Are the proposed cyber laws a “turning point”?

Earlier this month, Cyber Security Minister Tony Burke introduced new legislation into the lower house that would result in the country’s first stand-alone cyber security law, the Cyber Security Act.

The new legislation will introduce mandatory reporting for those who have paid a ransom to malicious actors, minimum cybersecurity standards for smart devices and the creation of a Cyber Incident Review Board, all falling under seven sections of the 2023-2030 Australian Cyber Security Strategy.

“The creation of a Cyber Security Act is a long overdue step for our country and reflects the government’s deep concern and focus on these threats,” Minister Burke told the media at the time.

“This legislation ensures we keep pace with emerging threats, putting individuals and businesses in a better position to respond to and rebound from cybersecurity threats.

“To achieve Australia’s vision of becoming a global leader in cybersecurity by 2030, we need a unified effort from government, industry and the community.”

But what do lawyers and industry experts think of the bill? Lawyers Weekly spoke with several seasoned professionals about the bill and its implications for the future.

A “crown jewel of government”?

The bill, declared Norton Rose Fulbright partner Annie Haggar, is a “watershed” for cyber law in Australia.

“While this will not solve our current ‘puzzle’ of cybersecurity laws and regulations, it will provide a framework for the development of the regulations necessary to address the cyber risks our community faces,” she said.

Jason Symons, partner at Mills Oakley, called the proposed changes “very important,” noting that they will foster greater collaboration between affected organizations and the relevant government agencies and promote greater transparency with the public regarding cybersecurity incidents.

Lyn Nicholson, general counsel for Holding Redlich, shared similar sentiments, emphasizing that the bill provides “much-needed clarity and resources” to help businesses deal with growing threats.

The proposed legislation, said John Reeman, Cyooda Security founder and chief information security officer, is “certainly a step in the right direction” and brings things like improved IoT device security closer into line with the EU Cybersecurity Act.

According to Clyde & Co partners Reece Corbett-Wilkins, John Moran, Richard Berkahn and Stefanie Luhrs, the proposed changes “are the jewel in the government’s crown” (and, by extension, that of the Home Affairs team that carried out the consultation and drafting).

“The Cybersecurity Strategy working groups are all to be commended for bringing this project to life; a lot of work has gone into this area, and other jurisdictions around the world are watching it with interest,” the quartet said.

“Fundamentally, these are bold reforms aimed at introducing friction into the cybercrime economy and encouraging increased investment across the board to improve cybersecurity resilience.”

Mandatory reporting

The bill, AUCyber CEO Peter Maloney pointed out, requires entities with revenues exceeding $3 million to report any ransom payment within 72 hours, to improve transparency and allow the government to assess the extent of cybercrime affecting the economy.

Reeman said the 72-hour reporting requirement for ransomware extortion is a good initiative, but added that in his opinion it does not go far enough.

“I have personally helped several small businesses that have fallen victim to ransomware this year,” he said.

“So the reporting threshold ignores the 95 per cent of businesses that fall below the $3 million mark, and they are being targeted as well, so this activity will continue to go unnoticed unless victims report voluntarily, which is unlikely.”

Clyde & Co partners, for their part, noted that the proposed reporting requirements constitute a “compromise” compared with outright banning ransom payments, but added that they “bring the government closer to what it ultimately wants: better data on who is paying (how much and why) and a better chance of tracking down the bad guys after the event.”

All organizations, Haggar advised, should review their incident response plan and include processes “to help meet this tight deadline.”

The reporting requirement, Symons added, means the entity must be properly advised throughout the negotiation process, given that it is illegal to pay a ransom in some cases.

“Entities must also be properly informed of the potential consequences of sharing information and reporting a payment from a legal professional privilege (LPP) perspective,” he said.

“The proposed legislation limits the use of information provided by organizations to the government and protects LPP claims to some extent, but potential waiver of LPP should still be considered.”

Cyber Incident Review Board

The creation of the CIRB, Maloney explained, allows for independent reviews of significant cyber incidents, fostering a culture of learning and improvement within organizations.

The CIRB and its panel of experts are a “commendable” step, noted Symons.

“These reviews are designed to help us learn from past serious incidents so that we can try to prevent, detect, respond to and minimize the impact of similar incidents in the future. However, such reviews will prolong a nightmarish situation for the entity concerned and its staff. Information and documentation will need to be produced,” he said.

“And when the review is announced and the final report is published, the entity may once again face further reputational damage due to the presence of its name in the media. Given these drawbacks, we must hope that the actions recommended in the review will serve the common good.”

Clyde & Co partners considered the CIRB a “welcome idea” but noted that, “given that incident response is rapid, dynamic and highly situation-dependent, the composition of the review board and its experience will be essential.”

Limited Use Disclosure Framework

The bill also introduces limited-use requirements for information shared with the National Cyber Security Coordinator, Maloney said.

“The bill includes a limited-use requirement for information shared with the National Cyber Security Coordinator, ensuring that such information is used only for incident response and not for punitive measures,” he said. This, he added, encourages organizations to share critical information without fear of legal consequences.

Critically, Haggar observed, it is not a “safe harbour” or immunity from investigation or regulatory action, “but it allows for early sharing of information about sensitive incidents that can benefit the Australian community.”

Corporate counsel, she suggested, “should consider working with their CISO and communications team on a responsible disclosure policy to provide a structure for this sharing.”

The proposed limited-use disclosure framework and openness with government in the event of a breach “is not without criticism”, Clyde & Co partners reflected, “nor without some nervousness among Australian directors (particularly those who are the subject of investigations or class actions).”

“But, generally speaking, the IR industry is on board and we’re excited to see how we can make it work,” the quartet said.

Smart device security standards

Another important aspect of the bill, Maloney pointed out, is the introduction of mandatory security standards for smart devices.

This, he said, “aims to protect consumers from cyber threats that exploit IoT vulnerabilities,” adding that the proposed broad definition of “smart devices” “ensures that a wide range of products, from home assistants to connected devices, must adhere to cybersecurity standards.”

According to Haggar, any lawyer advising in this area will need to help clients understand the requirements of the scheme, including statements of compliance, labelling and other elements.

Other thoughts

Generally speaking, Symons noted that given the complexity of the new reporting and information-sharing rules, “these proposals also significantly reinforce the importance of appropriate legal representation within an organization’s incident response team.”

The government and relevant organizations (and their in-house legal teams), he continued, “have aspired to communicate openly for some time – relying largely on the mutual trust and understanding that comes from working side by side on incidents.”

The proposals formalize protections around information sharing that, he said, will greatly help the government and legal advisers respond to an incident “in a way that simultaneously serves the interests of the Australian community and organizations.”

Speaking directly to legal practitioners concerned about the direct impact of the proposed changes on them, the Clyde & Co quartet said: “Encourage clients to engage quickly with these changes, as the uplift work required moving forward will continue into 2025.”

And, on the question of impacts on lawyers themselves, they said: “As law firms generally have an increased propensity to pay ransoms, this will become very relevant to their own incident response processes in the event of a breach and to their preparation efforts.”

Ultimately, Nicholson concluded, a comprehensive approach to cybersecurity reform as set out in the bill “starts the important work flagged” in the 2023-2030 Australian Cyber Security Strategy.

This story was originally published on Cyber ​​Daily’s sister brand, Lawyers Weekly.