Australian cyber security reform

31 August 2021

According to a federal government estimate, cyber attacks on Australian businesses cost the Australian economy $29 billion each year. Malware attacks, which involve the installation of malicious software on systems, are said to pose the largest cyber threat. The Australian Signals Directorate predicts that cyber attacks will increase in the years to come, as the rise of remote working arrangements often weakens system security.


Proposed reforms

In response to the worsening situation, the federal government launched a cyber security reform program in 2020, its “Cyber Security Strategy 2020”. As part of this program, it released a discussion paper in July 2021 titled “Strengthening Australia’s cyber security regulations and incentives”.

The discussion paper details that the federal government is proposing to introduce the following reforms in order to strengthen existing frameworks and fill regulatory gaps:

  • new governance standards for big businesses, to complement existing obligations;
  • mandatory baseline security features for smart devices based on international standards;
  • new transparency requirements for smart devices such as star rating and expiry date labels;
  • voluntary cyber security health check programs for small businesses;
  • minimum security controls for the protection of personal information, which may take the form of an enforceable security code under the Privacy Act 1988 (Cth); and
  • new and clearer remedies for consumers under consumer and privacy legislation.


In addition, the federal opposition recently introduced its Ransomware Payments Bill 2021 to the Senate. If passed, Commonwealth entities, State and Territory agencies, corporations and partnerships that make a “ransomware payment” will be required to notify the Australian Cyber Security Centre in writing as soon as reasonably practicable. The Bill prescribes particular details that must be included in the notice and imposes a civil penalty for non-compliance.


Considerations for businesses

Businesses should implement the best practice measures recently outlined by ASIC in its current proceedings against an Australian financial services provider, which ASIC claims breached its obligations by failing to implement adequate cyber security measures. ASIC outlined that the provider should have implemented, among others, the following measures as part of its risk management framework:

  • account lock-out policies for failed log-ins;
  • increased password complexity requirements;
  • multi-factor authentication;
  • cyber security training;
  • email filtering; and
  • application whitelisting.
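The first control in that list, an account lock-out policy for failed log-ins, is straightforward to get subtly wrong (counters that never expire, locks that can be extended indefinitely by an attacker, credential checks that still run while the account is locked). The following sliding-window lock-out is an added illustration written for this page; it is not code from ASIC, the provider in the proceedings, or the article's author. The thresholds (5 failures, 15-minute window, 15-minute lock) and the user names are assumed for the example.

```python
"""Sliding-window account lock-out for failed log-ins (added illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
import time


@dataclass
class LockoutPolicy:
    # Assumed thresholds for the example; tune to your own risk appetite.
    max_failures: int = 5        # failures tolerated inside the window
    window_seconds: int = 900    # sliding window over which failures are counted
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                             # 0.0 means not locked


class LoginGuard:
    """Tracks failed log-ins per account and enforces a temporary lock-out."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock  # injectable so the behaviour can be exercised deterministically
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, username: str) -> _AccountState:
        return self._accounts.setdefault(username, _AccountState())

    def _prune(self, state: _AccountState, now: float) -> None:
        # Drop failures that have fallen outside the sliding window.
        cutoff = now - self.policy.window_seconds
        state.failures = [t for t in state.failures if t > cutoff]

    def is_locked(self, username: str) -> bool:
        state = self._state(username)
        now = self.clock()
        if state.locked_until > now:
            return True
        if state.locked_until:
            # The lock has expired: clear it and start the count afresh.
            state.locked_until = 0.0
            state.failures.clear()
        return False

    def record_failure(self, username: str) -> bool:
        """Register a failed log-in. Returns True if this failure triggered a lock-out."""
        if self.is_locked(username):
            return False  # already locked; do not let further attempts extend the lock
        state = self._state(username)
        now = self.clock()
        self._prune(state, now)
        state.failures.append(now)
        if len(state.failures) >= self.policy.max_failures:
            state.locked_until = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful log-in resets the failure count (it does not clear an active lock)."""
        self._state(username).failures.clear()

    def attempt(self, username: str, verify: Callable[[], bool]) -> str:
        """Gate a log-in: returns 'locked', 'success' or 'failure'.

        The credential check is skipped entirely while the account is locked, so a
        correct guess during the lock-out neither succeeds nor leaks anything.
        """
        if self.is_locked(username):
            return "locked"
        if verify():
            self.record_success(username)
            return "success"
        self.record_failure(username)
        return "failure"


class FakeClock:
    """Deterministic clock for the walkthrough below."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Constructed scenario: five bad passwords lock 'alice'; the lock expires after 15 minutes."""
    clock = FakeClock(1_000.0)
    guard = LoginGuard(LockoutPolicy(), clock)
    results = []
    for _ in range(5):                                  # five wrong passwords, 10 s apart
        results.append(guard.attempt("alice", lambda: False))
        clock.advance(10)
    results.append(guard.attempt("alice", lambda: True))  # right password, but locked
    clock.advance(900)                                    # lock-out period elapses
    results.append(guard.attempt("alice", lambda: True))  # now accepted
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. A lock keyed on the username alone lets an attacker lock legitimate users out by deliberately failing their log-ins, so in practice this is paired with per-source rate limiting rather than used on its own. And because the counter is a sliding window rather than a lifetime total, a handful of genuine typos spread over a day never accumulate into a lock-out, while a burst of guesses does.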

Further, in light of the reforms proposed by both the federal government and the opposition, businesses should confirm which regulatory regimes they are governed by and keep track of legislative changes that will affect them.


This article provides general comments only. It does not purport to be legal advice. Before acting on the basis of any material contained in this article, we recommend that you seek professional advice.




Jacqui Ballard, Lawyer in our Transactions Team

Direct Telephone:  +61 8 8210 2284