The Government has introduced three pieces of legislation regarding cyber security which will have some implications for some small businesses. The Cyber Security Bill introduces requirements for the security of smart devices (IoT devices), sets mandatory reporting requirements for ransomware, sets out the modalities for the coordination of significant cyber security incidents, and establishes a Cyber Review Board. More specifically:

  • Ransomware payments must be reported by companies with an annual turnover of over $3 million.
  • Information may be voluntarily provided to the National Cyber Security Coordinator for significant cyber security incidents. This information is subject to strict rules of use and disclosure and would be for the purposes of supporting the affected entity and other Australian interests.
  • Relevant connected products may be subject to mandatory security standards, applicable to the manufacturers and suppliers. Rules (to come) would be able to set a standard for specific classes of connected devices and certificates of compliance, which must be provided.
  • A Cyber Incident Review Board will be established to undertake reviews into certain cyber security incidents and make recommendations for future actions to prevent, detect, respond to or minimise future incidents.

Other Bills introduced include:

We will keep you updated as the Bills progress through the Parliament, but please get in touch if you have any questions about them.