Navigating the Incoming Cyber Reforms: A CISO’s Guide

Cyber Security Strategy

Published by Hema Berggren, Strategy and Consulting on 23 October 2024


The Federal Government released a landmark legislative package to uplift cyber security regulation in accordance with the 2023-2030 Australian Cyber Security Strategy. The package proposes a new standalone Cyber Security Bill 2024 (Cyber Security Bill) and material amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).

Translating cyber regulatory requirements into effective cyber controls across people, processes, and technology is challenging. It requires careful analysis and planning to align compliance requirements with practical cyber security measures and organisational risk management practices.


Cyber Security Bill

New secure-by-design standards will be imposed on the manufacturers of IoT devices. 
  • What? The Minister will mandate cyber security standards via Ministerial rules for ‘relevant connectable products’ (e.g., IoT and smart devices). The manufacturers of ‘relevant connectable products’ will need to comply with the security standard requirements for the relevant product. 
  • Why? Many IoT devices rely on open interfaces, run on low-processing power and are not designed with cyber security capabilities. These devices are often vulnerable to compromise and form part of an organisation’s attack surface. 
  • Next steps? The Government has not released the draft rules. It is possible the rules will impose restrictions on weak default settings (such as generic, duplicated or weak passwords), and increase protections for personal data.


Certain businesses will be required to mandatorily report ransomware payments. 
  • What? This obligation will apply to a ‘reporting business entity’. This means an entity carrying on business in Australia with an annual turnover exceeding a specified threshold, or a responsible entity for critical infrastructure with obligations under Part 2B of the SOCI Act. These entities will be required to give a designated Commonwealth body a report within 72 hours of making a ransomware payment.
  • Why? The current reporting of ransomware and cyber extortion is limited. The Government wants to improve its visibility over the scope and impact of these attacks.
  • Next steps? CISOs should update their ransomware playbooks to include steps to prepare and deliver a mandatory ransomware payment report. This playbook will need to be tested to ensure it integrates into wider cyber incident response plans. 


Organisations can voluntarily report information to a National Cyber Security Coordinator (Coordinator).
  • What? The Cyber Security Bill legislates the role of the Coordinator in relation to cyber security incidents. The Coordinator’s role is to lead whole-of-Government coordination and triage actions to respond to ‘major cyber security incidents’. In some circumstances, information provided to the Commissioner will be covered by ‘limited use’ provisions. These are intended to restrict how the Coordinator can on-share and use the information across Government.
  • Why? There is concern that engagement between industry and Government during cyber incidents has reduced. The ‘limited use’ regime is designed to manage industry concerns that sharing information with Government creates exposure to regulatory action and legal proceedings. 
  • Next steps? CISOs should update their cyber incident stakeholder mapping to include the Coordinator. This should include identifying the person(s) responsible for engaging the Coordinator during an incident.


A new Cyber Incident Review Board (CIRB) will conduct post-incident reviews of significant cyber security events.
  • What? The CIRB will act as an independent, advisory board to review significant cyber security incidents and compile reports. The reports will include recommendations to Government and industry.
  • Why? The Government does not have a consistent method of gathering information about the actions that could have been taken to prevent, detect, respond to or minimise the impact of cyber security incidents.
  • Next steps? CISOs should ensure their own post-incident review process captures the types of information that CIRB may require.


SOCI Act Amendments

Data storage systems that hold ‘business critical data’ will be treated as part of the critical infrastructure asset. 
  • What? A data storage system will form part of a critical infrastructure asset when it is used in connection with the main asset, stores or processes ‘business critical data’, and impacts to the system could have a ‘relevant impact’ on the critical infrastructure asset. The positive security obligations imposed on critical infrastructure assets will extend to cover these data storage systems. 
  • Why? This amendment addresses uncertainty about whether the positive security obligations extend to the technologies and systems which enable critical infrastructure assets to operate. 
  • Next steps? CISOs should ensure that their organisations maintain a comprehensive register of their data storage systems. This will involve identifying operational systems which hold ‘business critical data’, then assessing whether vulnerabilities in that system could have a ‘relevant impact’ on the critical infrastructure asset.


There is a revised definition of ‘protected information’.
  • What? The amendments clarify that ‘protected information’ includes a document or information which would or could cause harm to the defence of Australia or to the social or economic stability of Australia, which contains confidential commercial information, or which prejudices the security of the critical infrastructure asset.
  • Why? The current definition of ‘protected information’ includes a broader suite of information relating to critical infrastructure assets. It has challenged the ability of responsible entities to share information with their employees, contractors and Government. 
  • Next steps? CISOs should ensure the revised definition of ‘protected information’ is incorporated into information classification and handling policies and practices.


The Government can issue a direction to vary Critical Infrastructure Risk Management Programs (CIRMPs). 
  • What? A relevant official may give a responsible entity a written direction to vary the entity’s CIRMP to address one or more serious deficiencies. 
  • Why? The Department of Home Affairs has indicated that it intends to have a stronger assurance and audit focus for the CIRMP obligations. 
  • Next steps? CISOs should ensure their CIRMP and cyber and information security risk management practices align to the requirements in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023.


The existing Government Assistance Framework has expanded. 
  • What? The current Government Assistance Framework empowers the Government to respond to ‘serious cyber security incidents’. The amendment removes some references to ‘cyber’. This expands the Government Assistance Framework to cover non-cyber incidents and to manage the consequential impacts of incidents on other critical infrastructure assets.
  • Why? The amendment enables Government to support non-cyber incidents (e.g., terrorism events and natural disasters). 
  • Next steps? CISOs should clearly identify key personnel who could engage with Government during any type of serious incident which could have a ‘relevant impact’ on a critical infrastructure asset.


The SOCI Act obligations have been expanded to include telcos. 

The amendments incorporate elements of the Telecommunications Sector Security Reforms (TSSR) into the SOCI Act. For more information, see our latest insight here.
