The Cyber Security Act 2024 creates four distinct obligations. They commenced at different times, and they are enforced differently.
The Act was passed as part of a three-bill legislative package alongside amendments to the Security of Critical Infrastructure Act 2018 and the Intelligence Services Act. It implements key commitments from the 2023–2030 Australian Cyber Security Strategy.
Penalties at a glance
The penalty unit value is $330 as of November 2024 (Crimes Act 1914 s 4AA). Body corporate multiplier is 5x under the Regulatory Powers (Standard Provisions) Act 2014. Next indexation: 1 July 2026.
| Provision | Individual | Body Corporate |
|---|---|---|
| Failure to report ransomware payment within 72 hours (s 27(5)) | $19,800 | $99,000 |
| Unauthorised secondary use/disclosure of ransomware report info (s 30(6)) | $19,800 | $99,000 |
| Unauthorised secondary use/disclosure of NCSC-shared info (s 40(6)) | $19,800 | $99,000 |
| Failure to comply with CIRB compulsory production notice (s 50(1)) | $19,800 | $99,000 |
| Smart device non-compliance (ss 17–20) | Escalating notices: compliance → stop → recall → public naming | |
If your organisation pays a ransom, or becomes aware someone paid on your behalf, you have 72 hours to report it. Full enforcement is now active.
Who must report
The Act defines a reporting business entity in two categories:
- Commercial entities carrying on business in Australia with annual turnover exceeding $3 million for the previous financial year, excluding Commonwealth bodies, State bodies, and SOCI-regulated entities (who are caught by the second category).
- SOCI-regulated entities: any responsible entity for a critical infrastructure asset under Part 2B of the SOCI Act, regardless of turnover.
The $3 million threshold mirrors the Privacy Act small business exemption. For businesses that have operated for less than a full financial year, the Rules prescribe a pro-rata formula.
What triggers the obligation
All five conditions must be met: a cyber security incident has occurred or is imminent; the incident has or could have an impact on the reporting entity; an extorting entity makes a demand; and the reporting entity provides, or becomes aware another entity has provided, a payment or benefit related to the demand.
The third-party payment trap: The obligation extends to entities who become aware that a third party—a cyber insurer, lawyer, or IT consultant—paid on their behalf. This creates real complexity about when awareness crystallises. If your insurer settles a ransom demand, the 72-hour clock starts from the moment you know about it, not from when the payment was made.
The 72-hour reporting window
What the report must contain
The report requires information the entity knows or is able, by reasonable search or enquiry, to find at the time of reporting:
- Contact and business details of the reporting entity
- Contact and business details of the paying entity (if a third party paid)
- Details of the cyber security incident and its impact
- The demand made by the extorting entity
- The ransomware payment: amount, method, and details (monetary and non-monetary)
- Communications with the extorting entity relating to the incident and payment
- Malware variants, exploited vulnerabilities, ransom demanded versus paid
Phased enforcement
Phase 1 (30 May – 31 December 2025) was education-first, with enforcement reserved for egregious non-compliance. Phase 2 (1 January 2026 onwards) is full compliance and enforcement. If you have not built a ransomware payment reporting workflow into your incident response procedures, you are already operating in a full enforcement environment without the process to meet it.
The limited-use provisions are designed to encourage reporting. They are not a safe harbour, and the distinction matters.
The Act restricts how information provided through its reporting channels can be used. This applies to both ransomware payment reports (Part 3) and information voluntarily shared with the National Cyber Security Coordinator during significant incidents (Part 4).
What is protected
Ransomware report information (s 29) may only be used for permitted purposes: assisting the reporting entity, performing functions under the Act, informing the Minister, intelligence agency functions, and proceedings for false or misleading information. It must not be used for investigating or enforcing any civil or regulatory contravention against the reporting entity—except for breaches of Part 3 itself or criminal offences.
Voluntarily shared information (s 38) with the NCSC during a significant cyber incident receives the same framework of protections. Information shared under Part 4 is inadmissible against the impacted entity in most proceedings (s 42).
Legal professional privilege (s 31) is preserved: providing information in a report does not waive LPP claims.
Why this is not a safe harbour: Multiple authoritative law firm analyses emphasise that the limited-use protections do not exempt entities from existing legal obligations. They do not prevent regulators from gathering the same information through their own powers—APRA's information-gathering powers, OAIC's investigation powers, ASIC's compulsory examination powers all remain intact. The protections only cover information obtained via the Act's reporting channels. If the same information is provided elsewhere, the protections do not apply.
The directors' duties tension
There is a genuine tension identified by legal commentators: if disclosing ransomware payment information to government is contrary to the organisation's best interests, directors could theoretically face a conflict between their duties under sections 180–184 of the Corporations Act and the Act's reporting obligation. This is an unresolved area that boards should discuss with legal counsel before an incident forces the conversation under pressure.
