Advisory Report on the Cyber Security Legislative Package 2024

REPORT - November 2024

List of recommendations

6.11 The Committee recommends that, subject to implementation of the recommendations in this report, the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 be passed by the Parliament.

6.27 The Committee recommends that the Australian Government ensure that ransomware reporting mechanisms are as user friendly and accessible as possible for the range of businesses subject to the Cyber Security Bill 2024’s reporting obligations, and that the Australian Government continues to prioritise work to minimise duplication in cyber security incident reporting requirements for all businesses.

6.30 The Committee recommends that the Australian Government ensure that the Department of Home Affairs and the Australian Signals Directorate are given adequate resources to educate businesses about the proposed ransomware reporting obligations and to provide clear guidance on interpretation of the legislation.

6.32 The Committee recommends that the Cyber Security Bill 2024 be amended to ensure that the proposed ransomware reporting obligations apply only to the extent that a ransomware incident relates to the reporting business entity’s operations in Australia.

6.39 The Committee recommends that the Explanatory Memorandum to the Cyber Security Bill 2024 be amended to remove the statement that standing members of the Cyber Incident Review Board will be members of the public service.

6.42 The Committee recommends that the Cyber Security Bill 2024 be amended to require the Minister to consult the Cyber Incident Review Board before approving the terms of reference for a review.

6.48 The Committee recommends the protections conferred by the 'limited use' provisions be more clearly expressed in the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and associated explanatory memoranda, and that the Department of Home Affairs develop guidance to ensure they are well understood by industry.

6.51 The Committee recommends that the Cyber Security Bill 2024 and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 be amended to make clearer that:

disclosure of information under the ransomware reporting obligation does not amount to a subsequent waiver of legal professional privilege; and

the provisions do not limit or affect any right, privilege or immunity that the reporting entity has in respect to any proceedings.

6.55 The Committee recommends that, in administrative guidance material to support the implementation of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, the Department of Home Affairs provide clear guidance and examples in relation to the intended interpretation and application of key definitions introduced into the Security of Critical Infrastructure Act 2018.

6.60 The Committee recommends that the Cyber Security Bill 2024 be amended to provide that the Committee may (if it resolves to do so) commence a review of the operation, effectiveness and implications of the Cyber Security Act 2024 as soon as practicable after 1 December 2027.

6.69 The Committee recommends that the Minister initiate the independent review of the operation of the Security of Critical Infrastructure Act 2018 required by section 60A of that Act by no later than 1 November 2025.

6.70 The Committee recommends that existing section 60B of the Security of Critical Infrastructure Act 2018 (SOCI Act) be amended to provide that the Parliamentary Joint Committee on Intelligence and Security may (if it resolves to do so) review the operation, effectiveness and implications of the SOCI Act, so long as the Committee begins its review by no later than 2 December 2026.

6.73 The Committee recommends that the Security of Critical Infrastructure Act 2018 be amended to repeal the requirement in section 60AAA for the Department of Home Affairs to provide six-monthly consultation reports to the Committee.
