Cyber security reform to learn from past data breaches

October 9, 2024 5:44 pm

[Source: AAP Image/Dave Hunt]

Cyber security reforms proposing mandatory standards for smart devices and reporting requirements for some businesses “strike the right balance” and put Australia on the path to learning from past incidents.

New legislation to create the nation’s first standalone Cyber Security Act was introduced to federal parliament’s lower house on Wednesday.

“This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030,” Cyber Security Minister Tony Burke told the parliament.

“We need a framework that enables individuals to trust the products they use every day.”

Under the package, the government will be empowered to direct companies and other entities to fix serious deficiencies within their risk management program.

A Cyber Incident Review Board would be set up under the changes and would function as an independent advisory body able to conduct “no fault” assessments of significant cyber security incidents.

Pointing to previous major data breaches such as the Medibank hacking attack, Mr Burke said the reform would provide a “cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cybersecurity landscape”.

Medibank is facing legal action and enormous fines over the breach in October 2022, which affected 9.7 million customers.

Hackers stole personal and highly sensitive information and published it on the dark web.

The changes include mandating minimum cyber security standards for smart devices and compulsory ransomware reporting, requiring certain businesses, which are yet to be decided on, to report ransom payments.

Mr Burke said the government had worked extensively with business and believed the bill’s measures “strike the right balance to achieve our security outcomes” without burdening companies.

The regulation of telecommunications security would be moved into the Security of Critical Infrastructure Act, and existing obligations for systems holding business-critical data would be further clarified.

The legislative package will go before a parliamentary committee to be scrutinised.