Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

Australia’s Cyber Security Strategy in action – three new draft laws published
https://privacymatters.dlapiper.com/2024/10/australias-cyber-security-strategy-in-action-three-new-draft-laws-published/
Fri, 11 Oct 2024 05:20:34 +0000

It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

          The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

          A report will need to be made to the Department of Home Affairs within 72 hours if the following criteria are met:

          • a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
          • an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
          • the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

          Some Australian businesses will be exempt from the reporting requirement if their annual turnover falls below an as-yet unspecified amount.

          A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

          Cyber Review Board

              Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.

              Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses. 

              The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

              Limited Use Exception

              A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

              The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

              Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.

              The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD by an impacted entity during a cyber security incident, as well as information which is provided on behalf of the impacted entity (such as by its external advisors).

              Mandatory security standards for smart devices

              The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

              Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

              The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

              Security of Critical Infrastructure

              The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

              The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia. 

              The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

              Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

              We will provide further updates once these Bills are passed. 

              Australia: Anti-scam measures and ransomware reporting on the agenda
              https://privacymatters.dlapiper.com/2024/09/australia-anti-scam-measures-and-ransomware-reporting-on-the-agenda/
              Wed, 11 Sep 2024 13:16:06 +0000

              Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.

              Scam Code Act

              In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will be introducing a new Scam Code Act.

              This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:

              • platforms to verify their advertisers;
              • banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
              • carriers to take certain measures to prevent scams being spread by SMS;
              • companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
              • all companies to maintain a “scams defence plan” to assist customers.

              It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.  

              Other cyber security measures  

              As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to combat existing gaps in regulation, consultation was sought on the following proposed measures:

              • mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
              • creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;
              • creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
              • establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

              The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.

              Imminent Changes to Singapore’s Cybersecurity Act: New Obligations on Service Providers
              https://privacymatters.dlapiper.com/2023/12/imminent-changes-to-singapores-cybersecurity-act-new-obligations-on-service-providers/
              Thu, 28 Dec 2023 11:42:11 +0000

              Since the enactment of Singapore’s Cybersecurity Act (Act) in August 2018, the digital battlefield has transformed dramatically. The nation’s move towards digitalisation has not only spurred the growth of Singapore’s digital economy but also brought new cyber threats and challenges to the fore.

              Given this, the Cyber Security Agency of Singapore (CSA) launched a public consultation on the draft Cybersecurity (Amendment) Bill (Draft Bill) on 15 December 2023 to address the evolving cyber threat landscape. The public consultation will close on 15 January 2024.

              Key changes proposed in the Draft Bill

              • Introducing a new category of “non-provider-owned Critical Information Infrastructure (CII)”: The Draft Bill acknowledges the paradigm shift in the business models of essential service providers, which are increasingly leveraging third-party vendors’ computer systems rather than owning their own CIIs.

                The Draft Bill distinguishes between conventional “provider-owned CII” (Provider-owned CII) and “non-provider-owned CII” (Non-provider-owned CII).

                Under the new Part 3A of the Draft Bill, essential service providers utilising Non-provider-owned CII will be ultimately responsible for the cybersecurity of Non-provider-owned CII. They will be required to obtain legally binding commitments from their computing vendors to ensure that they can fully meet their cybersecurity obligations under the Draft Bill.
              • Broadening incident reporting requirements for CIIs: The CSA is proposing to expand the incident reporting framework to improve its awareness of cyber threats.

                The current focus of the Act is on CIIs and their connected systems. The Draft Bill aims to extend the notification requirements to the Commissioner of Cybersecurity (Commissioner) to include incidents involving other computers or computer systems which are controlled by owners or essential service providers (as the case may be), regardless of whether those systems are interconnected to or communicate with CIIs.
              • Widening oversight of the Commissioner beyond CII owners: The CSA proposes broadening its regulatory reach beyond owners of CIIs to include other pivotal systems that underpin Singapore’s cyber ecosystem. The Draft Bill introduces three new categories for CSA oversight:
                • Foundational Digital Infrastructure (FDI): This category includes digital infrastructure, namely cloud computing and data facility services that enhance the availability, latency, throughput, or security of digital services, which, while not currently designated as CII, are integral to Singapore’s technology stacks. The compromise of these FDI could have a cascading effect on a wide range of systems.

