---
url: 'https://www.corbado.com/blog/cyber-security-bill-australia'
title: 'Australian Cyber Security Bill 2024: Impact on Authentication'
description: 'Learn about Australia''s Cyber Security Bill 2024, key components, impacts (on authentication) & how businesses can stay compliant with security requirements.'
lang: 'en'
author: 'Vincent'
date: '2024-10-16T12:32:43.894Z'
lastModified: '2026-03-25T10:00:46.077Z'
keywords: 'cyber security bill'
category: 'Passkeys Strategy'
---

# Australian Cyber Security Bill 2024: Impact on Authentication

## Key Facts

- **Cyber Security Bill 2024**, passed October 9 2024, is one of the world's first
  standalone cyber security laws, positioning Australia as a global cybersecurity leader.
- **Ransomware payment reporting** is required within 72 hours. Businesses that fail to
  report on time face civil penalties for non-compliance.
- The **Cyber Incident Review Board (CIRB)**, established under the bill, assesses
  significant incidents and can request documents from businesses, with penalties for
  refusal.
- Organizations under the **SOCI Act** are expected to reach Essential Eight Maturity
  Level 3, which makes phishing-resistant MFA for customers effectively mandatory.
- The bill aligns with Australia's **Cyber Security Strategy 2023-2030**, aiming to
  establish Australia as a global cybersecurity leader by 2030.

## 1. Introduction: Cyber Security Bill 2024

On October 9, 2024, Australia passed a landmark piece of legislation known as the **Cyber
Security Bill 2024**, which aims to improve the country’s defense against escalating cyber
threats. It’s one of the **first standalone cyber security laws worldwide**.

With increasing reliance on digital services and the rapid growth of sensitive data
exchanges, this bill is a step in ensuring the security of Australian businesses and
[critical infrastructure](https://www.corbado.com/glossary/critical-infrastructure). It also reflects a global
trend: [governments](https://www.corbado.com/passkeys-for-public-sector) worldwide are tightening cybersecurity
laws to safeguard sensitive information and maintain the integrity of essential services.

In this blog, we want to answer the following questions:

1. **What key components are in the Cyber Security Bill?**
2. **What is the impact of the Cyber Security Bill?**
3. **What is recommended now for Australian organizations?**
4. **What effect does the Cyber Security Bill have on authentication?**

Whether you're a business owner, a technology leader, or simply someone interested in
cybersecurity, understanding the implications of this bill is crucial to staying compliant
and secure.

## 2. Key Components of the Cyber Security Bill

First, let’s have a look at the four key components of the Cyber Security Bill.

![security bill components](https://www.corbado.com/website-assets/security_bill_components_fe818477ac.png)

### 2.1 Security Standards for Smart Devices

The Cyber Security Bill mandates that all manufacturers and suppliers of smart devices
(e.g.
[fridges, TVs](https://www.linkedin.com/posts/vincent-delitz_passkey-sdc24-activity-7247873024698273793-W1Ak),
smartphones) comply with strict security standards. These measures aim to ensure that
devices are secure and resilient against [vulnerabilities](https://www.corbado.com/glossary/vulnerability) that
could be exploited by attackers. Failure to meet these standards can lead to enforcement
actions, including **compliance notices, stop orders, and recalls**, ensuring that any
insecure products do not remain on the market.

### 2.2 Ransomware Reporting Obligations

A critical element of the bill is the requirement for businesses to report any
**ransomware payments** within **72 hours** of making them. This obligation is designed to
increase transparency and enhance the [government](https://www.corbado.com/passkeys-for-public-sector)’s ability
to respond to [ransomware](https://www.corbado.com/glossary/ransomware) incidents, thereby reducing their impact.
Companies that fail to report these [payments](https://www.corbado.com/passkeys-for-payment) in the designated
timeframe could face **civil penalties**, underscoring the importance of timely
communication in managing cyber threats.

### 2.3 Protected Use of Incident Information

The bill also establishes protections around the **use of information** that businesses
disclose regarding cybersecurity incidents. Specifically, data voluntarily shared with
authorities, such as the **National Cyber Security Coordinator** or the **Australian
Signals Directorate (ASD)**, is **shielded from being used** in civil or regulatory
actions against the reporting organization. This provision encourages companies to report
incidents without fear of legal repercussions, fostering greater collaboration between the
private sector and [government](https://www.corbado.com/passkeys-for-public-sector).

