Cyber Security Act 2024 Update

Mar 18, 2025 | Uncategorized

In 2022 and 2023 several Australian companies were hit with significant data breaches or cyberattacks, which led the Australian Government to adopt a whole-of-economy approach to cyber resilience. Following this, in 2023, the National Office for Cyber Security was established and the 2023-2030 Australian Cyber Security Strategy was released.

The 2023–2030 Australian Cyber Security Strategy aims to make Australia a world leader in cybersecurity by 2030, with a focus on improving cyber security, mitigating cyber risks in the community, and bringing Australia in line with international best practices.

On 9 October 2024 the Cyber Security Bill 2024 was introduced by the Hon Tony Burke MP, as part of the implementation of the Cyber Security Strategy, and referred to the Parliamentary Joint Committee on Intelligence and Security. The Joint Committee reviewed the Bill and reported back to Parliament, which passed it. The Bill received Royal Assent on 29 November 2024, becoming the Cyber Security Act 2024.

The Cyber Security Act 2024 introduces four main initiatives, summarised below. Subordinate legislation, in the form of Rules, was made on 4 March 2025 to give effect to the measures introduced in the Act.

The first initiative is mandatory security standards for smart devices. Under the Act the Minister for Cyber Security has the power to establish mandatory security standards for smart devices, commonly referred to as Internet of Things (IoT) devices.

These security standards place the responsibility on manufacturers and suppliers of these devices to meet minimum security expectations. In addition, they will be expected to provide a statement of compliance confirming that the devices meet the requirements.

These standards come into effect in March 2026 and may be updated further through Ministerial Rules.

The second initiative is mandatory ransomware payment reporting. A business that makes a ransomware payment in relation to a cyber security incident must report the payment to the Commonwealth within 72 hours of making, or becoming aware of, the payment.

This includes circumstances where the entity pays the ransom or provides the benefit itself, and where it engages a third-party service provider to negotiate with the extorting entity and provide the payment or benefit on its behalf.

The following diagram summarises the reporting requirements:

Please note: the Government has indicated that it intends to set the turnover threshold at AU$3 million. However, this has not yet been confirmed.

The Ransomware Payment Reporting requirements commence on 30 May 2025, six months after Royal Assent.

The third initiative is a limited use obligation. It restricts the recording, use, and disclosure of information provided to the National Cyber Security Coordinator (NCSC), to promote business confidence in sharing information with the Government following an incident.

A summary of whether the obligation applies to the situation can be seen in this diagram:

The fourth initiative is the Cyber Incident Review Board (CIRB). From 30 May 2025, six months after Royal Assent, the CIRB is established as an independent statutory advisory board to conduct no-fault reviews of significant cyber security incidents in Australia.

The aim of these reviews is to produce recommendations that help prevent similar cyber-attacks in future.

A recent enforcement action illustrates the regulatory expectations. Between March 2019 and June 2023, FIIG Securities Limited (FIIG) allegedly failed to take appropriate steps to ensure adequate cyber risk management systems were in place.

On 2 June 2023, FIIG was notified of a potential malicious cyber security incident. FIIG did not investigate or report it until 8 June 2023, by which time it was identified that the theft of personal information had already occurred. Approximately 385GB of confidential data and client personal information was released on the dark web. Over 18,000 clients had to be notified that their personal information, such as names, addresses, dates of birth, driver's licences, passports, bank account details, and tax file numbers, had been compromised.

ASIC is now suing FIIG for systemic and prolonged cyber security failures, alleging that FIIG failed to have appropriately configured and monitored firewalls, failed to update and patch software security vulnerabilities, failed to provide mandatory cyber security awareness training, and failed to have adequate human, technological and financial resources to manage cyber security.

In 2022 and 2023, Australia faced major data breaches involving millions of customer records. These major data breaches included Optus (approximately 10 million customer records breached), Medibank (approximately 9.7 million customer records stolen and published), and Latitude Financial (14 million customer records compromised, including passport details and drivers’ licences).

The Cyber Security Act 2024 was created in response to these breaches. It will have a continuing impact on the financial services sector as the Government releases further Rules and industry guidance on how to meet the new obligations.

For further information on the Cyber Security Act, please visit: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/cyber-security-act

Or contact us at support@grcessentials.com.au
