The Cyber Security Act 2024 received Royal Assent on 29 November 2024. Some provisions commenced the following day, 30 November 2024; the remainder, including the ransomware payment reporting obligation and the smart device security standards, commence by proclamation within the following 6 to 12 months. The Act marks a significant shift in Australia's legislative approach to cybersecurity at the individual, business, and national levels.
Key Measures Introduced by the Cyber Security Act 2024
The Cyber Security Act is not a standalone solution but a critical step towards strengthening Australia's cyber defences. The legislation, administered by the Department of Home Affairs with support from the National Cyber Security Coordinator, introduces four key measures intended to align Australia with international practice:
- Mandatory reporting of ransomware payments within 72 hours – Businesses at or above the annual turnover threshold prescribed by rules under the Act (the figure adopted is AUD $3 million), and entities responsible for critical infrastructure assets regardless of turnover, must report a ransomware payment within 72 hours of making it or of becoming aware that it has been made on their behalf. The trigger is the payment, not the incident itself: a ransomware attack that is never paid creates no reporting obligation under this Act. Failure to report is a civil penalty provision. This requirement is separate from the Notifiable Data Breaches (NDB) scheme, which applies to eligible breaches of personal information under the Privacy Act 1988, so a single incident may require both reports.
- Mandatory security standards for smart devices and connected products – Manufacturers and suppliers of Internet-of-Things (IoT) devices, including smart TVs, kitchen appliances, and connected vehicle software, must meet security standards set by rules under the Act before supplying those products in Australia, and must provide a statement of compliance. The baseline standard is expected to follow the international consumer IoT standard ETSI EN 303 645: no universal default passwords, a published vulnerability disclosure process, and a stated minimum period of security updates.
- Limited-use information sharing with the National Cyber Security Coordinator – The Act enables impacted businesses to voluntarily share cybersecurity incident details with the National Cyber Security Coordinator to support coordinated government response. Information disclosed under the limited-use obligation may only be used and disclosed for prescribed purposes and cannot be used as evidence against the entity in civil or regulatory proceedings. It is not a safe harbour: regulators retain their own powers to obtain the same information through other channels, and the protection does not cover criminal proceedings for knowingly providing false information.
- Establishment of the Cyber Incident Review Board (CIRB) – A new Cyber Incident Review Board will conduct no-fault reviews of major cybersecurity incidents, identify lessons learned, and publish recommendations to improve national resilience. Its role is comparable to that of the Cyber Safety Review Board in the United States.
Ransomware and the National Cyber Strategy – Strengthening Australia’s Cyber Defences
Cyber extortion, particularly ransomware, continues to cause significant financial and operational damage to Australian organisations, with estimated losses of around $3 billion annually. In response, the Six Cyber Shields framework within the 2023-2030 Australian Cyber Security Strategy aims to position Australia as a global leader in cybersecurity:
- Strong Businesses and Citizens – Equipping individuals and businesses to protect themselves against, and recover from, cyber attacks.
- Safe Technology – Ensuring trust in digital products and strengthening the security of software and hardware by design.
- World-Class Threat Sharing and Blocking – Improving Australia's ability to share threat intelligence and detect and block threats in real time.
- Protected Critical Infrastructure – Strengthening the resilience of essential services and government systems.
- Sovereign Capabilities – Supporting and expanding Australia's domestic cybersecurity industry and workforce.
- Resilient Region and Global Leadership – Building cyber resilience across the region and establishing Australia as a leader in global cybersecurity policy.
The Six Cyber Shields are not part of the Cyber Security Act itself; they set the strategic direction for long-term cybersecurity policy and will shape future legislation and rules made under the Act.
Why This Matters for Australian Businesses
Cybersecurity is no longer just an IT concern; it is a boardroom and executive-level priority. Many small and medium-sized businesses (SMBs) underestimate their risk, assuming they are too small to be a target.
In reality, most ransomware activity is opportunistic and financially motivated. Unless an actor has a specific political or strategic reason to pursue a particular organisation, it will spend its time and resources on whichever targets are easiest to compromise, and smaller businesses with weaker security postures routinely hold valuable data in environments that are cheap to exploit. Business size is not a defence; security posture is.
The new legislation highlights the need for proactive cyber resilience across all sectors, and for businesses of every size to implement appropriate security controls and incident response planning, including a documented process for deciding on and, where required, reporting a ransomware payment.
A Future-Ready Cybersecurity Framework
Failing to adopt strong cybersecurity measures leaves businesses exposed to disruption, reputational damage, and regulatory penalties. The Cyber Security Act 2024 reinforces Australia's commitment to cyber resilience by setting clear legal requirements for connected-device security, ransomware payment reporting, protected information sharing, and post-incident review.
With geopolitical tensions rising and cyber threats increasing, strong cybersecurity governance and risk management have never been more critical. The Cyber Security Act 2024 and the broader 2023-2030 Cyber Security Strategy together provide a legal and strategic foundation for keeping Australia secure and resilient, and for its ambition to lead globally in cybersecurity.
Common Questions About the Cyber Security Act 2024
Who needs to report ransomware payments under the new Act?
Any business with an annual turnover of AUD $3 million or more (the threshold prescribed by rules under the Act) must report a ransomware payment within 72 hours of making it or becoming aware that it has been made on its behalf. Entities responsible for critical infrastructure assets must report regardless of turnover. The obligation is triggered by a payment, so an organisation that suffers an attack but pays nothing has no report to make under this Act, though it may still have obligations under other schemes.
How does this differ from the Privacy Act's Notifiable Data Breach Scheme?
The NDB scheme under the Privacy Act 1988 requires notification of eligible data breaches involving personal information, and is assessed on the likelihood of serious harm to affected individuals. The Cyber Security Act requires reporting of ransomware payments whether or not personal information is involved. The two regimes operate independently: an incident in which personal data is exfiltrated and a ransom is then paid may require a report under both.
What happens if a business fails to report a ransomware payment?
Failure to report is a civil penalty provision under the Act, enforceable through civil penalty proceedings brought by the regulator. The Act does not create a criminal offence for non-reporting, and the specific enforcement approach during the initial period of the scheme is a matter for the regulator.
For a more detailed breakdown of the Cyber Security Act and answers to more questions, visit our full FAQ page.