Cyber Security Act: Key business considerations.

Author: Ray Hong

15/11/24 | Read time: 3 min

Part 1: Mandated security standards for smart devices

The new Cyber Security Bill is before parliament and may soon be upon us. If passed, it will introduce:

  • mandated security standards for smart devices;
  • mandatory ransomware reporting obligations;
  • voluntary information sharing with the National Cyber Security Coordinator for specified purposes; and
  • cyber incident reviews by the newly established Cyber Incident Review Board.

We discuss key considerations for businesses on these features in this 4-part series, beginning with part 1 on mandated security standards for smart devices.

1. What is the intention behind this measure?

Consumer safety – given the prevalence of ‘IoT’ smart device use in private settings, this measure is focused on ensuring that such devices are safe and trusted for Australians to use.

2. Regulated smart devices and who needs to comply?

The new Bill takes inspiration from UK legislation to simplify compliance for businesses. In the UK, the following types of smart devices are regulated:

  • smart phones;
  • connected cameras, TVs and speakers;
  • connected children’s toys and baby monitors;
  • connected safety-relevant products, such as smoke detectors and door locks;
  • wearable connected fitness trackers;
  • connected home automation and alarm systems;
  • connected appliances, such as washing machines and fridges; and
  • smart home assistants.

Whilst the types of smart devices would be set out in rules accompanying the new Act (if passed), if you are a manufacturer of these devices or supply them in Australia, the new mandated security standards may apply to you.

3. Applicable standards

The Government mentioned it will look to ‘international best practice’ with a focus on enhancing consumer security.[1] The leading international standard is ETSI EN 303645, which has also been adopted by Standards Australia.

We can expect to see at least the first 3 principles of ETSI EN 303645 as minimum security standards for smart devices in general, with the possibility of other additional standards and requirements for specific devices.

The first 3 principles of ETSI EN 303645 require the following:

  • ensuring smart devices do not have universal default passwords;
  • implementing a means to receive reports of cyber vulnerabilities in smart devices; and
  • providing information on minimum security update periods for software in smart devices.

While it is still early days, holding significant stock in your inventory that does not comply with (at least) the above standards may create risk exposure for your business (see the transition period in section 5 below).

4. How are manufacturers and suppliers required to comply?

Manufacturers and suppliers of regulated smart devices are required to provide a compliance statement for the device confirming that the mandated security standards are met. The rules will set out the details to be included in a compliance statement.

A key consideration between manufacturers and suppliers is the allocation of responsibility for compliance. In these circumstances, Australian suppliers will need to ensure that manufacturers provide them with the compliance statement, or the relevant information to be included in the statement.

Foreign manufacturers who supply to different markets may not agree to specifically comply with Australian standards. If so, Australian suppliers will need to get the product tested and a statement of compliance prepared by a ‘verified third party’.

The Government’s reference to a ‘verified third party’ may suggest the emergence of compliance schemes and organisations recognised by the Government to aid suppliers with compliance and to independently audit for non-compliance before enforcement action is taken. It will also be interesting to see how these compliance requirements are harmonised with existing voluntary certification and labelling schemes such as the IoT Security Trust Mark.

5. Timing to adjust to new security standards and non-compliance

In its consultation paper, the Government suggested that a 12-month transition period may be appropriate. Affected manufacturers and suppliers should keep an eye on the eventual transition period, considering the operational requirements to dispose of non-compliant inventory stock and to ensure compliance with the security standards before they become effective.

Non-compliance could result in the manufacturer or supplier being issued with enforcement notices by the Secretary of Home Affairs requiring them to:

  • fix the non-compliance;
  • stop the supply of the device; and/or
  • recall non-compliant devices, failing which the Minister may notify the public of the non-compliance.

6. Get your ducks in a row

Given that compliance with the mandated security standards will be operationally intensive, affected manufacturers and suppliers should plan and prepare for compliance ahead of time, including the following practical tips:

  • Tip 1: check whether your current products are at least compliant with the first 3 principles of ETSI EN 303645 (see section 3 above);
  • Tip 2: for suppliers, project your supply and manage your existing inventory stock carefully over the transition period (see section 5 above);
  • Tip 3: come to an arrangement on whether the supplier or the manufacturer is responsible for compliance; and
  • Tip 4: conduct industry research and due diligence on organisations that are positioned to test and verify compliance with the security standards.

As the saying goes, it is never too early to start planning, so draw up your plans early but keep them nimble as details of this measure continue to emerge. (Watch this space and stay tuned for the next instalment in the series in part 2!)

[1] Cyber Security Bill 2024, Second Reading Speech by the Minister for Cyber Security, 9 October 2024.