A Corp Technology Support

What the New Australian Cybersecurity Laws Mean for Small to Medium Businesses

On November 25, 2024, the Federal Government passed a groundbreaking suite of legislative reforms aimed at bolstering Australia’s cyber resilience. This Comprehensive Cyber Security Legislation, comprising the Cyber Security Act 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the SOCI Amendment Act, introduces significant changes to the way businesses, including Small to Medium Businesses (SMBs), must approach cyber security.

For SMBs, the implications of these laws are particularly important, as they aim to enhance preparedness and accountability in the face of increasing cyber threats. Here’s what you need to know.

1. Mandatory Reporting of Ransomware Payments

One of the most impactful changes is the mandatory reporting of ransomware payments, which applies to businesses with an annual turnover exceeding $3 million. If your SMB makes a ransomware payment, you’ll need to report it to the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours.

Why it Matters for SMBs:

  • Accountability: SMBs are no longer able to quietly pay ransoms without regulatory oversight. This reporting requirement could influence whether paying a ransom is seen as a viable option.
  • Preparation: SMBs must ensure their incident response plans explicitly include these new reporting obligations.
  • Compliance Risks: Failure to report incurs penalties of up to $93,900, highlighting the need for immediate understanding and adherence to these laws.

2. Voluntary Information Sharing for Cybersecurity Incidents

The legislation introduces a voluntary reporting regime, allowing businesses to share details of cyber incidents with the newly established National Cyber Security Coordinator (NCSC).

Benefits for SMBs:

  • Guidance and Support: The regime is designed to foster collaboration, offering SMBs access to government expertise in managing and mitigating cyber threats.
  • Limited Use Protections: Shared information will be used strictly for assistance and not for enforcement, though SMBs should still exercise caution regarding the data they disclose.

3. Cyber Incident Review Board (CIRB)

The Cyber Incident Review Board (CIRB) will independently review significant cyber incidents, providing recommendations for preventing future occurrences.

How It Affects SMBs:

  • Lessons Learned: Insights from CIRB reviews can help SMBs strengthen their own defences by learning from incidents affecting other organisations.
  • Proactive Measures: SMBs with strong cyber defences and documented incident response processes may benefit from positive recommendations or guidance resulting from CIRB evaluations.

4. Security Standards for IoT Devices

The Cyber Security Act empowers the government to mandate security standards for Internet of Things (IoT) devices. Manufacturers and suppliers will need to provide statements of compliance for devices sold in Australia.

Implications for SMBs:

  • Product Selection: SMBs must ensure any IoT devices used in their operations meet these new standards, as non-compliant devices could pose security risks and potential liability.
  • Vendor Accountability: Expect greater scrutiny on suppliers of IoT devices to ensure compliance with mandated standards.

5. Enhanced SOCI Act Coverage

The SOCI Amendment Act now includes data storage systems as critical infrastructure assets and extends obligations so that hazards beyond cyber threats, such as software bugs or physical defects, must also be mitigated.

Considerations for SMBs:

  • Supply Chain Dependencies: If your SMB depends on third-party data storage providers, you’ll need to understand their obligations under the SOCI Act and how these impact your business.
  • Broader Risk Management: SMBs should incorporate a wider range of risks into their IT management strategies, considering not only cyberattacks but other vulnerabilities as well.

What Should SMBs Do Next?

Here are practical steps SMBs can take to align with the new regulations:

  1. Update Cyber Incident Plans: Ensure your response plans include processes for mandatory reporting, including ransomware payments, and consider engaging legal counsel for compliance guidance.

  2. Enhance Board-Level Awareness: Educate executives and board members on the implications of paying ransoms, particularly in light of directors’ duties to act in the organisation’s best interests.

  3. Audit IoT Devices: Review all IoT devices in use and confirm they meet or exceed anticipated security standards.

  4. Engage with CIRB Outputs: Stay informed about the findings and recommendations from the Cyber Incident Review Board, applying them to strengthen your own defences.

  5. Leverage Government Resources: Consider the voluntary reporting regime as a way to access assistance during incidents and mitigate further risks.