New Cyber Security Laws – What do they mean for you?
Thursday, 30 January 2025
At the end of 2024, the Government passed several new pieces of cyber security legislation as part of its Cyber Security Legislative Package 2024, in accordance with its cyber security strategy for 2023-2030. This legislative package comprises the following:
- Cyber Security Act 2024 (Cth);
- Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth); and
- Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth).
This legislative package may impact you and your business, particularly if you carry on a business with an annual turnover above AUD $3 million or if your business deals with critical infrastructure assets, and penalties may apply if you fail to comply with any applicable obligations.
We have summarised some of the new measures introduced by this legislative package in more detail below.
Cyber Security Act 2024
The Cyber Security Act 2024 (Cth) sets out a range of new measures to strengthen cyber security infrastructure, as well as providing guidance and protection to people and businesses who report cyber security attacks.
The key measures introduced by the Cyber Security Act 2024 (Cth) are:
- mandating minimum cyber security standards for smart devices;
- introducing mandatory ransomware reporting requirements if a ransomware payment is made to an extorting entity;
- implementing “limited use” measures to prevent information voluntarily provided to the National Cyber Security Coordinator from being used for enforcement purposes (in order to encourage engagement and cooperation between industry and the government following cyber incidents); and
- establishing a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.
Significantly, entities which:
- carry on business in Australia with an annual turnover that exceeds the prescribed threshold (currently AUD $3 million) and are not a Commonwealth or State body; or
- are a responsible entity for a critical infrastructure asset as defined by the Security of Critical Infrastructure Act 2018 (Cth);
are bound by the new mandatory ransomware payment reporting obligations, which will be in effect from May 2025. Such entities will be required to make a report to the Australian Signals Directorate (ASD) within 72 hours of making or becoming aware that a ransomware payment has been made. If an entity which is required to make a report under the Cyber Security Act 2024 does not do so within 72 hours of becoming aware that such a report is required, a civil penalty of up to 60 penalty units may apply.
Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
In addition to the above, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth) introduces a ‘limited use’ obligation (parallel to the obligation introduced under the Cyber Security Act), which limits how the ASD can use and disclose any information that an entity has voluntarily disclosed to it pursuant to the mandatory reporting obligations set out above. It also serves to exempt information voluntarily provided to the National Cyber Security Coordinator under the Cyber Security Act from the operation of the Freedom of Information Act 1982 (Cth).
The intention of this limited use obligation is to provide reporting entities with greater confidence that any information provided as part of their mandatory reporting obligations will be protected and will not be used for enforcement purposes. However, it is important to note that the limited use obligation is not intended to shield the entity from all legal liability provisions, and entities are still required to comply with their existing legal and reporting obligations. Accordingly, businesses should still take measures to ensure such information is protected and handled in accordance with relevant legislation and that they have appropriate cyber security policies in place.
Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024
Lastly, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) was introduced to amend the Security of Critical Infrastructure Act 2018 (Cth). These amendments aim to further protect critical infrastructure assets and address gaps identified in the current legislation, with the intent of strengthening the security and resilience of critical infrastructure, and the cooperation of government and infrastructure operators. The key amendments implemented by this Act are:
- an expanded definition of critical infrastructure assets;
- providing clarification regarding the obligations relating to certain data storage systems that store or process business critical data and protected information;
- expanding Government powers to facilitate management of the consequences of incidents on critical infrastructure assets; and
- providing the regulator with the ability to direct entities to remedy a seriously deficient risk management program.
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) is intended to operate in conjunction with the Cyber Security Act 2024 (Cth) and the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth), and may carry certain additional implications for the purposes of that other legislation. For example, if an entity is now classified as a critical infrastructure asset due to the expanded definition, it is likely to be bound by the mandatory ransomware payment reporting obligations under the Cyber Security Act 2024 (Cth).
Businesses which deal with critical infrastructure assets are required to comply with these additional obligations along with their existing obligations under the Security of Critical Infrastructure Act 2018 (Cth). If you would like further advice as to whether your business may fall under the scope of this legislation, please reach out to our team for a free consultation to discuss further.
*****
The Cyber Security Legislative Package 2024 implements a range of new measures and obligations which entities should be aware of if they have an annual turnover that exceeds $3 million or if they hold critical infrastructure assets.
We can help you
If you would like to learn more about updates in cyber security legislation and how they may affect you or your business, please call 1800 867 113, or contact us to organise a confidential discussion at a time that suits you.
About the authors

Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors. He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.

Anthony Ha is a Special Counsel in Avant Law’s Commercial and Corporate law practice, based in Sydney. Anthony has over seven years’ experience advising clients in both the private and public sectors on all aspects of commercial and corporate law. His practice includes privacy, regulatory enforcement, governance, and risk and compliance matters. Before joining Avant Law, Anthony held the role of senior legal counsel in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. He has also worked as a senior lawyer within one of New South Wales’s largest primary and secondary education providers.

Romy Sirtes is an Associate in Avant Law’s Commercial and Corporate Law practice, based in Sydney. Romy has experience advising clients in both the private and public sectors on a wide range of commercial, corporate, litigious and regulatory law. Romy has particular experience working with health practitioners and medical practices, assisting primarily with privacy, governance, risk, compliance and commercial matters. Romy enjoys working with clients to achieve practical and commercially strategic outcomes and is known for her professional and reliable approach.
The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to 31 January 2025. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. © Avant Mutual Group Limited 2025