Redefining cyber readiness – Three ways to outpace Australia's new cyber laws
10 October 2024
The Australian Government introduced a suite of cyber security legislation on 9 October 2024. The new bills are a long time coming – originally signalled as part of Australia's 2023-2030 Cyber Security Strategy, with proposals clarified through ongoing consultation.
Updating policies and playbooks to respond to the bills will not be enough to build the cyber readiness and maturity now expected by regulators, the market and the public – and to successfully navigate an increasingly hostile cyber threat environment.
In this article, we'll take a closer look at three key areas addressed by the reforms – and explain why adapting to the cyber bills is just one part of thorough and comprehensive planning for cyber incidents:
The reforms are included in the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024.
The new laws will require organisations to report the payment of ransoms within 72 hours, a step back from earlier proposals to also report ransom demands (although ransom threats and other security incidents may be reportable under other regimes like security of critical infrastructure legislation or privacy laws).
It is important to recognise:
While incident response playbooks will need to be updated to include ransom payment notification obligations and related governance, it is clear that paying a ransom remains the least viable (and least reliable) way of addressing cyber risk. Payment of a ransom does not guarantee data will be recovered, stolen data destroyed, or systems restored.
Best practice requires organisations to:
‘De-risking ransom’ is a risk-based approach that aims to identify the high-risk systems and data where a company might need to consider paying a ransom, and ensures there is adequate security, business continuity, data retention, and harm mitigation/remediation in place. Doing so reduces the occasions where organisations may consider paying a ransom.
Being subject to a ransom demand is a known risk – if you do not have a sophisticated approach to readiness, response and recovery, you may be open to criticism that you are not managing the risk. In the current cyber climate, it is one of the most foreseeable risks an organisation can face, and readiness is more than a policy on payment.
The bills introduce several "limited use" information control frameworks that are subtly but importantly different – limiting the use, recording and disclosure of information by cyber agencies to encourage closer engagement by industry.
Different use, recording and disclosure restrictions can apply depending on whether information is:
These factors also determine whether information may be admissible as evidence.
Importantly, some information can't be used for certain regulatory investigation or enforcement purposes, but these protections won't necessarily prevent criminal investigations.
The Government has taken pains to point out that the limited use regime is not a safe harbour – regulators may continue to exercise their existing powers (and in the case of Australia's privacy regulator, soon to be expanded powers) to take investigation and enforcement action.
These new "limited use" protections, if properly understood and operationalised in incident response playbooks, can allow more effective and responsible engagement with cyber agencies, with less friction.
While removing barriers to engagement with cyber agencies has been a long-standing priority, it is only one part of a complex information management puzzle.
Despite efforts to harmonise regimes, a cyber incident will usually involve mandatory and voluntary interactions with a range of regulators under different regimes.
In the midst of a cyber incident, organisations are under pressure for extremely high levels of transparency – not only from cyber agencies, government and regulators, but from business partners, suppliers, banks and the media, as well as customers and the broader public.
There is a lot of pressure to provide assurances, with high levels of confidence, that you are secure. Customers, suppliers and third parties may stop doing business with you until you are able to provide those assurances.
Decisions about what to disclose, when, and to whom can have significant implications for operational security, regulatory compliance, litigation risks, privilege, and stakeholder trust.
The right approach requires a combination of internal information management and assessment (to know what you know, versus what you suspect), strong communication and decision-making protocols, and effective and efficient legal guidance. And importantly, the right approach must be coordinated, streamlined, well-understood and tested.
This is not organisational discipline that can or should be developed mid-incident – it needs to be part of thorough and comprehensive planning.
Consider how your organisation could confidently respond to requests from third parties (including in your supply chain), customers, and regulators in the first 72 hours of an incident, such as:
Cyber threats are no longer a new and unknown risk. The message from various regulators is consistent – patience is running thin for organisations that have failed to de-risk pervasive cyber threats.
After a strong focus on education, uplift, and warnings in recent years, regulators are adjusting their posture to focus more on enforcement and assurance – to make sure that industry has received the message.
A common thread underlies the various regulators and regulatory regimes – what reasonable steps, and what reasonable investments, have you taken to safeguard systems and data and build cyber readiness, response and resilience?
Regulators expect, and expect you to be able to demonstrate, thorough and comprehensive planning and clearly thought-out risk management.
How you respond in times of crisis is important but is fundamentally constrained by the planning, strategies and capabilities you have already put in place.
Below is our quick guide to help you navigate the "new normal" of regulatory expectations, including some red flag indicators to watch out for. It is critical for businesses to understand these expectations and to have assurance mechanisms in place that defensibly demonstrate how they are being met.
| Regulator expectation | Red flags |
| --- | --- |
| Thorough and comprehensive planning – thorough and comprehensive planning in place for significant cyber incidents and a clearly thought-out risk management strategy. Refer to the AICD guidance "Governing through a cyber crisis", co-authored by Ashurst and the Cyber Security Cooperative Research Centre. | Reactive and unplanned. Infrequent training and simulations, including at Board level. Cookie-cutter policies rather than sophisticated playbooks. Assuming that a cyber incident response plan is all you need in your suite of readiness planning. |
| Prevent harm – act in the best interests of the individual victims of a cyber incident; support them to mitigate the risk of both financial and non-financial harm in a transparent and timely manner. | No formal "risk of harm" assessment process. Excessive delays in notifications and/or a lack of support for victims. |
| Accountability at the top – Board and management teams will be held to account for failures in behaviours and security culture as well as failures of governance and risk management. | Lack of understanding of individual responsibility and accountability. Delegation of accountability for risk management failures. |
| Demonstrable improvements – Boards need evidence of cyber remediation uplift activities and cannot rely on management "just telling them". Management will be held accountable for providing sufficient evidence. | Assurances without transparent evidence or effective and consistent reporting. Expecting old frameworks to remain current as cyber threats evolve. Self-assessment bias. |
| Cyber washing – disclosures and assurances around cyber security must be accurate, and Boards must be satisfied that management reports are supported by evidence. | Downplaying vulnerability, risk and potential harms. Optimism bias that is not supported by assurance and expert advice. |
| No rubber stamps – Boards and management are expected to demonstrate a "curiosity of mindset" and have appropriate capabilities on Boards and leadership teams. | Unwillingness or inability to challenge. People wearing too many hats; lack of specialist capabilities. Lack of training and expertise to support Boards in asking effective and adequate questions. |
| Demonstrate that frameworks work – it is not good enough to have a framework in place; management must demonstrate how frameworks are effective and embedded, and how management are held accountable for failures. | Cookie-cutter approach to managing cyber threats. Exceptions become the "norm". No action is taken against "repeat offenders". |
| Testing and assurance – testing and assurance should consistently challenge an organisation to improve its processes. | Testing the tools you implemented rather than the threat you face. Poor quality, non-transparent reporting of adverse findings and open action items. Self-assessment bias. |
| The buck stops at the Board – there is a level of cyber security risk that must be managed as "business as usual" activity, but where cyber risk is outside of risk appetite, it is the Board's responsibility to manage the risk accordingly. | Risk appetite not clearly articulated and communicated. Lack of clear escalation. Lack of pressure testing, such as simulations and regular Board training. |
Authors: John MacPherson, Partner, Ashurst Risk Advisory; Emma Butler, Partner; Andrew Hilton, Expertise Counsel; Thomas Suters, Graduate.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 10 October 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.