New announcements made ahead of Federal Government’s updated Cyber Security Strategy release

14 November 2023
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne

Cyber note – New developments:

  • Australian businesses to report cyber ransom demands under proposed no-fault system
  • New cyber-risk reporting requirements for Australian telcos

With its updated Cyber Security Strategy expected to be released next week, the Federal Government has set the scene by making a number of early announcements. What is telling is that these announcements were made not by the Minister for Communications but by the Minister for Home Affairs, the Honourable Ms Clare O’Neil.

Cyber Ransom Demands Reporting

The first announcement foreshadows changes to the way businesses will need to deal with a cyber ransom demand moving forward. Although not surprising, in a first for Australia, businesses will soon be compelled to report ransomware incidents, demands or payments under a no-fault system, whereupon they would receive guidance and support from the Government with no penalties. Further details are expected to be released within the government’s broader Cyber Security Strategy next week on the proposal, including identification of any thresholds and/or exemptions that might apply to the mandatory reporting, as well as better clarity as to how the ‘no-fault system’ being proposed will work in practice.

It is also unclear how SMEs, which according to cyber security firms form the majority of ransomware victims, would be impacted by the proposal. The proposal will require legislative change in order to be put into effect, foreshadowed by detailed industry and regulator consultation. It reflects the focus that the Federal Government has on ransomware (having joined a 40-nation pledge not to pay ransomware demands made against government agencies).

However, there are mixed messages, as the Government still appears reluctant to impose a complete ban on ransomware payments (in line with draft legislation that had been proposed in the past, such as the Ransomware Payments Bill 2021 (Cth)), opting instead to strongly discourage such payments and provide support in order to make alternative options more attractive to Australian businesses. This also follows extensive discussion between business leaders and the Department of Home Affairs, with Minister Clare O’Neil clearly stating that “Australia is not yet ready for an outright ban of ransomware payments”.

Telcos to be required to Report Cybersecurity Measures

In another development reflecting the Government’s response to the evolving cyber-threat environment, Ms O’Neil also foreshadowed another material change, announcing that telecommunications companies will soon be categorised as ‘critical national infrastructure’ (CNI) providers, alongside hospitals, ports and energy companies, and will therefore be subject to the same rules as CNI providers under the Security of Critical Infrastructure Act 2018 (Cth), which was most recently amended late last year.

The effect of this will be to require telecommunications companies to update the Federal Government on their cybersecurity measures, processes and precautions. It will also have a considerable knock-on impact on the broader ICT industry and supply chain, which are suppliers to the industry. This comes on top of the numerous regulatory changes to their core businesses.

News of these upcoming changes also comes just days after a cyber attack against one of the nation’s largest maritime freight operators, DP World Australia, who would join companies such as Medibank and BlueScope in a growing list of cyber-attack victims.

Companies that are not yet cyber-ready would be well advised to review their cyber security and data protection resilience and posture to ensure that they can tackle an increasingly threat-filled environment and are positioned for compliance with the legislative changes coming their way.

What’s next?

The Government will introduce this early-warning regime for ransomware attacks as part of a broader, seven-year Cyber Strategy, which is expected to also include a playbook for ransomware and a strategy for Australian companies to respond to cyber criminals.

The Federal Government’s Cyber Security Strategy is expected to be released next week, following Prime Minister Mr Albanese’s return from the APEC summit in San Francisco.

For support or for additional information on any of these changes, please contact our team.

Authored by:

Sinead Lynch, Partner
Antoine Pace, Partner
Dudley Kneller, Partner
Raymond Huang, Lawyer 

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
