New Cyber Laws Impose New Business Obligations
16 Oct 2024
Australia’s federal government last week introduced much-anticipated legislation to parliament which will revolutionise Australia’s cyber security preparedness. If passed as expected, the new laws will impose new compliance and reporting requirements on local businesses.
Govt Intent
Designed to protect businesses and consumers from the growing scourge of cyber crime, the Cyber Security Act 2024 is Australia’s first standalone cyber security legislation.
Introducing the Act, Minister for Cyber Security Tony Burke said that, like IT systems themselves, legislation needed to be hardened to protect national security and economic stability. He described the package as providing a clear legislative framework for contemporary, whole-of-economy issues, one that would identify and respond to new and emerging cyber threats.
Seven Initiatives
There are seven initiatives under the 2023-2030 Australian Cyber Security Strategy which collectively address gaps in current legislation to:
• Mandate minimum cyber security standards for smart devices;
• Introduce mandatory reporting of ransom payments by certain businesses;
• Introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate; and
• Establish a Cyber Incident Review Board.
SOCI Reforms
The legislation will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act):
• Clarifying existing obligations in relation to systems holding business critical data;
• Simplifying information sharing across industry and Government;
• Introducing Government powers to direct entities to address serious deficiencies within their risk management programs; and
• Moving regulation for the security of telecommunications into the SOCI Act.
The SOCI Act reforms will also expand current Government assistance measures to ensure Government can step in as a last resort to manage the consequences of significant incidents.
Govt Empowered
Changes to government assistance measures will empower the Government to gather information or direct entities to take or refrain from certain actions, on authorisation from the Minister for Home Affairs, in response to a serious incident.
Characterising the legislation as a significant step towards his government’s vision of becoming a world leader in cyber security by 2030, Tony Burke said:
“We know government has to lead the way on cyber, but we also know we can’t do it alone. This is why these new laws have been consulted extensively with business.
“To achieve Australia’s vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community.”
New Business Obligations
Legal firm A&O Shearman cautioned that the new Cyber Bill will introduce several new critical areas of compliance and reporting. It said businesses must take heed of these new obligations, and ensure they put in place robust cyber security measures.
• Ransomware Reporting Obligations: Entities impacted by cyber security incidents and making ransomware payments must report these payments within 72 hours. The aim of this obligation is to improve the detection and response to ransomware incidents, thereby reducing their impact. Failure to report can result in civil penalties.
• Security Standards for Smart Devices: The Cyber Bill mandates that manufacturers and suppliers of smart devices comply with specified security standards. This is crucial for businesses involved in the production or distribution of smart devices. Non-compliance can result in compliance notices, stop notices, and recall notices. These measures are designed to ensure that smart devices are secure and do not pose a risk to users.
• Protected or Limited Use of Incident Information: The Cyber Bill includes provisions to ensure that information provided about cyber security incidents is used or disclosed only for permitted purposes, with strict limitations on using this information for civil or regulatory actions against the reporting entity.
• Cyber Incident Review Board: The Cyber Bill establishes a Cyber Incident Review Board tasked with reviewing certain cyber security incidents and making recommendations. The Board has the authority to request and require documents from entities. Non-compliance may result in civil penalties.
A&O Shearman said organisations should make sure they implement security standards in compliance with the specified security measures currently provided for in the Cyber Bill, and make sure they can comply with the ransomware reporting obligations, including the timelines foreseen in the Cyber Bill.
Meeting New Requirements
Criminal syndicates target organisations which haven’t adequately protected their data transfers and systems access. Defending against them requires a multi-layered strategy which includes robust data transfer protection, multifactor authentication and employee training.
Managed File Transfer (MFT) solutions such as the class-leading GoAnywhere MFT encrypt data at rest and in transit, complying with the highest data security standards, including the US’s and Europe’s stringent HIPAA, HITECH, PCI DSS, SOX and GDPR.
MFT manages inbound and outbound file transfers across an organisation, using industry-standard file transfer protocols such as SFTP, FTPS, and AS2 to send files securely, and encryption standards such as Open PGP and AES to protect data in transit and at rest.
GoAnywhere MFT also provides audit reports, which will help organisations meet new reporting and compliance needs. All file transfer and administrator activity is recorded and easily searchable. To help organisations report on file transfer activity and remain compliant with the new legislation, these audit reports can be generated automatically and delivered as PDFs.
Advanced Threat Protection and Adaptive Loss Prevention add a further layer of defence. SFT Threat Protection enables safe collaboration with external parties, preventing malware from entering an organisation, and reducing the risk of employees losing or mishandling sensitive data.
Local Expertise on Hand
Generic Systems Australia are your local experts in Managed File Transfer solutions. We’ve assisted dozens of organisations across the Asia-Pacific region to secure their data and keep cybercriminals at bay.
If you’d like to discuss improving your cybersecurity, please feel welcome to contact me, Bradley Copson. I’m always happy to have an obligation-free discussion, explain how simply we can transition you from outdated software and approaches, and offer you a zero-cost Proof of Concept.