Cybersecurity 2025

AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

would expect this new priority will build on the 2022 Federal Court decision of ASIC v RI Advice Group Pty Ltd [2021] FCA 1193. This change signals a potentially bigger shift. Data breaches and cybersecurity issues have generally been regulated from a privacy perspective by the Office of the Australian Information Commissioner (OAIC). This area may be a hot spot to watch for regulator “pile-ons”.

CISC audits

The Cyber and Infrastructure Security Centre (CISC) considered 2022-2023 a learning and familiarisation period with the introduction of the Security of Critical Infrastructure (Application) Rules 2022. Then, in 2024, the CISC shifted its compliance focus from one primarily of education and awareness raising (2023-24) to a balance of education/awareness and compliance activities (2024-25). The SOCI Compliance Regulatory Posture was updated. In making this shift, the CISC conducted a limited series of trial audits with certain responsible entities “to test our processes for determining industry compliance with SOCI Act obligations”. The CISC has also announced that a formal audit programme to evaluate compliance with SOCI obligations will commence in 2024-2025.

2024 marked the first year that responsible entities (under the SOCI Act) were required to file annual reports per the SOCI (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP).

OAIC determination and guidance on facial recognition

On 19 November 2024, the OAIC published a determination finding that retail chain Bunnings breached the Privacy Act 1988 (Cth) through its practices of automatically monitoring CCTV footage, processing imagery of individuals’ faces, and storing the same on databases against allegedly known violent customers. This determination is a major development in facial recognition technology and biometric data under Australian law, and was also accompanied by new guidance, “Facial recognition technology: a guide to assessing the privacy risks”.

Industry programs

Industry-wise, an increasing number of sector and government partners are choosing to participate in ASD programs, including the ASD-Microsoft initiative to connect ASD’s Cyber Threat Intelligence Sharing platform with Microsoft’s Sentinel platform.

Joint advisories and investigations

Internationally, Australia is pursuing a co-ordinated approach with its allies in the field of cybercrime where there have been co-ordinated international investigative and law enforcement efforts, resulting in the simultaneous sanctioning of entities. This was seen in 2024 with Operation Cronos, a co-ordinated law enforcement action against the LockBit ransomware group and comprising Australia, the UK, the USA, France and many more.

In addition to simultaneous sanctioning, the international partnerships also result in joint advisories, often seen in respect of Australian-viewed state-sponsored malicious actors. For example, the ASD continues to work with partners to highlight evolving state-sponsored cyber-actors, such as the PRC-sponsored Volt Typhoon, APT40, and Integrity Technology Group, Russia’s Unit 29155, and Iranian cyber-actors generally.

Another notable joint operation appears to have involved the ASD and its international partners in identifying a “botnet” comprising 260,000

CHAMBERS.COM