
Australian Cyber Security Bill 2024: Impact on Authentication

Learn about Australia's Cyber Security Bill 2024, key components, impacts (on authentication) & how businesses can stay compliant with security requirements.


Vincent

Created: October 16, 2024

Updated: October 16, 2024



1. Introduction: Cyber Security Bill 2024

On October 9, 2024, Australia passed a landmark piece of legislation known as the Cyber Security Bill 2024, which aims to improve the country’s defense against escalating cyber threats. It’s one of the first standalone cyber security laws worldwide.

With increasing reliance on digital services and the rapid growth of sensitive data exchanges, this bill is a step in ensuring the security of Australian businesses and critical infrastructure. It also reflects a global trend: governments worldwide are tightening cybersecurity laws to safeguard sensitive information and maintain the integrity of essential services.

In this blog post, we want to answer the following questions:

  1. What key components are in the Cyber Security Bill?
  2. What is the impact of the Cyber Security Bill?
  3. What is recommended now for Australian organizations?
  4. What effect does the Cyber Security Bill have on authentication?

Whether you're a business owner, a technology leader, or simply someone interested in cybersecurity, understanding the implications of this bill is crucial to staying compliant and secure.

2. Key Components of the Cyber Security Bill

First, let’s have a look at the four key components of the Cyber Security Bill.

2.1 Security Standards for Smart Devices

The Cyber Security Bill mandates that all manufacturers and suppliers of smart devices (e.g. fridges, TVs, smartphones) comply with strict security standards. These measures aim to ensure that devices are secure and resilient against vulnerabilities that could be exploited by attackers. Failure to meet these standards can lead to enforcement actions, including compliance notices, stop orders, and recalls, ensuring that any insecure products do not remain on the market.

2.2 Ransomware Reporting Obligations

A critical element of the bill is the requirement for businesses to report any ransomware payments within 72 hours of making them. This obligation is designed to increase transparency and enhance the government’s ability to respond to ransomware incidents, thereby reducing their impact. Companies that fail to report these payments in the designated timeframe could face civil penalties, underscoring the importance of timely communication in managing cyber threats.


2.3 Protected Use of Incident Information

The bill also establishes protections around the use of information that businesses disclose regarding cybersecurity incidents. Specifically, data voluntarily shared with authorities, such as the National Cyber Security Coordinator or the Australian Signals Directorate (ASD), is shielded from being used in civil or regulatory actions against the reporting organization. This provision encourages companies to report incidents without fear of legal repercussions, fostering greater collaboration between the private sector and government.

2.4 Cyber Incident Review Board (CIRB)

The Cyber Incident Review Board (CIRB) is a new entity established under the bill to assess significant cybersecurity incidents and provide recommendations for future improvements. The CIRB is empowered to request documents and other information from businesses involved in such incidents, ensuring thorough reviews and learning opportunities. Non-compliance with these requests can result in penalties, emphasizing the importance of transparency and cooperation in enhancing cybersecurity across the nation.

3. What is the Impact of the Cyber Security Bill?

Following the publication of the Essential Eight framework, the Cyber Security Bill 2024 is a landmark piece of legislation, notable for being the world's first standalone cyber security law. By setting this precedent, Australia has positioned itself at the forefront of global cybersecurity efforts, demonstrating its commitment to addressing modern cyber threats and vulnerabilities. This bold move signals to other nations the importance of dedicated, comprehensive legislation against digital threats.

The bill is part of a larger strategic vision, laid out in Australia’s Cyber Security Strategy 2023-2030, which aims to establish the country as a global leader in cybersecurity by 2030.


4. Recommendations for Australian Organizations

The Cyber Security Bill of 2024 significantly impacts how organizations in Australia manage their cybersecurity practices, especially those operating in critical sectors such as finance, healthcare, telecommunications, and other industries handling sensitive or business-critical data. Here is a breakdown of the implications and recommended actions for compliance:

4.1 Who Is Affected by the New Cyber Security Bill?

The law applies broadly across various sectors, with a particular focus on:

  • Critical Infrastructure Providers: Organizations classified under the Security of Critical Infrastructure Act (SOCI Act), including utilities, healthcare providers, financial institutions, and telecommunications companies (e.g. Telstra), are required to adhere to stricter security standards and reporting obligations.
  • Manufacturers and Suppliers of Smart Devices: Businesses involved in the production, distribution, or sale of smart devices must ensure their products comply with the specified security requirements to avoid legal action.
  • Entities at Risk of Ransomware Attacks: Any organization that might be susceptible to ransomware attacks, particularly those holding sensitive data (e.g. myGov), will need to adhere to new reporting obligations when ransomware incidents occur.

