.
Along with this, the Commonwealth government has released another package of proposed legislation to tackle cyber security issues, following on from recent privacy and AU reforms.
HR Leader recently spoke to Dan Pearce, general counsel at Holding Redlich, about the potential impact the proposed legislation could have on Australian organisations.
Pearce first broke down what the legislation comprises.
“As part of the government’s new package to address cyber security, the proposed Cyber Incident Review Board’s role will be to review and assess major cyber incidents that impact Australia’s defence or cause serious public concern,” said Pearce.
“It will have the authority to request information from affected entities, allowing it to examine how incidents were handled and provide findings that help prevent future occurrences.
“While the board may share its findings with government and industry, any public reporting will not assign fault or prejudice legal rights. Through these reviews, the board aims to improve understanding and prevent similar incidents in the future.”
According to Pearce, the legislation will result in an extension of the Security of Critical Infrastructure Act’s reach to data systems in critical infrastructure.
“Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) will extend the legislation to cover data systems associated with a critical infrastructure asset. The digital networks supporting essential services, such as utilities, healthcare, and finance, are increasingly vulnerable targets in cyber warfare,” said Pearce.
“By expanding the act’s reach, the government will have greater regulatory authority over data systems associated with critical infrastructure warfare that, if compromised, could disrupt national security or public safety.
“Additionally, these changes grant regulators a new power to address significant weaknesses in an entity’s risk management program when national security is at risk. For organisations, this means new obligations to protect these systems and respond to regulatory requirements.”
The proposed legislation also includes a mandatory 72-hour reporting for ransom payments, security standards for smart devices, and other facets that organisations must be aware of.
The legislation puts more of an onus on businesses and organisations to report acts of ransomware payments, for which Pearce believes organisations must strengthen their cyber security measures to ensure that they are able to abide by such regulations.
“The proposed cyber security legislation package introduces new requirements for organisations, especially those managing data systems related to critical infrastructure,” said Pearce.
“To prepare, organisations will need to review and strengthen their cyber security measures to ensure they meet these requirements, such as the new 72-hour deadline for reporting ransomware payments to the Australian Signals Directorate.
“This may involve assessing internal security measures, reviewing incident response plans, and preparing for increased regulatory requirements. By staying informed of these changes, organisations can better position themselves to comply with the legislation and manage potential cyber threats.”
This article was originally published on HR Leader.
Be the first to hear the latest developments in the cyber industry.
