Corporate & Commercial 04 March 2025

Defending Against Cyber Threats: Legal Obligations & Best Practices


Cybersecurity threats are an ever-present risk for businesses operating in Australia, with data breaches, ransomware attacks, and other cyber incidents on the rise. Businesses must comply with legal obligations to both prevent cyberattacks and manage their impact when they happen.

This article outlines the key legal requirements and practical tips for businesses to defend against cyber threats.

  1. The Legal Obligations: Cybersecurity Prevention and Management

Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

The Privacy Act 1988 (Cth) applies to Australian Government agencies and private sector and not-for-profit organisations with an annual turnover of more than $3 million, requiring that they comply with the Australian Privacy Principles (APPs). These principles mandate that businesses must:

  • Take reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure (APP 11).
  • Ensure security controls align with industry standards to safeguard sensitive data.

Notifiable Data Breaches (NDB) Scheme

  • The NDB scheme, part of the Privacy Act, requires certain entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm.

ASIC, ASX, and APRA Requirements

  • ASIC (Australian Securities and Investments Commission) and ASX Listing Rules: Publicly listed companies must disclose material cybersecurity risks under continuous disclosure obligations.
  • APRA (Australian Prudential Regulation Authority): APRA-regulated financial institutions must comply with Prudential Standard CPS 234, which sets cybersecurity standards, including the need for robust information security frameworks.

Cyber Security Act 2024 (Cth)

In November 2024, the Australian government enacted the Cyber Security Act 2024, which introduced several key obligations:

  • Mandatory Reporting of Ransomware Payments: Businesses with an annual turnover of $3 million or more that experience significant cyber incidents (e.g. incidents that materially impact operations or compromise critical infrastructure), and choose to make a ransomware payment, must report it to the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours of making the payment. Reporting is required even if the payment is made by a third party on behalf of the business.

The ASD has a limited use obligation to ensure that any information voluntarily provided by businesses during a cyber incident is used solely for cybersecurity purposes and cannot be leveraged for regulatory action or enforcement, unless specific conditions are met (see the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024).

  • Mandatory Reporting of Cyber Incidents: Designated entities, including critical infrastructure operators, must report significant cyber incidents to the National Cyber Security Coordinator (NCSC) promptly. Information shared with the NCSC during a cyber incident is protected under a limited use obligation, meaning it cannot be used for regulatory action or as evidence in civil or criminal proceedings against the entity, except in specific circumstances.
  • Minimum Security Standards for Smart Devices: Businesses involved in the manufacturing, importing, or selling of smart devices (including Internet of Things (IoT) and connected devices) are required to ensure these products meet specified security criteria.
  • Stricter Security Standards for IT and Cloud Infrastructure: Businesses must implement stronger security controls across IT networks, cloud environments, and third-party systems, including:
    • Robust access controls.
    • Regular security assessments.
    • Ensuring third-party service providers adhere to stringent cybersecurity standards.
  • Cyber Incident Review Board (CIRB): This independent advisory body conducts “no-fault” post-incident reviews of significant cyber incidents to share lessons learned and improve overall cyber resilience. While businesses are expected to cooperate with the CIRB, providing information is not mandatory unless specifically requested under legal provisions.

Security of Critical Infrastructure Act 2018 (Cth) and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth)

Certain businesses in critical infrastructure sectors (e.g., telecommunications, energy, financial services, and healthcare) are required to:

  • Report cybersecurity incidents to the Australian Cyber Security Centre (ACSC).
  • Maintain risk management programs for cybersecurity threats.
  • Cooperate with government agencies in the event of a cyber crisis.

  2. Practical Tips for Businesses

Failing to take reasonable cybersecurity precautions may expose businesses to regulatory penalties, civil liability claims, and reputational damage. Directors and officers could also be held personally liable if cybersecurity risks are not appropriately managed.

Cybersecurity Prevention Strategies

  • Implement Strong Access Controls: Use multi-factor authentication (MFA) and role-based access controls to restrict system access.
  • Regularly Update Software: Ensure all software, operating systems, and security patches are up to date.
  • Conduct Employee Training: Train staff on identifying phishing attempts and safe data handling practices.
  • Perform Regular Risk Assessments: Identify vulnerabilities and implement appropriate security measures.
  • Use Encryption and Backups: Encrypt sensitive data and maintain regular backups to prevent data loss.

Cybersecurity Incident Response Best Practices

  • Develop an Incident Response Plan: Establish clear protocols for identifying, reporting, and containing cyber threats. Businesses should document all steps taken to manage the incident, as regulatory bodies may request evidence of compliance.
  • Engage External Experts: Partner with cybersecurity firms to provide rapid response and forensic analysis.
  • Communicate Transparently: If a breach occurs, inform stakeholders, regulators, and affected individuals promptly.
  • Review and Learn: Conduct post-incident reviews to strengthen future cybersecurity defences.

By understanding and adhering to these legal requirements and implementing strong cybersecurity practices, businesses can mitigate risks, comply with regulations, and protect their sensitive data from cyber threats.

If you would like more information or help with your cybersecurity prevention and response strategies, please contact our Intellectual Property Team on 03 5273 5271 or by email to info@coulterlegal.com.au.

Erica Huntley, Special Counsel, Corporate & Commercial