### 2.4 Cyber Incident Review Board (CIRB)

The **Cyber Incident Review Board (CIRB)** is a new entity established under the bill to
assess significant cybersecurity incidents and provide recommendations for future
improvements. The CIRB is empowered to **request documents** and other information from
businesses involved in such incidents, ensuring thorough reviews and learning
opportunities. Non-compliance with these requests can result in **penalties**, emphasizing
the importance of transparency and cooperation in enhancing cybersecurity across the
nation.

## 3. What is the Impact of the Cyber Security Bill?

Following the publication of the Essential Eight framework, the **Cyber Security Bill of
2024** is a landmark piece of legislation, notable for being the **world's first
standalone cyber security law**. By setting this precedent, Australia has positioned
itself at the forefront of global cybersecurity efforts, demonstrating its commitment to
addressing modern cyber threats and [vulnerabilities](https://www.corbado.com/glossary/vulnerability). This
move signals to other nations the importance of dedicated, comprehensive legislation to
fight digital threats.

The bill is part of a larger strategic vision, laid out in Australia’s **Cyber Security
Strategy 2023-2030**, which aims to establish the country as a **global leader in
cybersecurity** by 2030.

## 4. Recommendations for Australian Organizations

The Cyber Security Bill of 2024 significantly impacts how organizations in Australia
manage their cybersecurity practices, especially those operating in critical sectors such
as finance, [healthcare](https://www.corbado.com/passkeys-for-healthcare),
[telecommunications](https://www.corbado.com/blog/telstra-passkeys), and other industries handling sensitive or
business-critical data. Here is a breakdown of the implications and recommended actions
for compliance:

### 4.1 Who Is Affected by the New Cyber Security Bill?

The law applies broadly across various sectors, with a particular focus on:

- **Critical Infrastructure Providers**: Organizations classified under the **Security of
  Critical Infrastructure Act (SOCI Act)**, including utilities,
  [healthcare](https://www.corbado.com/passkeys-for-healthcare) providers, financial institutions, and
  [telecommunications](https://www.corbado.com/blog/telstra-passkeys) companies (e.g.
  [Telstra](https://www.corbado.com/blog/telstra-passkeys)), are required to adhere to stricter security
  standards and reporting obligations.
- **Manufacturers and Suppliers of Smart Devices**: Businesses involved in the production,
  distribution, or sale of smart devices must ensure their products comply with the
  specified security requirements to avoid legal action.
- **Entities at Risk of Ransomware Attacks**: Any organization that might be susceptible
  to [ransomware](https://www.corbado.com/glossary/ransomware) attacks, particularly those holding sensitive data
  (e.g. myGov), will need to adhere to new reporting obligations when
  [ransomware](https://www.corbado.com/glossary/ransomware) incidents occur.

### 4.2 Recommendations for Compliance and Risk Mitigation

Let’s analyze what is now recommended for these organizations.

![steps compliance](https://www.corbado.com/website-assets/steps_compliance_4bd59fc417.png)

#### 4.2.1 Update Security Standards for Smart Devices

Organizations producing or supplying smart devices should:

- **Review and Enhance Security Protocols**: Ensure that your devices meet the latest
  cybersecurity standards mandated by the law. This may involve implementing stronger
  authentication (e.g. [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA), security patches,
  and regular software updates.
- **Establish Compliance Monitoring**: Set up internal monitoring systems to ensure
  ongoing compliance and to quickly identify any potential non-compliance issues before
  they escalate.

#### 4.2.2 Prepare for Ransomware Reporting Obligations

To meet the new **72-hour ransomware reporting requirement**, organizations should:

- **Develop a Clear Incident Response Plan**: Update your existing incident response plans
  to include specific steps for handling ransomware attacks. Ensure the plan outlines how
  to detect, report, and mitigate ransomware threats promptly.
- **Designate a Reporting Team**: Identify a team responsible for liaising with the
  **National Cyber Security Coordinator** and other relevant authorities to ensure timely
  and accurate reporting in the event of a ransomware attack.

#### 4.2.3 Enhance Risk Management Programs

For organizations regulated under the **SOCI Act**, it's essential to:

- **Expand Risk Management Practices**: Update existing risk management programs to
  include provisions for **critical data storage systems**. This includes assessing
  current security measures, identifying [vulnerabilities](https://www.corbado.com/glossary/vulnerability), and
  ensuring compliance with the new standards.
- **Implement Comprehensive Training**: Regularly train staff on updated security
  protocols and incident response procedures to minimize human error and improve overall
  system security.

