VICDOC Autumn 2025 - Magazine - Page 73
THE NEW CYBER SECURITY ACT
The second legislative change is a new law, the Cyber Security Act 2024 (Cth). The Cyber Security Act is the first Australian law specifically designed to strengthen cyber security across the whole of the Australian public and private sectors.

The Cyber Security Act introduces a new requirement that is relevant to large healthcare providers who experience a cyber security incident.

The Cyber Security Act requires organisations which suffer a cyber security incident and make a ransom payment to the hacker to report that payment to the Australian Signals Directorate within 72 hours of making the payment. While payments to hackers are most commonly made in response to a ransomware attack, the requirement applies to any cyber security incident in which a ransom is paid – for example, it would also apply where a ransom is paid to stop stolen data being published by the hacker.

The report must include details of the incident, the amount of the payment, and details of any communications with the threat actor. To encourage compliance with this reporting requirement, the Cyber Security Act also contains restrictions on how the information in these reports may be used. In particular, information provided under the Cyber Security Act may not be used to investigate or take enforcement action in relation to the contravention of any law by the organisation, and may not be used as evidence in any civil or criminal proceeding.

The ransom payment reporting obligation comes into effect from 29 May 2025, and will only apply to organisations with an annual turnover above a specified threshold, which is proposed to be A$3 million.

Any organisation that fails to notify a ransom payment may be subject to a penalty of up to A$19,800.

Level 9 | 360 Elizabeth Street
Melbourne Victoria 3000
Australia
T: +61 3 9498 6699
kennedyslaw.com