Strengthening cyber resilience: Flame Tree Cyber’s response to proposed cyber security regulations


Cyber security regulations introduce important protections. Flame Tree Cyber welcomes the opportunity to contribute expert insights into the new subordinate legislation under the Cyber Security Act and the Security of Critical Infrastructure Act 2018 (SOCI Act).

This post outlines our recommendations on three key regulations:

  • Cyber Security (Security Standards for Smart Devices) Rules 2024
  • Cyber Security (Ransomware Reporting) Rules 2024
  • Cyber Security (Cyber Incident Review Board) Rules 2024

Each of these plays a vital role in enhancing the resilience of Australian businesses and critical infrastructure. However, refinements can ensure they provide more comprehensive protections.

Securing smart devices in business environments

The Cyber Security (Security Standards for Smart Devices) Rules 2024 aim to enhance device security but do not cover point-of-sale (POS) terminals, a key target for cybercriminals. Expanding the rules to include these devices would strengthen payment infrastructure. Additional controls, such as minimum password requirements, limits on failed authentication attempts, and secure password reset mechanisms, should be mandated to raise baseline protections without sacrificing usability.

Strengthening ransomware financial tracking

The Cyber Security (Ransomware Reporting) Rules 2024 require incident reporting but do not address the financial transactions that make ransomware attacks profitable. Mandating the reporting of payment account details (for example, the wallet or account to which a ransom was paid) and tracking ransom-related transactions would give law enforcement the means to trace and disrupt cybercriminal networks, making ransomware less profitable and reducing its impact on Australian organisations.

Safeguarding independent cyber incident governance

The Cyber Security (Cyber Incident Review Board) Rules 2024 introduce oversight for major cyber incidents, but the requirement for Ministerial approval of the Board’s Terms of Reference raises concerns about government influence. To ensure the Board remains independent, it must have clearly defined autonomy, transparent decision-making processes, and robust accountability mechanisms free from political interference. A truly independent Board will enhance trust and strengthen Australia’s cyber incident response capabilities.

Driving cyber resilience through collaboration

Flame Tree Cyber is committed to supporting Australian businesses and government agencies in achieving cyber resilience. Our recommendations align with a broader strategy of enhancing national security while ensuring practical and effective implementation of cyber regulations.

We encourage further refinement of these rules to:

  • Address gaps in smart device security
  • Improve ransomware financial tracking
  • Ensure independent cyber incident governance

By strengthening these measures, Australia can build a more resilient cyber security landscape.

Join the conversation

Cyber security is a shared responsibility. We encourage industry stakeholders and policymakers to collaborate in refining these regulations.


Kat McCrabb


12 Feb 2025

