Australia’s new Cyber Security Act introduces significant changes for organisations, particularly with regard to ransomware payments and cyber incident reporting. Mandatory Ransomware Payment Reporting requires organisations with a turnover above AUD $3 million to report ransomware payments within 72 hours to the Department of Home Affairs and the Australian Signals Directorate.
Voluntary Cyber Incident Reporting encourages information sharing among organisations to prevent and mitigate cyber risks. The National Cyber Security Coordinator (NCSC) will oversee this reporting framework, which protects organisations through a “limited use” obligation. Other key measures include enforcing security standards for IoT devices and establishing a Cyber Incident Review Board to review significant incidents. Organisations must update their cyber security incident response plans to comply with these new regulations.