The CIRB will conduct post-incident reviews of nationally significant cyber events. It is not yet operational, but organisations should prepare for its eventual involvement.
The CIRB is an independent statutory advisory body modelled on civil aviation accident investigation boards and the US Cyber Safety Review Board. It is designed to improve Australia's preparedness by learning from significant incidents.
Who can refer an incident
Written referrals can come from the Minister, the NCSC, an impacted entity, or a Board member. The Board can only commence a review after the incident and immediate response have ended, and the Minister has approved terms of reference.
Review criteria
The incident must have seriously prejudiced (or could prejudice) social or economic stability, defence, or national security; or involved novel or complex methods that would improve preparedness; or be of serious concern to the Australian people.
Information-gathering powers
The Chair can request information voluntarily (s 48), and if that is unsuccessful, can compel production of documents (s 49) with a minimum 14 days to comply. Penalty for non-compliance: 60 penalty units ($19,800/$99,000). Reasonable compensation is payable for compulsory production.
The no-fault model
Final review reports must not apportion blame, provide means to determine liability, identify individuals without consent, or allow adverse inferences from being the subject of a review. Reports are published after redaction of sensitive information. A protected (unredacted) report goes to the Minister and Prime Minister.
Plan for participation: CIRB reviews will extend the tail of a significant incident. Companies should plan for the possibility of voluntary and compulsory information requests, maintain legal privilege throughout, and understand the interaction between CIRB participation and any parallel regulatory investigations or litigation.
Current status
Expressions of interest for Chair and standing members closed October 2025. The Minister is considering applications. The Expert Panel will follow after Board appointment. As of March 2026, the CIRB has not yet conducted any reviews.
Three mandatory security requirements for connected products, aligned with international standards and now in force.
Part 2 applies to relevant connectable products: anything that connects to the internet via IP, or connects to such a device electromagnetically. Exemptions include desktop computers, laptops, tablets, smartphones, therapeutic goods, and road vehicles.
The standards apply to products manufactured on or after 4 March 2026, or supplied new on or after that date.
Enforcement
Non-compliance follows an escalating notice framework: compliance notice (s 17), stop notice (s 18), recall notice (s 19), and public notification (s 20), under which the Minister can publish the entity's identity, product details, and non-compliance on the Department website. Each notice allows a minimum of 10 days for representations. The regulator is the Technology Assessment and Regulation Office within Home Affairs.
International alignment
These requirements closely follow the UK Product Security and Telecommunications Infrastructure Act 2022 and align with ETSI EN 303 645. They are directionally consistent with the EU Cyber Resilience Act, which imposes broader requirements including security-by-design across the product lifecycle. Manufacturers already compliant with UK PSTI or ETSI standards should find alignment straightforward.
A single ransomware incident can trigger five separate reporting obligations to different regulators with different timeframes. This is the core compliance challenge.
The Cyber Security Act does not replace existing reporting obligations. It adds to them. For organisations in regulated sectors, a single incident can generate a cascade of parallel reporting requirements.
| Obligation | Timeframe | Regulator | Trigger |
|---|---|---|---|
| SOCI Act — critical cyber incident | 12h / 72h | ACSC/CISC | Cyber incident affecting CI asset |
| Cyber Security Act — ransomware payment | 72h | DHA + ASD | Payment made to extorting entity |
| Privacy Act (NDB scheme) | "ASAP" (30-day assessment) | OAIC | Eligible data breach likely to cause serious harm |
| APRA CPS 234 | 72h / 10 days | APRA | Material information security incident |
| ASX Listing Rules | Continuous | ASX | Material information |
The triple reporting burden: APRA-regulated entities operating in SOCI-regulated sectors face the heaviest load: CPS 234 notification to APRA, SOCI Act reporting to CISC, and Cyber Security Act reporting to ASD/Home Affairs—all with 72-hour clocks but different triggers, different channels, and different information requirements. Without a pre-built reporting matrix, this will be missed under pressure.
Sector-specific complexity
Financial services must navigate CPS 234, CPS 230 (from July 2025), SOCI Act, Cyber Security Act, and Privacy Act—all with separate incident reporting. Critical infrastructure operators face SOCI CIRMPs plus SOCI incident reporting plus ransomware payment reporting. Healthcare combines SOCI obligations for hospital assets with Privacy Act requirements for health data plus ransomware reporting. Telecommunications entities now have security obligations under the SOCI Act (migrated from the Telecommunications Act in April 2025) plus Cyber Security Act reporting.
The interaction with the SOCI Act amendments
The companion legislation expanded the SOCI Act significantly. CIRMPs now cover data storage systems as critical infrastructure. Government powers expanded from cyber-only to an all-hazards framework. Telecommunications security obligations migrated into SOCI Act Part 2D. The PJCIS review of the SOCI Act was delayed to commence by December 2026, and the Cyber Security Act review by December 2027.
