Cyber Security Act 2024: New Rules You Need to Be Aware Of

The Cyber Security Act 2024 was passed by the Federal Parliament on the 29th of November 2024. It implements four key strategies from the 2023-2030 Australian Cyber Security Strategy aimed at making Australia a global leader in cyber security. These strategies were legislated as rules on 4th March 2025.

Source: Australian Government - Department of Home Affairs

Let's look at each of these rules in more detail below:

 1. Mandatory ransomware reporting

This requirement will come into effect 6 months after receiving Royal Assent. Under it, entities must report any ransomware payments that they have made if they:

  • Are responsible for a critical infrastructure asset that falls under Part B of the Security of Critical Infrastructure Act 2018; or

  • Have an annual turnover that exceeds the turnover threshold outlined in the legislation.

The report must be made within 72 hours of making the payment or becoming aware that the payment was made.

The Australian Signals Directorate (ASD) website will have a portal where reporting entities will be required to submit their reports. Businesses that fail to meet this obligation might face a civil penalty of up to 60 penalty units.

What should reports include?

Reporting entities are required to provide all information that they can reasonably know or research in their reports. This includes:

  • Business and contact details of the entity that made the payment

  • Information about the extorting party

  • Cyber security incident that occurred and its impact on them

  • Demands from the extorting party

  • Ransomware payment

  • Any communications with the extorting party

Source: Mandatory Ransomware Reporting Factsheet

 2. Introduction of limited use obligation for the National Cyber Security Coordinator and Australian Signals Directorate (ASD)

Under this rule, any information that a business shares with the National Cyber Security Coordinator or the ASD in relation to a cyber security incident will be protected by a limited use obligation. This means that the Coordinator and the ASD can only use, record or share that information for purposes that will help the affected business, or others working on its behalf, to respond to, manage and recover from the incident.

This initiative aims to encourage businesses to report any cyber security incidents early on and share all related information without the fear of repercussions from regulators or law enforcement.

More details on when and how the limited use obligation applies are available on the limited use obligation factsheet on the Home Affairs website.

Source: Limited Use Factsheet

 3. Introduction of a new Cyber Incident Review Board

A new independent statutory advisory body in the form of a Cyber Incident Review Board will be established to conduct reviews of significant cyber security incidents after their occurrence. The purpose of this will be to identify possible actions that can be taken to mitigate and respond to such incidents in the future.

Visit the factsheet on the Cyber Incident Review Board for more information on this.

Source: Cyber Incident Review Board Factsheet

 4. Requirement for minimum cyber security standards for smart devices

Under this rule, manufacturers and suppliers of smart devices will be required to produce a statement of compliance confirming that their products meet the defined security standards relevant to them. Visit the factsheet on security standards for smart devices for more information on this.

Source: Security Standards for Smart Devices Factsheet

Address cyber risks with ISO 27001

With the increased focus on cyber security and the updates to legislation, it is now more important than ever to ensure the right protocols are in place to protect your organisation from breaches.

Showcase your organisation's commitment to maintaining high security standards within your information systems with an ISO 27001 certification.

Feel free to contact us or visit our website for more information.

Alicja Gibert