In late 2024, the Australian Government passed the Cybersecurity Act 2024, Australia’s first piece of standalone cybersecurity legislation.
Part 3 of the Act, which imposes obligations on large companies to report cybersecurity incidents, took effect in May 2025.
The Act is primarily intended to strengthen Australia’s cybersecurity regime, and it gives businesses an opportunity to review how they handle cybersecurity concerns. A failure to comply with the new laws can result in financial penalties.
Here’s what you need to know.
Who does the Act apply to?
Entities with a turnover of $3m or more. Under Part 3, entities carrying on business in Australia with a turnover of $3m or more are ‘reporting entities’ and are subject to the Act’s reporting obligations.
What will the Act require?
Reporting entities must notify the National Cybersecurity Coordinator of cybersecurity incidents that result in a ransomware payment being made to the extorting party.
A ‘cybersecurity incident’ is any attack or incident carried out through the use of the internet or phone lines, or which impedes or impairs the ability of a computer to connect to the internet.
If such an attack occurs and the perpetrator demands payment, the entity must report the incident once it discovers that the ransomware payment has in fact been made.
The report must be made within 72 hours of the payment being made, or of the entity becoming aware that the payment has been made.
What happens if an entity fails to report?
If an entity fails to report a ransomware payment, the Act imposes civil penalties of up to $11,855.
Protection for reporting entities
The Act includes a ‘safe harbour’ provision under which any information provided to the Cybersecurity Coordinator is subject to information protection. This means that information obtained through a report cannot be used by the Coordinator in any civil or regulatory action taken against the entity. Providing the information does not constitute a waiver of legal professional privilege by the reporting entity.
Voluntary reporting
The Act also sets out a process that businesses can choose to follow to voluntarily report a cybersecurity incident that does not involve a ransomware payment.
How should you comply?
To comply with the Act, businesses should:
- prepare internal procedures for reporting ransomware incidents;
- identify or nominate responsible persons within the organisation; and
- establish procedures for making voluntary reports.
Our team advises clients on compliance with the Act as well as on a wide range of other compliance and crisis response issues. Contact us if you would like to discuss your approach to cybersecurity and privacy.