A new Cyber Security Act is set to be unveiled in Parliament’s next sitting from 12 August, as reported by the ABC. The proposed Act would require Australian businesses and government bodies to disclose when they make a ransom payment to cybercriminals in the event of a hack, or face penalties of up to AU$15,000 for failing to notify.

The current proposal exempts small businesses at the same AU$3 million threshold as the Privacy Act’s rules, though some believe the threshold is too low – the Australian Chamber of Commerce and Industry argues the rules should only apply to businesses with an annual turnover exceeding AU$10 million.

This bill would be in addition to the Cyber Resilience Service and Cyber Health Check services for small business expected to be operating by the end of 2024 as well as the Cyber Wardens Program currently operating that provides online cyber security training, designed to assist small businesses prevent and recover from cyber-attacks.

Under the proposed bill, Australia would also adopt international benchmarks in relation to connected consumer objects or ‘IoT devices’ (such as home security cameras and smartphone-controlled appliances). Standards already in place in the US and the UK seek to limit the amount of data businesses and governments collect through such devices and reduce the data at risk in the event of a cyber breach.

More information is yet to be released about the proposed Cyber Security Act, but in the meantime, you can be prepared by:

• Implementing a recognised cyber security framework such as NIST or ASD’s Essential 8.
• Ensuring you have a Data Breach Response Plan and keeping it up-to-date.
• Conducting annual cyber health checks: do you know what state your cyber security is currently in?
• Keeping records of processing activities and make sure your organisation actively reviews its information holdings.

Lauren Hrysomallis also contributed to this article.