- Sets the additional information categories that a ransomware payment report must contain to the extent known or reasonably findable within 72 hours.
The Act covers more than one workflow: smart-device security standards for relevant connectable products, ransomware payment reporting for reporting business entities, voluntary incident coordination, and Cyber Incident Review Board processes.
Use this page to separate product scope from incident and payment scope before assigning controls, evidence, or reporting work. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
Australia's Cyber Security Act 2024 should not be scoped as a single generic cyber checklist. For implementation teams, the first question is which statutory pathway applies: a consumer-grade relevant connectable product, a manufacturer or supplier obligation, a ransomware payment report by a reporting business entity, or a SOCI Act critical-infrastructure overlap.
The Act creates several separate cyber security regimes. Part 2 deals with security standards for smart devices. Part 3 deals with ransomware payment reporting. Part 4 deals with voluntary information sharing with the National Cyber Security Coordinator for significant cyber security incidents. Part 5 deals with the Cyber Incident Review Board.
A scope decision should therefore name the pathway before naming the control. A product launch may require relevant-connectable-product and consumer-grade analysis. A cyber extortion event may require reporting-business-entity and ransomware-payment analysis. A critical infrastructure incident may also need a separate SOCI Act check.
Under the Act, a relevant connectable product is an internet-connectable product or a network-connectable product that has not been exempted under the rules. An internet-connectable product can connect to the internet using an internet protocol suite communication protocol to send and receive data.
A network-connectable product is not internet-connectable, but can send and receive data by electrical or electromagnetic transmission and meets the Act's direct-connection conditions. That means product teams should document actual connectivity, companion devices, gateways, communication protocols, and whether the product connects directly or indirectly to internet-capable equipment.
The Smart Devices Rules currently prescribe a security standard for consumer-grade relevant connectable products. The class is relevant connectable products intended by the manufacturer to be used, or of a kind likely to be used, for personal, domestic, or household use or consumption.
The specified acquisition circumstance is also important: the products must be acquired in Australia by a consumer. The Rules define consumer by reference to section 3 of the Australian Consumer Law.
The Act uses Australian Consumer Law meanings for manufacturer and supply, with supplier and supplied carrying corresponding meanings. The Smart Devices Rules then apply obligations to covered products through those roles.
For covered products, manufacturers must manufacture in compliance with the applicable security standard when they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances. Suppliers must not supply a non-compliant product in Australia when they have the same awareness, and suppliers must supply the product with a statement of compliance that meets the Rules' requirements.
The ransomware reporting pathway starts only after the entity is inside the Act's reporting-business-entity definition and the incident and payment trigger is met. For non-government businesses, the Act looks to an entity carrying on business in Australia with annual turnover for the previous financial year above the prescribed threshold, excluding Commonwealth or State bodies and excluding responsible entities for critical infrastructure assets from that limb.
A separate limb captures a responsible entity for a critical infrastructure asset to which SOCI Act Part 2B applies. The Ransomware Payment Reporting Rules prescribe a $3 million turnover threshold, with a pro-rated formula where the business operated for only part of the previous financial year.
A ransomware payment scope record should be narrow and factual. It should show why the entity is or is not a reporting business entity, when the payment was made or discovered, what information was known or reasonably findable within the 72-hour reporting period, and who approved the report decision.
The Rules require specific report content: contact and business details including ABN if any and address, incident timing and awareness, impact on infrastructure and customers, ransomware or malware variants if any, exploited vulnerabilities if any, demand details, payment details, communications, and any pre-payment negotiations.
The Cyber Security Act does not supersede the Security of Critical Infrastructure Act 2018. It imports SOCI Act concepts for critical infrastructure asset and responsible entity, and it uses SOCI Act Part 2B status in the reporting-business-entity definition.
The practical result is that SOCI status can bring an organisation into the ransomware payment reporting regime even if the ordinary business-turnover limb does not apply. The same event may also require separate reporting or information provision under SOCI Act Part 2B or another Commonwealth law; the Act states that a Part 3 report does not affect other information-provision requirements.
Use this scope guide to split product, supplier, ransomware payment, and SOCI overlap questions into owners, evidence fields, and review tasks inside Sorena.
Turn product, reporting-entity, payment, and SOCI overlap criteria into scoped questions and evidence requests.
Use Research Copilot to answer follow-up questions with cited Australian source material.
Review scope decisions, owners, evidence records, and next compliance actions with Sorena.