4.2 Recommendations for Compliance and Risk Mitigation

Let’s analyze what is now recommended for these organizations.

4.2.1 Update Security Standards for Smart Devices

Organizations producing or supplying smart devices should:

  • Review and Enhance Security Protocols: Ensure that your devices meet the latest cybersecurity standards mandated by the law. This may involve implementing stronger authentication (e.g. phishing-resistant MFA), security patches, and regular software updates.
  • Establish Compliance Monitoring: Set up internal monitoring systems to ensure ongoing compliance and to quickly identify any potential non-compliance issues before they escalate.

4.2.2 Prepare for Ransomware Reporting Obligations

To meet the new 72-hour ransomware reporting requirement, organizations should:

  • Develop a Clear Incident Response Plan: Update your existing incident response plans to include specific steps for handling ransomware attacks. Ensure the plan outlines how to detect, report, and mitigate ransomware threats promptly.
  • Designate a Reporting Team: Identify a team responsible for liaising with the National Cyber Security Coordinator and other relevant authorities to ensure timely and accurate reporting in the event of a ransomware attack.

4.2.3 Enhance Risk Management Programs

For organizations regulated under the SOCI Act, it's essential to:

  • Expand Risk Management Practices: Update existing risk management programs to include provisions for critical data storage systems. This includes assessing current security measures, identifying vulnerabilities, and ensuring compliance with the new standards.
  • Implement Comprehensive Training: Regularly train staff on updated security protocols and incident response procedures to minimize human error and improve overall system security.

4.2.4 Collaborate and Share Information Securely

With the introduction of the Cyber Incident Review Board (CIRB) and enhanced information-sharing mandates, organizations should:

  • Foster Collaboration: Work closely with industry partners, the Australian Signals Directorate (ASD), and government bodies to improve overall cybersecurity posture. Sharing insights and best practices can help mitigate risks across the sector.
  • Establish Data Governance Practices: Ensure that any shared cybersecurity information is managed securely, with protocols that maintain data integrity and confidentiality. Use the legal protections provided by the bill to encourage transparent and responsible data-sharing without fear of legal exposure.

5. How the Cyber Security Bill Affects Authentication

The Cyber Security Bill of 2024 does not explicitly mandate the use of multi-factor authentication (MFA) across all sectors. However, the bill does require enhanced security measures for businesses and critical infrastructure, aligning with global best practices in cybersecurity. In particular, it emphasizes minimum cybersecurity standards for organizations that handle sensitive data or fall under critical infrastructure sectors like finance, telecommunications, and healthcare.

While MFA is not explicitly named, organizations are expected to adopt strong authentication mechanisms, including (phishing-resistant) MFA, as part of these enhanced security protocols in order to comply with the new standards. This expectation arises from the bill’s push for stricter controls on data access and protection, making MFA a logical and recommended part of any robust cybersecurity strategy.

Moreover, businesses that fail to meet these updated standards, including implementing appropriate authentication methods, risk facing fines and penalties for non-compliance.

This is especially true because organizations addressed by the SOCI Act are likely to be classified at Essential Eight Maturity Level 3, the highest level of cybersecurity maturity defined by the Australian Cyber Security Centre (ACSC). At this level, organizations are strongly encouraged to implement robust security measures, including phishing-resistant multi-factor authentication for their customers as well as their staff, to protect against sophisticated cyber threats.

[Figure: Essential Eight maturity levels]

Therefore, strong customer authentication requirements and recommendations are not just advisable but effectively mandatory for these critical infrastructure providers to comply with both the Cyber Security Bill and the SOCI Act.


6. Conclusion

The Cyber Security Bill of 2024 is a critical step toward improving Australia’s resilience against cyberattacks. For Australian organizations, the implications are clear: stronger security measures are no longer optional but a legal requirement. Whether you're upgrading your authentication systems to meet MFA standards or improving your overall data protection strategies, staying compliant with this new law will be essential for the future of secure digital services in Australia.

By understanding the requirements of this bill and proactively strengthening your security protocols, you can protect your business, your customers, and your reputation in an increasingly digital world.
