Cyber Security Act 2024 – Frequently Asked Questions (FAQ)

Royce Leslie
March 21, 2025

Although the Cyber Security Act 2024 represents a significant shift in the trajectory and expectations of cyber security practice in Australia, a number of questions arise when trying to fully understand the new legislation. Based on my research and the follow-up questions from my recent article on the changes, the questions below appear to be the most frequently asked.

Who is required to report ransomware payments under the Cyber Security Act 2024?

Businesses carrying on business in Australia with an annual turnover exceeding AUD $3 million must report a ransomware payment within 72 hours of making the payment, or of becoming aware that a payment has been made on their behalf (for example by an insurer or negotiator). This aligns with the small business threshold under the Privacy Act 1988. Responsible entities for critical infrastructure assets (as defined under the Security of Critical Infrastructure Act 2018) must report regardless of turnover. Note that the obligation is triggered by the payment itself (money or any other benefit given in response to the demand), not by the ransomware incident, and the report is made to the designated Commonwealth body (the Department of Home Affairs).

When do the ransomware reporting obligations commence?

The ransomware reporting obligations under the Cyber Security Act 2024 will take effect on the earlier of:​

  • A date fixed by Proclamation, or​
  • 30 May 2025.​

As of the date of this post, the government has not issued a Proclamation to set an earlier date, so the obligations are anticipated to commence on 30 May 2025. There is no grace period for compliance; therefore, affected entities must be prepared to adhere to these requirements by this date. ​


What happens if my business fails to report a ransomware payment?

Failure to report within the 72-hour window is a contravention of a civil penalty provision. The Act expresses the penalty in penalty units (60 penalty units for a failure to report), so the dollar amount depends on the penalty unit value in force at the time; how actively it is enforced will depend on the regulator's enforcement approach.

Does the Act apply to government agencies?

No. Commonwealth, state, and territory government bodies are exempt from the mandatory ransomware reporting obligations under the Act. 

How does the Cyber Security Act differ from the Privacy Act's Notifiable Data Breach (NDB) Scheme?

The Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 requires organisations to report breaches involving personal information.

The Cyber Security Act 2024, on the other hand, specifically requires reporting of ransomware payments, regardless of whether personal data is involved. A single incident can trigger both obligations, and satisfying one does not discharge the other: a ransomware attack that exposes personal information and ends in a payment must be reported under both schemes, each to its own regulator and on its own timeline.

What kinds of smart devices are covered under the smart device security standard?

The Act covers "relevant connectable products", that is, devices that can connect to the internet or to a network. Examples include: 

  • Smart home devices (e.g., TVs, kitchen appliances, security cameras) 
  • Wearable technology (e.g., fitness trackers, smartwatches) 
  • Connected vehicles (e.g., electric and autonomous vehicles) 
  • Industrial IoT systems (e.g., smart meters, networked manufacturing equipment) 

Manufacturers and suppliers must ensure these products meet the security standard specified in rules made under the Act, and must provide a statement of compliance with the product, before supplying them in Australia.

What is the role of the Cyber Incident Review Board (CIRB)?

The Cyber Incident Review Board (CIRB) investigates major cyber incidents, identifies weaknesses in national cybersecurity, and recommends improvements. This is Australia’s equivalent of the US Cyber Safety Review Board.


Can businesses voluntarily share Cybersecurity Incident details with the government?

Yes. The Act enables businesses to share cyber security incident details with the National Cyber Security Coordinator. The Coordinator is subject to a limited use obligation, which means this information:

  • May only be recorded, used or disclosed by the Coordinator for the purposes permitted under the Act, and
  • Cannot be used as evidence against the business in civil proceedings (the protection does not extend to criminal matters).

This is intended to encourage early, candid engagement without legal repercussions. It is not a safe harbour, however: regulators can still obtain the same information through their own powers, and sharing with the Coordinator does not replace any mandatory reporting obligation the business already has.

Are small businesses affected by this legislation?

Small businesses with an annual turnover of AUD $3 million or less are not required to report ransomware payments (unless they are a responsible entity for a critical infrastructure asset). They must still comply with the security standard if they manufacture or supply smart devices in Australia. 

How does this legislation fit into Australia's broader Cybersecurity Strategy?

The Cyber Security Act 2024 is part of Australia’s 2023-2030 Cyber Security Strategy, which outlines six key areas of focus (the Six Cyber Shields) to strengthen national cybersecurity resilience.


What should my business do to prepare for the Cyber Security Act?

To ensure compliance: 

  • Build the 72-hour ransomware payment reporting trigger into your incident response plan, including payments made on your behalf by insurers or negotiators (if applicable).
  • Ensure IoT and connected devices meet cybersecurity standards.
  • Engage with the National Cyber Security Coordinator for guidance.

Where can I find more details on the Cyber Security Act 2024?

You can access the full legislation on the Federal Register of Legislation: 
Cyber Security Act 2024 

Royce Leslie

Royce is the Sales Enablement and Brand Specialist at Morrisec. With a strong foundation in cybersecurity and risk management from his Bachelor of Security Studies degree, he combines his expertise in security analysis with a passion for effective communication. Currently completing his Masters in Cyber Security Analysis, Royce applies his knowledge to bridge the gap between technical insights and strategic business needs, helping organisations enhance their cybersecurity posture through education and engagement.