#### 4.2.4 Collaborate and Share Information Securely

With the introduction of the **Cyber Incident Review Board (CIRB)** and enhanced
information-sharing mandates, organizations should:

- **Foster Collaboration**: Work closely with industry partners, the **Australian Signals
  Directorate (ASD)**, and [government](https://www.corbado.com/passkeys-for-public-sector) bodies to improve
  overall cybersecurity posture. Sharing insights and best practices can help mitigate
  risks across the sector.
- **Establish Data Governance Practices**: Ensure that any shared cybersecurity
  information is managed securely, with protocols that maintain data integrity and
  confidentiality. Use the legal protections provided by the bill to encourage transparent
  and responsible data-sharing without fear of legal exposure.

## 5. How the Cyber Security Bill Affects Authentication

The **Cyber Security Bill of 2024** does not explicitly mandate the use of multi-factor
authentication (MFA) across all sectors. However, the bill does require enhanced security
measures for businesses and [critical infrastructure](https://www.corbado.com/glossary/critical-infrastructure),
aligning with global best practices in cybersecurity. In particular, it emphasizes
**minimum cybersecurity standards** for organizations that handle sensitive data or fall
under [critical infrastructure](https://www.corbado.com/glossary/critical-infrastructure) sectors like finance,
[telecommunications](https://www.corbado.com/blog/telstra-passkeys), and [healthcare](https://www.corbado.com/passkeys-for-healthcare).

While MFA is not mentioned explicitly, organizations are expected to adopt
**strong authentication mechanisms**, including (phishing-resistant) MFA, as part of these
enhanced security protocols to comply with the new standards. This expectation arises from
the bill’s push for stricter controls on data access and protection, making MFA a logical
and recommended part of any robust cybersecurity strategy.

Moreover, businesses that fail to meet these updated standards, including implementing
appropriate authentication methods, risk facing fines and penalties for non-compliance.

This is especially true because organizations addressed by SOCI are likely to be
classified at [Essential Eight Maturity Level 3](https://www.corbado.com/blog/essential-eight-passkeys-mfa), the
highest level of cybersecurity maturity defined by the Australian Cyber Security Centre
(ACSC). At this level, organizations are strongly encouraged to implement robust security
measures, including [phishing](https://www.corbado.com/glossary/phishing)-resistant multi-factor authentication
**also for their customers**, to protect against sophisticated cyber threats.

![essential eight maturity levels](https://www.corbado.com/website-assets/essential_eight_maturity_levels_aa2b11d083.jpg)

Therefore, [strong customer authentication](https://www.corbado.com/faq/sca-psd2-importance) requirements and
recommendations are not just advisable but effectively mandatory for these critical
infrastructure providers to comply with both the Cyber Security Bill and the SOCI Act.

## 6. Conclusion

The **Cyber Security Bill of 2024** is a critical step toward improving Australia’s
resilience against cyberattacks. For Australian organizations, the implications are clear:
stronger security measures are no longer optional but a legal requirement. Whether you're
upgrading your authentication systems to meet **MFA** standards or improving your overall
data protection strategies, staying compliant with this new law will be essential for the
future of secure digital services in Australia.

By understanding the requirements of this bill and proactively strengthening your security
protocols, you can protect your business, your customers, and your reputation in an
increasingly digital world.

![authentication takeaway](https://www.corbado.com/website-assets/authentication_takeaway_eeb919280d.png)

## Frequently Asked Questions

### What does the Australian Cyber Security Bill 2024 require businesses to do when they pay a ransom?

Businesses must report any ransomware payment to authorities within 72 hours of making it.
Missing this deadline can result in civil penalties, so organizations should designate a
reporting team and update their incident response plans before an attack occurs.

### Does the Australian Cyber Security Bill 2024 explicitly mandate multi-factor authentication?

The bill does not explicitly name MFA but requires enhanced security measures and minimum
cybersecurity standards for organizations handling sensitive data. Organizations covered
by the SOCI Act are expected to operate at Essential Eight Maturity Level 3, making
phishing-resistant MFA for both staff and customers effectively mandatory.

### What legal protections exist for Australian organizations that voluntarily report cybersecurity incidents?

Information voluntarily shared with authorities such as the National Cyber Security
Coordinator or the Australian Signals Directorate is shielded from use in civil or
regulatory actions against the reporting organization. This protection is designed to
encourage transparency and reduce the fear of legal repercussions when disclosing
incidents.

### Which sectors in Australia are most affected by the Cyber Security Bill 2024?

The bill places the heaviest obligations on critical infrastructure providers classified
under the SOCI Act, including utilities, healthcare providers, financial institutions and
telecommunications companies. Manufacturers and suppliers of smart devices are also
directly affected, as their products must meet mandated security standards or face
compliance notices, stop orders and recalls.