                  The Commissioner will designate a provider as a “major FDI service provider” if the Commissioner is satisfied that the FDI service is provided to or from Singapore, and its impairment or loss could lead to or cause disruption to a large number of businesses or organisations. If passed, these provisions are likely to affect leading data centre operators and cloud service providers in the market.
                • Entities of Special Cybersecurity Interest (ESCI): These are entities that handle sensitive data or perform critical functions for Singapore that, if disrupted, would have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, safety, or order. For example, entities collaborating with the Singapore Government and holding sensitive data may potentially fall under the ambit of the provisions.
                • Systems of Temporary Cybersecurity Concern (STCC): These are computer systems that are temporarily critical to the nation’s interests, for instance, when they provide support for key international events like the World Economic Forum. Such systems are at heightened risk of cybersecurity threat or incident that would have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, safety or order of Singapore.

                  The Commissioner may designate a system as an STCC for up to one year with the option for extensions, which differs from the typical 5-year term for other designations.

                  Generally speaking, regardless of categorisation, designated providers/entities under these new categories are expected to adhere to duties comparable to those imposed on CII providers, including providing the Commissioner with system information, complying with prescribed codes of practice and standards, and notifying the CSA of relevant cybersecurity incidents.

                  Notably, while non-compliance with obligations concerning FDI and ESCI might result in financial penalties, the Draft Bill proposes that non-compliance in relation to an STCC would be a criminal offence.
              • Expanding jurisdiction to cover offshore CIIs and FDIs: The CSA has proposed to confer power upon the Commissioner to designate computers or computer systems as CIIs/major FDIs, even if the computer systems are located wholly outside Singapore. 

                Providers which have infrastructure offshore may soon be caught by the expanded territorial scope if the Bill is passed unamended.

              Conclusion

              The Draft Bill represents a proactive and adaptive response by the CSA to the dynamic and rapidly evolving cybersecurity landscape and associated challenges.

              Companies in the business of digital infrastructure and systems may soon find that they will be subject to new and onerous obligations under the CSA, thereby increasing compliance cost. It is vital for businesses to remain agile and adopt proactive measures to steer through the evolving regulatory waters.

              The Draft Bill may be accessed here: cybersecurity-(amendment)-bill-2023_for-public-consultations.pdf (csa.gov.sg)

              Please contact Carolyn Bigg (Partner), Lauren Hurcombe (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

              DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

              Australia: Cyber security round-up – new Cyber Security Strategy, data breach stats and more
              https://privacymatters.dlapiper.com/2023/03/australia-cyber-security-round-up-new-cyber-security-strategy-data-breach-stats-and-more/
              Fri, 03 Mar 2023 12:34:21 +0000
              Author: Sarah Birkett

              Cyber Security Strategy discussion paper launched

              This week saw the launch of a discussion paper for the Australian Government’s 2023-2030 Australian Cyber Security Strategy. The discussion paper refers to the lofty aim of making Australia the most cyber secure nation by 2030.

              The discussion paper, which acknowledges that the Australian Government was “ill-equipped” to respond to the large scale data breaches which occurred in 2022 (namely Medibank and Optus), emphasises the importance of protecting customer data and ensuring that Australians can continue to access critical services in the event of a cyber-attack.

              One of the core policy areas that will be addressed in the Strategy is the “enhancement and harmonisation of regulatory frameworks”. Several options are being considered to give effect to this, including:

              • Development of best practice cyber security standards;
              • New laws, such as a Cyber Security Act, to provide a more explicit specification of cyber security obligations;
              • Expansion of the existing Security of Critical Infrastructure Act to include customer data and systems within the definition of critical assets. This proposal is particularly controversial given the power for the Australian Signals Directorate to “step-in” and control critical assets as a measure of last resort under that Act; and
              • A single reporting portal for all cyber incidents, to harmonise the existing requirements to report separately to multiple regulators.

              Additional policy areas identified for further consideration in the discussion paper include:

              • Developing national frameworks to respond to major incidents, including the development of fit-for-purpose approaches to incident management and coordination and ensuring that post-incident reviews of major incidents are conducted and root cause findings shared.
              • Designing and sustaining security in new technologies, such as quantum computing, IoT and AI, each of which have the potential to significantly impact, and be impacted by, cyber security issues.
              • Supporting Australia’s cyber security workforce and skills pipeline.

              The Strategy is expected to be finalised by the end of 2023. An Expert Advisory Board has been established to assist with development of the Strategy, and is inviting consultations on the areas outlined in the discussion paper until 15 April 2023.

              Establishment of Cyber Security Coordinator to assist with coordinated responses to cyber attacks

              Since the release of the discussion paper, the Federal Government has announced its intent to establish a national Coordinator for Cyber Security.

