IronSights
All insights

compliance

The Cyber Security Act 2024: what it changes for Australian businesses

Australia's first standalone Cyber Security Act brings mandatory ransomware payment reporting, smart device standards, and a Cyber Incident Review Board. Here is what applies to your business and what to do about it.

By IronSights Editorial, Practitioner team7 July 20264 min read
ByIronSights Editorial7 July 20264 min read

The Cyber Security Act 2024 passed Parliament in November 2024 as Australia's first standalone cyber security legislation. Most of the commentary at the time focused on what it meant for government and critical infrastructure. Less was written about the part that reaches furthest: a reporting obligation that applies to ordinary businesses, including ones with no regulator, no compliance function, and no reason to have heard the Act exists.

This article covers the four measures that matter, who each one applies to, and the practical steps worth taking now.

Mandatory ransomware payment reporting

This is the measure most likely to touch an ordinary business. If your business has an annual turnover above $3 million (or you are a responsible entity for a critical infrastructure asset) and you make a payment, or someone makes one on your behalf, you must report it to the Australian Government within 72 hours.

The report goes to the Department of Home Affairs and the , and it must cover the incident, the demand, the payment, and the communications with the attacker. The obligation took effect on 30 May 2025, and failing to report is a civil penalty offence.

Three things about this catch businesses off guard. First, the trigger is the payment, not the incident: you can suffer a ransomware attack and pay nothing, and this obligation never arises. Second, the 72-hour clock starts when the payment is made, which in a real incident is usually the most chaotic possible moment to be assembling a government report. Third, the turnover threshold captures a large share of Australian SMEs who assume cyber legislation is someone else's problem.

The Act deliberately does not ban ransom payments, and reporting a payment does not launder it. Sanctions law still applies if the recipient is a sanctioned entity, and payment remains a commercial decision with poor odds: paying does not guarantee working decryption keys, and it marks you as a payer. Our position, shaped by incidents we have worked, is that payment is a last resort that gets decided with legal advice and negotiation support, never in panic on day one.

Security standards for smart devices

The Act creates a framework for mandatory security standards on internet-connected consumer devices: the cameras, doorbells, sensors, and appliances that ship with default passwords and no update mechanism. If you manufacture or supply smart devices into the Australian market, this is your compliance problem. If you simply run a business full of them, it is quieter good news: the baseline of what lands on your network improves over time.

It does not fix the fleet you already own. Cheap connected devices remain one of the most common weak points we find on business networks, and they still need to be segmented away from systems that matter.

Limited use: sharing with the ASD is now safer

Businesses have historically hesitated to tell the Australian Signals Directorate about incidents, worried that whatever they disclosed would find its way to regulators and end up used against them. The Act's 'limited use' obligation addresses this directly: information you voluntarily provide to the ASD or the National Cyber Security Coordinator about an incident cannot be used for most regulatory enforcement purposes against you.

This changes the calculus during an incident. Calling the ASD early gets you and support, and the legal downside of doing so is now substantially narrower. It is not blanket immunity, since your notification obligations under the Privacy Act and other regimes still stand, but the trap businesses feared has been largely closed.

The Cyber Incident Review Board

The Act establishes a Cyber Incident Review Board to run no-fault, post-incident reviews of significant cyber incidents, in the way transport safety investigators review crashes. Expect its published findings to become required reading: they will describe, in specifics, how major Australian breaches actually happened. For most businesses the CIRB is not an obligation. It is a free source of lessons paid for by someone else's very bad month.

What to do about it

  • Check whether you clear the $3 million turnover threshold. If you do, the ransomware reporting obligation applies to you today.
  • Put the 72-hour reporting step into your now, with an owner, so nobody is discovering the obligation mid-incident.
  • Decide your ransom position before you are attacked, including who has authority to approve or refuse a payment and which legal adviser gets the call.
  • Treat the ASD as a resource, not a risk. Limited use protections mean early engagement is now the sensible default.
  • Reduce the odds of ever making the report: tested backups, hardened identity, and monitored endpoints remain the controls that decide whether ransomware becomes a payment conversation at all.

If you want the incident plan, the controls, or both looked at properly, that is work we do every week, including for businesses in the middle of the incident. Better to meet us before then.

Keep reading

More from the IronSights team.