4 November 2024 Cyber Security Legislative Package: Responses to questions on notice SOCI Bill

Cyber Incident Review Board In the course of the hearing, the Chair queried whether the Law Council held concerns about the requirement that the Minister approve the terms of reference for a review by the Cyber Incident Review Board (the Board) at paragraph 46(2)(c) of the Cyber Security Bill 2024 (the Bill). [...] The Law Council has previously suggested that consideration should be given to removing the requirement that the Minister approve terms of reference for a review, in order to preserve the Board’s actual, and perceived, independence in the community.1 Our concern primarily relates to the terms of reference for a review being required to identify participating standing members of the Board (section. [...] These considerations could include the independence of the appointees, and satisfaction as to the knowledge and expertise of the individuals relevant to the proposed review. [...] The breadth of the potential application of the amendment is compounded by the potential extraterritorial operation of the new subsection (while section 9(2B) of the SOCI Act excludes assets located outside Australia from the definition of critical infrastructure asset, there is no equivalent proposed exclusion in relation to data storage). [...] The Explanatory Memorandum summarises the aim of this amendment as follows: … to expand the definition of all types of critical infrastructure assets to include secondary assets which hold ‘business critical data’ and relate to the functioning of the primary asset.9 The Victorian Bar suggests that this narrower application should be replicated in the text of the amendment by removing proposed ss 9.