Making Sense of Australia’s New Cybersecurity Legislation

Late last year, Australia’s Cyber Security Act 2024 received Royal Assent and became law. It was a landmark moment for cybersecurity legislation in Australia: the country’s first standalone cybersecurity law, addressing key legislative gaps and bringing the country in line with international best practices. But what’s included in the Act? And what does it mean for businesses? Keep reading to find out.
Security Standards for Smart Devices
Internet of Things (IoT) devices are a huge part of our daily lives. Most of us will either use or know someone who uses smart devices like internet-connected televisions, watches, or baby monitors. And, as with any device connected to the internet, these technologies are vulnerable to cyber threats.
The Cyber Security Act 2024 reflects this reality, mandating that all manufacturers and suppliers of smart devices available in Australia comply with strict security standards. While the standards themselves aren’t finalized, they will emulate the UK’s regulations for smart devices, which include a ban on universal default passwords, a requirement to implement a means to manage reports of vulnerabilities, and an obligation to provide information about how long the device will be supported.
Under the Act, suppliers and manufacturers will be expected to produce a statement of compliance confirming that the device meets these requirements. If a device fails to meet these standards, the Secretary of Home Affairs has the power to issue:
- Compliance notices requiring the organization to address the non-compliance
- Stop notices requiring an entity to stop or refrain from doing a particular action, or to take a particular action; or, as a last resort
- Recall notices requiring the entity that receives them to recall the device from the market.
Manufacturers and suppliers will have a 12-month grace period to ensure devices comply with these standards.
Mandatory Ransomware Payment Reporting
The Cyber Security Act 2024’s mandatory ransomware payment reporting initiative is designed to help the Australian Government better understand the threat landscape and provide tailored advice that helps organizations disrupt the ransomware business model. It requires relevant entities to report a ransomware payment within 72 hours of making it, including, among other details, the amount of the payment, the method of payment, and what is known about the identity of the attackers.
This initiative only applies to reporting business entities, which are organizations that carry on business in Australia with an annual turnover exceeding $3 million, although this threshold may be adjusted in the future. Failing to make a report within the specified period may result in a civil penalty of 60 penalty units, typically $19,800 for corporations.
Organizations must report ransomware payments through a yet-to-be-developed portal on the Australian Signals Directorate’s cyber.gov.au website. The reporting obligation comes into force on May 29, 2025, six months after the Act received Royal Assent.
Limited Use for the National Cyber Security Coordinator (NCSC)
This initiative limits how the National Cyber Security Coordinator (NCSC) (not to be confused with the UK’s National Cyber Security Center) and the National Office of Cyber Security can record, use, or disclose information entities voluntarily provide.
It aims to ensure that Australian organizations suffering a security incident feel comfortable engaging early and sharing information with the Australian government without having to worry about the NCSC passing on this information to regulators or law enforcement. Essentially, the initiative encourages open and honest reporting to improve response efforts.
The limited use initiative applies to information:
- Provided by businesses carrying on business in Australia
- Provided by responsible entities for a critical infrastructure asset under the Security of Critical Infrastructure Act
- About incidents that had, are having, or could reasonably be expected to have a direct or indirect impact on the reporting organization
- Voluntarily provided to the NCSC.
It’s important to understand, however, that limited use does not shield or immunize organizations from legal liability or replace mandatory obligations to report a cybersecurity incident.
Cyber Incident Review Board
Finally, the Cyber Security Act 2024 establishes the Cyber Incident Review Board (CIRB). The CIRB is an independent review body that will conduct no-fault, post-incident reviews of significant cyber security incidents in Australia.
Note that a “significant cyber security incident” is defined as one that is, or could reasonably be expected to be, of serious concern to the Australian people, or one in which there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to seriously prejudice:
- The social or economic stability of Australia or its people
- The defense of Australia
- Australian national security
The CIRB will have the power to compel information from organizations involved in a security incident, but only if voluntary requests for information have been unsuccessful.
The Bottom Line
The key takeaway for most businesses is that, in the wake of a security incident, the Australian Government will expect them to hand over as much relevant information as possible. As such, organizations doing business in Australia should set up reporting mechanisms and incident response plans to streamline this process and avoid non-compliance penalties.
To find out more about how Forta can help your organization meet these new standards, check out our suite of compliance reporting solutions here.