The first civil penalty for cybersecurity failures in Australia was not under the Cyber Security Act. It was under existing AFSL obligations. That should tell you something about the direction of enforcement.
In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million in penalties plus $500,000 in costs (ASIC v FIIG Securities Limited [2026] FCA 92). This is the first time civil penalties have been imposed for cybersecurity failures under Australian Financial Services Licence obligations (s 912A of the Corporations Act 2001).
FIIG is an Australian fixed-income specialist that held approximately $3–3.7 billion in client assets. The ALPHV/BlackCat ransomware group attacked from 19 March to 8 June 2023, stealing approximately 385 GB of data affecting approximately 18,000 clients.
The systemic failures (4+ years)
- No multi-factor authentication for remote access; weak passwords for privileged accounts
- No regular penetration testing or vulnerability scanning
- No structured software patching
- No qualified IT personnel monitoring threat alerts
- No mandatory cybersecurity awareness training
- No annually tested incident response plan
- Policies existed on paper but controls were never implemented—ASIC treated this as a separate contravention
Why this matters for the Cyber Security Act: The FIIG case was prosecuted under existing AFSL obligations, not the Cyber Security Act. Every one of the failures identified—no MFA, no pen testing, no patching, no incident response plan—is exactly what the Essential Eight framework and the Cyber Security Act's broader regulatory environment aim to address. The limited-use provisions in the Cyber Security Act are designed to encourage reporting without fear of this type of regulatory action. But regulators retain independent investigation powers. The FIIG precedent demonstrates that ASIC does not need the Cyber Security Act to pursue cybersecurity failures.
The enforcement trajectory
Three ASIC cybersecurity enforcement actions against AFS licensees in four years: RI Advice Group (2022, compliance orders, no penalties), FIIG Securities (February 2026, $2.5M penalty), and Fortnum Private Wealth (proceedings commenced July 2025, ongoing). ASIC's 2026 Key Issues Outlook identifies cyber risk and operational resilience as a systemic risk. The trend is clear, and the Cyber Security Act gives regulators additional tools.
Every obligation, every commencement date, in one place.
Practical steps for organisations that need to comply, not just understand the legislation.
The law firms have explained the legal provisions. Here is what the cybersecurity work actually involves.
Build a ransomware payment reporting workflow
You need a documented, tested process that your incident response team can execute under pressure within 72 hours. This means pre-built report templates aligned to the information requirements in s 27(2), clear decision authority for who approves payment disclosure, integration with your existing incident response procedures, and a communication protocol for third-party payments where the clock starts from awareness, not from payment.
Map your reporting obligations
Build a consolidated reporting matrix that covers every obligation your organisation faces. For each: the trigger, the timeframe, the regulator, the channel, the information required, and who owns the submission. If you operate in financial services or critical infrastructure, this matrix will have at least three rows for a single ransomware incident. Test it in a tabletop exercise where multiple reporting clocks are running simultaneously.
Review your incident response plan
Most incident response plans pre-date the Cyber Security Act. They need updating to include ransomware payment decision criteria, reporting triggers and workflows, third-party payment awareness protocols, and the interaction with limited-use protections. Your legal team should be involved in the update, particularly around how the directors' duties tension affects payment decisions.
Close the Essential Eight gaps the FIIG case exposed
Every control that FIIG lacked—MFA, patching, pen testing, awareness training, incident response testing—is addressed by the Essential Eight. If you have not assessed your organisation against Essential Eight maturity levels, you are operating without the baseline that regulators now expect. The ASD 2025–26 Board Priorities publication specifically encourages boards to consider Essential Eight maturity.
Get board-level visibility on the new obligations
Directors need to understand the ransomware payment reporting obligation, the directors' duties tension it creates, and the limited-use protections and their limitations. This is a board-level governance conversation, not a technical briefing. Pair it with your existing governance framework review.
Assess your detection and monitoring capability
You cannot report incidents you cannot detect. The 72-hour clock starts from awareness, and awareness depends on monitoring capability. If your detection covers corporate IT but not operational technology, if your logging is incomplete, if your alert triage is slow, your reporting compliance is built on a foundation that cannot support it.
We help Australian organisations build the governance, detection, and response capability that makes Cyber Security Act compliance a byproduct of good security practice.
Cliffside works with organisations across financial services, critical infrastructure, healthcare, and professional services on the compliance and operational challenges the Cyber Security Act creates. We do not sell compliance templates. We build the capability that makes compliance sustainable.
Our work typically covers security governance and incident response framework design, compliance audits against Essential Eight, CPS 234, and SOCI obligations, tabletop exercises that test ransomware reporting workflows under realistic pressure, penetration testing to close the gaps the FIIG case exposed, and Virtual CISO engagements that provide ongoing strategic oversight of the evolving compliance landscape.
If you need to understand where you stand against the Cyber Security Act's obligations, start with an honest conversation.
Book a Lighthouse Assessment or call our team on (02) 8916 6389.