              The Coordinator will form part of a broader National Office for Cyber Security and will be responsible for ensuring a “centrally coordinated approach” to cyber security, including coordination of major incidents.

              Latest data breach statistics show that data breaches are on the rise

              The launch of the cyber security discussion paper coincides with the publication of the Office of the Australian Information Commissioner’s latest statistics on the notifiable data breach regime.

              These statistics confirm the commonly held view that data breaches are on the rise in Australia.

              The 6-month period from July to December 2022 saw a 26% increase in the number of data breaches reported against the previous 6-month period. For breaches caused by criminal or malicious attacks, the increase was 46% for the same period. Health care and financial services remain the two highest reporting sectors.

              Significantly, there were five breaches which impacted more than 1 million Australians, with one impacting more than 10 million. Whilst the high-profile incidents affecting Optus and Medibank account for two of these incidents, these statistics highlight that several major data breaches have gone unreported in Australia.

              UK: ICO issues fine of £4.4m to Interserve for security failings
              https://privacymatters.dlapiper.com/2022/10/ico-issue-fine-of-4-4-to-interserve-for-security-failings/
              Tue, 25 Oct 2022 16:30:23 +0000
              Authors: Ross McKean, Henry Pelling

              On 24 October 2022, the ICO issued a penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit).
              The ICO found that Interserve had failed to put appropriate technical and organisational measures in place to secure personal data (in contravention of Articles 5(1)(f) and 32 GDPR) for a period of ~20 months.

              The Incident

              The incident followed what is proving to be a familiar fact pattern. A phishing email, designed to appear as though the attached document needed urgent action, was sent to a group employee. Subsequent download and ZIP extraction resulted in the installation of malware onto the workstation, giving the threat actor access to that workstation (Patient Zero). This was flagged by Interserve’s endpoint protection system, which reported that automatic removal of the malware had been successful. Interserve took no further action to verify this, and the threat actor continued to have ongoing access to the workstation.

              Following initial access, a server was compromised which was then used to “move laterally” within the Interserve estate (i.e., moving from the initial point of compromise to other parts of the victim’s IT estate). In the subsequent days, the threat actor compromised 283 systems and 16 accounts (12 being privileged admin accounts) across the estate. A privileged account was then used by the threat actor to uninstall Interserve’s anti-virus solution to prevent detection of malware used by the threat actor. The attacker then compromised four HR databases containing data of 113k employees and former employees. The databases were encrypted and rendered unavailable to Interserve. Regulatory notification followed to the NCA, the NCSC and the ICO.

              The personal data held on the compromised databases comprised a common HR data set, including employees’ and former employees’: telephone numbers; email addresses; national insurance numbers; bank account details; marital status; birth dates; education; countries of birth; genders; number of dependants; emergency contact information; and salary. The databases also held special category personal data including ethnic origin; religion; details of disabilities; sexual orientation; and health information relevant to ill-health retirement applications. Interestingly, each of these items of information was not necessarily held for each of the 113,000 individuals; rather, these categories of information were recorded in the relevant databases. Under Article 33(1) GDPR an organisation is only obliged to be able to describe the approximate categories and number of personal data records when notifying the ICO, which appears to have been the approach adopted by Interserve.

              Digest of points to note in the MPN

              The MPN is littered with useful insights into ICO enforcement and provides further detail around what the ICO expects with regards to the principle-based obligations in Articles 5(1)(f) and 32 GDPR. We found the following points of particular interest:

              • % of revenue. On the face of it, this is a sizeable fine issued to a non-household-name controller for perceived failings in information security. Dig a little deeper and, in fact, the level of fine appears to be a relatively small percentage of Interserve’s last reported revenues (less than 1/5th of 1%).

              It is nevertheless a significant amount of money, and the reputational damage arising from a public fine was also taken into consideration by the ICO when setting the fine. The fact that the fine is a relatively small percentage of revenues may indicate that the new Information Commissioner, John Edwards, favours a less aggressive approach to enforcement than his predecessor Elizabeth Denham, at least when it comes to setting the level of fine. Lower fines are also less likely to result in successful appeals and to tie up the ICO’s enforcement team with legal arguments.

              A key open legal question remains whether the correct maximum fine when calculating fines under the UK GDPR (NB this MPN was issued under EU GDPR) is either a) the greater of 2% of turnover or £8.7 million; or b) the greater of 4% of turnover or £17.5 million (in each case where turnover is total worldwide annual turnover of the preceding financial year). The ICO has previously taken the position that the higher limit applies though this has not yet been tested on appeal and there are good arguments that the lower maximum should apply.

