Australian federal government opens consultation on mandatory ransomware reporting obligation for businesses


Under the proposal, the all-hazards power of last resort may only be authorised by the Minister for Home Affairs if no existing power is available to support a fast and effective response. Among the long list of safeguards, the paper states that, before exercising the power, the minister must consult with the affected entity and must be satisfied that the responsible entity is unwilling or unable to address the consequences that prejudice the socioeconomic stability, national security or defence of Australia.

Simplify how government and industry share information

The government is proposing a revision of the ‘protected information’ definition currently in the SOCI Act as it is broad and has led to varying interpretations by industry and government. It proposes that the definition be given greater clarity and specificity. The government is also proposing the clarification of disclosure provisions to allow entities to disclose information for the purpose of the continued operation of, or mitigation of risks to, an asset.

Review and remedy powers to Home Affairs

This proposes to introduce a formal, written directions power (in Part 2A of the SOCI Act) for use when the Secretary of Home Affairs forms a reasonable belief that an entity's critical infrastructure risk management program (CIRMP) is seriously deficient and the deficiency carries a material risk to the socioeconomic stability, defence or national security of Australia, or when there is a severe and credible threat to national security; in either case, the Secretary must also be satisfied that the direction is likely to compel an effective response to address that risk.

Align telco providers to the same standards as other critical infrastructure providers

This last one is due to the telecommunications sector currently being regulated under both the SOCI Act and the Telecommunications Act. The government therefore proposes to consolidate security regulation for the telecommunications sector under the SOCI Act.

This will mean the security obligations in Part 14 of the Telecommunications Act, including the security obligation and the notification obligation, will move to the SOCI Act. Any ‘SOCI-like’ obligations currently applied under the Telecommunications Act will be repealed and re-enacted under the SOCI Act. The new framework will harmonise the current security obligation and notification obligation into a new Telecommunications Security and Risk Management Program (TSRMP) within the SOCI Act. The intent is to minimise duplication and to make the obligations scalable.

Home Affairs will accept submissions to the Cyber Security Legislative Reforms consultation paper until 5pm AEDT, Friday 1 March 2024; submissions can be made via the consultation online form.
