June 2025 | Curium Insights
Australia has entered a new era of cyber governance. With the commencement of the Cyber Security Act 2024 and its associated reporting obligations, businesses face heightened expectations for cyber resilience, transparency, and consumer protection.
These changes are not just policy adjustments โ theyโre a signal that cyber compliance is now core business. Hereโs what your organisation needs to know.
๐ฃ Whatโs changed?
1. Mandatory Ransomware Reporting
From 2025, businesses operating in Australia (with over $3M in turnover) and all critical infrastructure operators must report ransomware payments to the federal government.
What must be reported?
โ Details of the ransomware attack
โ Payment amount and method
โ Communications with the attacker
When?
โ Within 72 hours of making the payment
Where to report?
โ Reports go to the Department of Home Affairs and Australian Signals Directorate (ASD)
๐See the official Cyber Security (Ransomware Reporting) Rules 2024 here
2. Cyber Incident Review Board (CIRB)
Australia has established a no-fault review board to analyse significant cyber attacks.
Focus: Learnings, not blame
Powers: Can compel information if needed
Goal: Share sector-wide insights and improve national resilience
๐ More on the Cyber Security Act here
3. Limited Used Provisions
To encourage transparency, companies that voluntarily share information with the government during a cyber incident benefit from legal protections:
โ Information cannot be used against them in regulatory or civil proceedings
โ Legal professional privilege remains protected
โ This is designed to encourage early engagement with government cyber response teams.
๐See Allensโ summary on the limited use protections hereย
4. Minimum Security Standards for Smart Devices
Consumer-grade smart devices must now meet baseline security standards, with enforcement set to begin 12 months from rule registration. This aims to reduce the growing risks of poorly secured IoT devices.
๐ See the Cyber Security Legislative Reform Overview here
๐งญ What Should Businesses Do Now? Organisations need to act immediately to ensure they comply with these new rules:
โ Review your cyber incident response plans
โ Establish clear internal ransomware reporting workflows
โ Train your executive, IT, and legal teams
โ Confirm how your data will be protected when reporting
โ Prepare for CIRB engagement in the event of a significant breach
๐ See the ASDโs Cyber Incident Response Practitioner Guide here
๐ก How Curium Can Help
At Curium, we enable insurance organisations, underwriting agencies, and brokers to stay on top of evolving regulation โ without the manual overhead.
Our platform automatically:
๐ Updates compliance workflows when new obligations like the Cyber Security Act come into force
๐ Tracks reporting timelines and provides dashboards for response deadlines
๐ Supports evidence collection and real-time audit trails
๐ข Integrates with internal systems to ensure every team is aligned
๐ Final Thought
These changes are not hypothetical โ theyโre live, and non-compliance can carry significant reputational and regulatory risk. With the growing frequency and complexity of cyber attacks, regulatory clarity and preparedness are now business-critical.