The Australian government passed its first cyber security legislation on 25 November 2024, marking a significant milestone in the country’s cyber security landscape.
This landmark legislation introduces comprehensive security standards for managing cyber incidents and strengthens governance and risk management frameworks.
So what does it mean for businesses across Australia?
Understanding your reporting obligations
The bill introduces reporting requirements for particular cyber incidents, such as ransomware payments and data breaches. Businesses with an annual turnover of $3 million or more are now obligated to report ransomware payments to the National Cyber Security Coordinator (NCSC) within 72 hours of making a payment. Failure to comply will result in a civil penalty.
The report must include:
- Contact and business details of the entity making the payment (or details of a third party paying on their behalf).
- Details of the cyber incident, including its impact on the business.
- Information about the extortion demand and the payment itself.
- Communications with the extorting entity.
Optional details can also be added to provide more context about the incident, but the required information must be clear, accurate, and submitted in the prescribed format.
Cyber Incident Review Board (CIRB)
The bill establishes a new independent body, the Cyber Incident Review Board (CIRB), to conduct impartial post-incident reviews of significant cyber incidents. To encourage cooperation, legal safeguards have been put in place for businesses that voluntarily share information with the Australian Signals Directorate (ASD) to assist in cyber security investigations, ensuring unbiased assessments without fear of repercussions.
However, we do see some inevitable implications:
- Even though it is a no-fault review, the CIRB may choose to publicly report on the findings of its review, which could increase scrutiny on the business, leading to potentially negative publicity.
- As the CIRB highlights cyber security risks and vulnerabilities, insurers may reassess their risk models and adjust premiums accordingly. This could lead to increased insurance costs for businesses in the future.
The bigger picture
Experts recommend viewing the bill’s requirements not as standalone obligations but as part of a larger cyber security “fabric”. The Cyber Security Bill 2024 is not a compliance checklist; it is part of a broader strategy to reduce the profitability of ransomware attacks and encourage businesses to adopt proactive cyber security measures.
Underreporting has long been a major barrier, limiting the ability to address the scale of the problem. With this bill, the government aims to build a clearer picture of how ransomware is affecting Australian businesses and use this data to provide better support to everyone.
As a business, meeting this obligation is not just about ticking a box; it is about contributing to a collective effort to fight cyber crime.
The next steps
Businesses have a six-month transition period before the reporting requirements take full effect. This is your opportunity to:
- Identify your risk – start by evaluating whether your turnover meets the $3 million threshold and ensure you understand the types of incidents that trigger reporting.
- Engage with stakeholders – work with your IT team (or consult external experts like Netway Networks) and legal counsel to ensure your processes align with the bill.
- Strengthen cyber policies – develop a clear incident response plan that outlines procedures for handling ransomware attacks, including documentation, communication, and reporting protocols.
- Train and raise awareness – effective compliance relies on a well-trained workforce. Ensure your team understands their roles and responsibilities in the event of a ransomware attack.
The Cyber Security Bill 2024 signals a new era of accountability in the fight against cyber attacks. While the reporting requirements might seem daunting, they represent a crucial step toward a safer and more resilient cyber environment for all Australian businesses.