Cybersecurity 2025

AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

action” will be determined by CISC’s Compliance and Enforcement Framework “and the published regulatory posture”. Watch this space.

Cyber Security Act

The Cyber Security Act was an Australian first: legislation specifically aimed at cybersecurity. It introduced standards for smart devices and new reporting obligations, and also established two new roles:

• the National Cyber Security Coordinator (NCSC), responsible for co-ordinating whole-of-government action in response to significant cybersecurity incidents, policies and capabilities; and

• the Cyber Incident Review Board (CIRB), an independent advisory body that will undertake reviews of certain cybersecurity incidents on a no-fault basis.

Information-gathering routes under the Cyber Security Act include:

• obligatory ransomware reporting: see below;

• CIRB compulsory powers: the CIRB has the power to compel information and documents from entities believed to be “involved in a cyber security incident” (subject to a request for information having been made); and

• voluntary reporting: see below.

Information-gathering: ransomware reporting

2021-22 research suggests only one in five Australians are reporting ransomware attacks to authorities. This statistic undoubtedly needs updating given the increased prevalence of attacks and access to technology.

The Cyber Security Act mandated reporting by certain entities when ransomware payments (or other benefits) are demanded. This obligation joins the ranks of a slowly growing set of confined reporting obligations. These currently include those imposed on critical infrastructure assets in respect of certain cybersecurity incidents (irrespective of ransomware payments) under the SOCI Act, and on APRA-regulated entities in respect of material information security incidents. Outside these regimes, the Australian government relies on its own detection of such incidents and, more likely, on voluntary reporting.

This ransomware obligation is just one more confined patch in Australia’s patchwork of obligations. It is imposed only on a “reporting business entity”, which is defined by reference to the Australian business’ previous year’s turnover (the number undetermined at writing) or by being a specific critical infrastructure asset. Therefore, the true extent to which these new obligations will be felt across Australian businesses (beyond critical infrastructure) remains to be determined (by the yet-to-be-published rules). The threshold will likely be set with reference to the cybersecurity threat landscape as well as the compliance capabilities, costs and other burdens on Australian businesses. Speculatively, this may match the threshold under the Privacy Act, so as to include small businesses. This set-up grants the Australian government flexibility to adjust obligations according to the perceived needs, but will likely result in a gap in obliged reporting where there is a ransomware attack. That is without even acknowledging that these obligations only arise where a “ransom” is demanded in the first place (albeit irrespective of the type of benefit, not only payments, and also irrespective of actual payment of the demand).

This piece is just one of many that make up the puzzle of Australia’s cybersecurity and attempts to balance several aspects including security,


CHAMBERS.COM