              • One group controller to rule them all: Interserve was held to be the relevant controller for the purpose of enforcement, regardless of the fact the incident and the security failings were applicable across numerous group companies. Interserve was the parent company, it was responsible for info-sec for the group and employed individuals working in information security. Enforcement against multiple entities in the same group is complicated and time consuming. It is much simpler for the ICO to target the parent company when that company is responsible for info sec for the entire group.
              • Paper-based compliance represents a small and incomplete part of the picture. Central to the decision (and another identified recurring point of failure) was that Interserve had extensive info-sec policies and standards; however, these policies were not implemented, nor were they subject to appropriate oversight (despite the fact that the executive were aware of issues with the Interserve estate). While policies and procedures are an essential part of any compliance programme as the “paper shield”, without the resources and budgets needed to implement and oversee them effectively they can become a liability for controllers, providing an easy way for regulators to prove breach. Employee training remains a key consideration for the ICO in the context of post-incident enforcement. The Interserve MPN is yet another reminder of the importance of regular and effective training.
              • Period for assessing duration of infringement / enforcement: the “relevant period” for the ICO’s assessment of the duration of the infringement was held to start at the time Interserve became the relevant controller (following the winding up of another group company) and did not end until remediation was complete. This emphasises the importance of remediating any gaps in security measures promptly to meet the legal standard of care. Any delay to remediation will extend the duration of the infringement, aggravating the risk of fines and also potentially compounding losses caused to data subjects. The MPN also provides an insight into the timing of, and procedural steps around, ICO enforcement. The Notice of Intent was not served on Interserve until almost 2 years after the Article 33 notification was made to the ICO. A month later, Interserve provided written representations in response to that notice. The ICO updated the notice and invited supplemental representations, which were made by Interserve. The final procedural step was an ICO meeting ~4 weeks before the MPN was published.
              • What was the risk of harm to the individuals? An eagle-eyed reader may question what the risk to the data subjects was here. There was no evidence of exfiltration, and one view may be that the threat actor applied encryption in an attempt to extort money from, or cause nuisance to, Interserve rather than to cause harm to the individuals (e.g., fraud).

              The ICO found that all the data subjects had their personal data processed unlawfully and that the processing had the potential to cause concern, anxiety and stress, because: (a) the data had been accessed by criminal actors with malicious intent; (b) the personal data compromised included data which is commonly used to facilitate identity/financial fraud (home addresses, bank account details, pay slips, passport data and national insurance numbers); (c) special category data was compromised, which is particularly sensitive (per Recital 51): while employees may be content to share this data with their employer, they would not want it accessed by malicious individuals; (d) the compromised data included salary details, which enable social and financial profiling and are dangerous in the hands of threat actors; and (e) while there was no evidence of exfiltration, the ICO could not rule out this possibility, and the risk of exfiltration remained significant as privileged accounts could exfiltrate data, advanced groups can prevent detection of exfiltration, and measures that can identify exfiltration (firewall filtering and logging) were not implemented until after the incident.

              • What should you be discussing with your Info-Sec team? While the ICO MPN does not necessarily reflect the legal standard of care (as the ICO does not make the law) it is an indication as to the ICO’s view as to the legal standard of care at the date of the incident. In particular, the ICO considers that the following gaps and deficiencies fell short of the legal standard of care required by Articles 5(1)(f) and 32 GDPR:
                • outdated operating systems/protocols;
                • inadequate end point protection (outdated / firewalls not enabled);
                • no pen tests conducted for two years prior to the incident;
                • inadequate investigation by the info-sec team; and
                • poor privileged account management.

              It would be prudent for organisations to check that their own IT estates do not suffer from the same shortcomings. As with previous decisions, regulatory guidance and standards (NIST / NCSC) continue to be an appropriate benchmark. The MPN strongly implies that Interserve spent considerable amounts to remediate in accordance with ICO expectations. Remediation before a cyber incident is invariably less costly, stressful and damaging to an organisation’s reputation and balance sheet than remediation after a cyber incident.

              We continue to frequently advise clients both on incident response together with pro-active cyber assurance and resilience. If you need any advice in this area, please do reach out to your DLA contact.

              Authors: Ross McKean (Partner and co-chair of the UK data protection and cyber security practice) and Henry Pelling (Senior Associate in the DLA data protection and cyber security practice).
