The reforms aim to improve the protection and resilience of Australia’s critical infrastructure and digital economy from cyber threats.
Legislative options to address gaps in current regulatory frameworks are:
• Mandating a security standard for consumer-grade Internet of Things (IoT) technology to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
• Creating a no-fault, no-liability ransomware reporting obligation to improve our collective understanding of ransomware incidents across Australia;
• Creating a ‘limited use’ obligation to clarify how the ASD and the Cyber Coordinator use information voluntarily disclosed during a cyber incident, in order to encourage industry to continue to collaborate with the Government on incident response and consequence management; and
• Establishing Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve our national cyber resilience.
Options to reform the Security of Critical Infrastructure Act 2018 (SOCI Act) to address gaps identified following recent major cyber security incidents are:
• clarifying obligations for critical infrastructure entities to protect data storage systems that store ‘business critical data’, where vulnerabilities in these systems could impact the availability, integrity, reliability or confidentiality of critical infrastructure;
• introducing a last resort consequence management power for the Minister for Home Affairs to authorise directions to a critical infrastructure entity (with safeguards in place and where no other powers are available) in relation to the consequences of incidents that may impact the availability, integrity, reliability or confidentiality of critical infrastructure;
• simplifying information sharing to make it easier for critical infrastructure entities to respond to high-risk, time-sensitive incidents;
• providing a power for the Secretary of Home Affairs or the ‘relevant Commonwealth regulator’ to direct a critical infrastructure entity to address deficiencies in its risk management program; and
• consolidating security requirements for the telecommunications sector under the SOCI Act.
If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.
Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.