On 9 October 2024, the Australian Government tabled the Cyber Security Bill 2024 (the Bill) in the Federal Parliament. While the Security of Critical Infrastructure Act 2018 (SOCI) already imposes cyber security obligations on owners and operators of critical infrastructure, the Bill is the first standalone Australian law designed to strengthen cyber security across the public and private sectors.

The Bill proposes a number of cyber security compliance obligations relating to the manufacture and supply of smart devices. Manufacturers and suppliers of internet- or network-connectable smart devices (IoT devices, referred to in the Bill as 'relevant connectable products') must comply with security standards to be specified in rules, and must provide a statement of compliance with each device they manufacture or supply.

The Bill also introduces a mandatory ransomware payment reporting obligation. Businesses operating in Australia with an annual turnover above a threshold to be set in the rules, together with responsible entities for critical infrastructure assets under SOCI, that make a ransomware or cyber extortion payment must report it within 72 hours of the payment being made, or of becoming aware that a payment has been made on their behalf. The article's source material describes the report as going to the Australian Cyber Security Centre.

The Bill establishes a Cyber Incident Review Board to conduct post-incident reviews of significant cyber security incidents. The Bill has extra-territorial application, so it is expected to be of interest to New Zealand organisations with business operations in Australia or that manufacture or supply smart devices to the Australian market. Once in force, the Bill will significantly affect how organisations in Australia manage their cyber security practices, especially those operating in critical sectors and other industries handling sensitive or business-critical data. The following will be affected:

  • Organisations regulated under SOCI, such as healthcare providers, financial institutions and telecommunications companies, which face the ransomware payment reporting obligation and related amendments to the SOCI regime
  • Businesses involved in the production, distribution or sale of smart devices, which must meet the specified security standards and supply a statement of compliance with each device before it is sold

Through this Bill, Australia is taking strong organisational and systemic measures against security threats and cyber attacks. It remains to be seen how the legislation will take final shape and how it will be enforced. HewardMills' experts can support your teams with data protection strategies to stay compliant with this new legislation, should it come into force.


If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.