NCC Group responds to the Australian Government’s consultation on cyber legislative reform

03 March 2024

In November 2023, the Australian Government published its final 2023–2030 Australian Cyber Security Strategy, setting out how it will deliver on its vision of making Australia the most cyber secure nation in the world by 2030.

One of the core components of the Government’s Strategy is to update the cyber rules applied to technology developers and others across the economy. This includes the introduction of a mandatory no-fault, no-liability ransomware reporting obligation and mandatory cyber security requirements for consumer IoT devices. Critical infrastructure providers will also face enhanced and clarified regulations, with the SOCI Act reformed to clarify providers’ obligations and to bring telecoms providers within its scope.

In a wide-ranging consultation, the Government sought views on the implementation of these proposals. Here, Regional Lead, Tim Dillon, comments on the key points from NCC Group’s response to the public consultation:

“Through NCC Group’s threat intelligence, incident response and research functions, we are acutely aware of the changing cyber threat landscape, witnessing first-hand the real-world impact cyberattacks have on their victims, communities, and ecosystems.

“I am therefore pleased that the Government is focused on further strengthening national cyber defences, both through the proposed legislative reforms and the wider delivery of its Cyber Security Strategy.

“At a high-level, we support the aims of the changes being consulted on, but offer the following observations and recommendations as the Government proceeds with its plans: 

  • In alignment with global developments such as the EU’s Cyber Resilience Act, the Government should be ambitious in its plans to set security standards for IoT devices, covering all hardware sold into Australia (including enterprise devices), pursuing all ETSI 303 645 requirements proportionately, on a phased basis, and ensuring that manufacturers and developers’ compliance is technically validated by an independent third party where the risk profile necessitates.  
  • The proposed mandatory reporting requirement for ransomware attacks should be aligned to existing legislative frameworks (such as SOCI and the Privacy Act) and apply only to businesses with an annual turnover of more than $10 million per year. For small to medium sized businesses, the Government should explore what incentives it could provide to encourage reporting, such as in exchange for access to the Government’s proposed Small Business Cyber Security Resilience Service. 
  • The mandatory reporting requirement, limited use obligation for the Australian Signals Directorate (ASD) and Cyber Coordinator, and the new Cyber Incident Review Board (CIRB) will require clear legal delineations – backed by a public communications campaign – in order to build trust that the associated powers will not be misused.  
  • The Australian Cyber Security Centre (ACSC) and regulators require investment to ensure they have the capabilities, expertise, and skills to effectively enforce the legislative proposals.”

 

What’s next?

With submissions to the consultation paper having closed on Friday 1 March, the Department of Home Affairs will now consider the responses before setting out its advice to Government on new legislation later this year.

NCC Group stands ready to remain a valued part of the cyber security industry in Australia, helping to deliver a secure and digitally resilient nation. We look forward to seeing how the Government reflects our input to inform its updated cyber laws.

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574