Learn about Australia's Cyber Security Bill 2024, key components, impacts (on authentication) & how businesses can stay compliant with security requirements.
Vincent
Created: October 16, 2024
Updated: October 16, 2024
Get free passkey whitepaper for Australian organizations.
Get for FreeOn October 9, 2024, Australia passed a landmark piece of legislation known as the Cyber Security Bill 2024, which aims to improve the country’s defense against escalating cyber threats. It’s one of the first standalone cyber security laws worldwide.
With increasing reliance on digital services and the rapid growth of sensitive data exchanges, this bill is a step in ensuring the security of Australian businesses and critical infrastructure. It also reflects a global trend: governments worldwide are tightening cybersecurity laws to safeguard sensitive information and maintain the integrity of essential services.
In this blog, want to answer the following questions:
Whether you're a business owner, a technology leader, or simply someone interested in cybersecurity, understanding the implications of this bill is crucial to staying compliant and secure.
First, let’s have a look at the four key components of the Cyber Security Bill.
The Cyber Security Bill mandates that all manufacturers and suppliers of smart devices (e.g. fridges, TVs, smartphones) comply with strict security standards. These measures aim to ensure that devices are secure and resilient against vulnerabilities that could be exploited by attackers. Failure to meet these standards can lead to enforcement actions, including compliance notices, stop orders, and recalls, ensuring that any insecure products do not remain on the market.
A critical element of the bill is the requirement for businesses to report any ransomware payments within 72 hours of making them. This obligation is designed to increase transparency and enhance the government’s ability to respond to ransomware incidents, thereby reducing their impact. Companies that fail to report these payments in the designated timeframe could face civil penalties, underscoring the importance of timely communication in managing cyber threats.
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
SubscribeThe bill also establishes protections around the use of information that businesses disclose regarding cybersecurity incidents. Specifically, data voluntarily shared with authorities, such as the National Cyber Security Coordinator or the Australian Signals Directorate (ASD), is shielded from being used in civil or regulatory actions against the reporting organization. This provision encourages companies to report incidents without fear of legal repercussions, fostering greater collaboration between the private sector and government.
The Cyber Incident Review Board (CIRB) is a new entity established under the bill to assess significant cybersecurity incidents and provide recommendations for future improvements. The CIRB is empowered to request documents and other information from businesses involved in such incidents, ensuring thorough reviews and learning opportunities. Non-compliance with these requests can result in penalties, emphasizing the importance of transparency and cooperation in enhancing cybersecurity across the nation.
After the publication of the Essential Eight framework, the Cyber Security Bill of 2024 is a landmark piece of legislation, notable for being the world's first standalone cyber security law. By setting this precedent, Australia has positioned itself at the front of global cybersecurity efforts, demonstrating its commitment to addressing modern cyber threats and vulnerabilities. This courageous move signals to other nations the importance of dedicated, comprehensive legislation to fight digital threats.
The bill is part of a larger strategic vision, laid out in Australia’s Cyber Security Strategy 2023-2030, which aims to establish the country as a global leader in cybersecurity by 2030.
Become part of our Passkeys Community for updates and support.
JoinThe Cyber Security Bill of 2024 significantly impacts how organizations in Australia manage their cybersecurity practices, especially those operating in critical sectors such as finance, healthcare, telecommunications, and other industries handling sensitive or business-critical data. Here is a breakdown of the implications and recommended actions for compliance:
The law applies broadly across various sectors, with a particular focus on:
Let’s analyze what is now recommended for these organizations.
Organizations producing or supplying smart devices should:
To meet the new 72-hour ransomware reporting requirement, organizations should:
For organizations regulated under the SOCI Act, it's essential to:
With the introduction of the Cyber Incident Review Board (CIRB) and enhanced information-sharing mandates, organizations should:
Want to find out how many people can use passkeys?
View Adoption DataThe Cyber Security Bill of 2024 does not explicitly mandate the use of multi-factor authentication (MFA) across all sectors. However, the bill does require enhanced security measures for businesses and critical infrastructure, aligning with global best practices in cybersecurity. In particular, it emphasizes minimum cybersecurity standards for organizations that handle sensitive data or fall under critical infrastructure sectors like finance, telecommunications, and healthcare.
While specific mention of MFA is not directly stated, organizations are expected to adopt strong authentication mechanisms, including (phishing-resistant) MFA, as part of these enhanced security protocols to comply with the new standards. This expectation arises from the bill’s push for stricter controls on data access and protection, making MFA a logical and recommended part of any robust cybersecurity strategy.
Moreover, businesses that fail to meet these updated standards, including implementing appropriate authentication methods, risk facing fines and penalties for non-compliance.
This is especially true because organizations addressed by SOCI are likely to be classified at Essential Eight Maturity Level 3, the highest level of cybersecurity maturity defined by the Australian Cyber Security Centre (ACSC). At this level, organizations are strongly encouraged to implement robust security measures, including phishing-resistant multi-factor authentication also for their customers, to protect against sophisticated cyber threats.
Therefore, strong customer authentication requirements and recommendations are not just advisable but effectively mandatory for these critical infrastructure providers to comply with both the Cyber Security Bill and the SOCI Act.
Why Are Passkeys Important For Australian Organizations?
The Australian Cyber Security Strategy and Essential Eight framework require organizations to implement phishing-resistant MFA (via passkeys). Our whitepaper provides an overview and shows how to implement passkeys efficiently and what the business impact is.
If you have questions, feel free to
contact usThe Cyber Security Bill of 2024 is a critical step toward improving Australia’s resilience against cyberattacks. For Australian organizations, the implications are clear: stronger security measures are no longer optional but a legal requirement. Whether you're upgrading your authentication systems to meet MFA standards or improving your overall data protection strategies, staying compliant with this new law will be essential for the future of secure digital services in Australia.
By understanding the requirements of this bill and proactively strengthening your security protocols, you can protect your business, your customers, and your reputation in an increasingly digital world.
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free