Flame Tree’s response to proposed cybersecurity regulations

Published February 12, 2025
by Kat McCrabb

Cybersecurity regulations introduce protections to support incident resilience. Flame Tree welcomes the opportunity to contribute expert insights into new subordinate legislation under the Cyber Security Act and Security of Critical Infrastructure Act 2018 (SOCI Act).

This post outlines our recommendations on three key regulations: the Cyber Security (Security Standards for Smart Devices) Rules 2024, the Cyber Security (Ransomware Reporting) Rules 2024, and the Cyber Security (Cyber Incident Review Board) Rules 2024.

Each of these plays a vital role in enhancing the resilience of Australian businesses and critical infrastructure. However, targeted refinements would ensure they provide more comprehensive protections.

Securing smart devices in business environments

The Cyber Security (Security Standards for Smart Devices) Rules 2024 aim to enhance device security but fail to cover point-of-sale (POS) terminals, a key target for cybercriminals. Expanding the regulations to include these devices would strengthen payment infrastructure. Additional controls, such as minimum password requirements, failed attempt limits, and password reset mechanisms, should be mandated to improve baseline protections while ensuring usability.

Strengthening ransomware financial tracking

The Cyber Security (Ransomware Reporting) Rules 2024 require incident reporting but do not address the financial transactions enabling ransomware attacks. Mandating the reporting of payment account details and tracking ransom-related transactions would empower law enforcement to disrupt cybercriminal networks, making ransomware less profitable and reducing its impact on Australian organisations.

Safeguarding independent cyber incident governance

The Cyber Security (Cyber Incident Review Board) Rules 2024 introduce oversight for major cybersecurity incidents, but the requirement for Ministerial approval of the Board’s Terms of Reference raises concerns about government influence. To ensure the Board remains independent, it must have clearly defined autonomy, transparent decision-making processes, and robust accountability mechanisms free from political interference. A truly independent Board will enhance trust and strengthen Australia’s cybersecurity incident response capabilities.

Driving incident resilience through collaboration

Flame Tree is committed to supporting Australian organisations in achieving incident resilience. Our recommendations align with a broader strategy of enhancing national security while ensuring practical and effective implementation of cybersecurity regulations.

We encourage further refinement of these rules in line with the recommendations above.

By strengthening these measures, Australia can build a more resilient cybersecurity landscape.

Join the conversation

Cybersecurity is a shared responsibility. We encourage industry stakeholders and policymakers to collaborate in refining these regulations.