June 2025 | Curium Insights
Australia has entered a new era of cyber governance. With the commencement of the Cyber Security Act 2024 and its associated reporting obligations, businesses face heightened expectations for cyber resilience, transparency, and consumer protection.
These changes are not just policy adjustments—they’re a signal that cyber compliance is now core business. Here’s what your organisation needs to know.
📣 What’s changed?
1. Mandatory Ransomware Payment Reporting
From 30 May 2025, businesses operating in Australia with annual turnover above $3M, and all entities responsible for critical infrastructure assets under the SOCI Act, must report ransomware payments to the federal government. Note that the trigger is the payment, not the attack: the obligation also applies where a third party (for example an insurer or negotiator) makes the payment on the entity's behalf. Paying is not itself prohibited by the Act, but failing to report a payment is a civil penalty offence.
What must be reported?
– Details of the ransomware incident and the demand
– Payment amount, method and date
– Communications with the extorting party
When?
– Within 72 hours of making the payment, or of becoming aware that a payment has been made on your behalf. The clock runs from the payment, not from discovery of the incident, so payment authorisation and report preparation need to be planned together.
Where to report?
– Reports go to the Department of Home Affairs and Australian Signals Directorate (ASD)
📘 See the official Cyber Security (Ransomware Reporting) Rules 2024 here
2. Cyber Incident Review Board (CIRB)
Australia has established a no-fault review board to conduct post-incident reviews of significant cyber incidents.
Focus: Lessons learned, not blame or liability
Powers: Can compel an entity to produce information where it is not provided voluntarily
Goal: Publish sector-wide findings and recommendations that improve national resilience
📘 More on the Cyber Security Act here
3. Limited Use Provisions
To encourage transparency, companies that voluntarily share information with the National Cyber Security Coordinator or the ASD during a cyber incident benefit from legal protections:
– The information provided cannot be used against them in regulatory or civil proceedings
– Providing the information does not waive legal professional privilege
– This is designed to encourage early engagement with government cyber response teams.
Two caveats matter in practice. Limited use is not a safe harbour: a regulator can still obtain the same information through its own powers, and the protection does not extend to criminal proceedings or to information that was knowingly false. It also does not replace existing mandatory notifications, such as the Notifiable Data Breaches scheme or SOCI incident reporting, which continue to apply.
📘See Allens’ summary on the limited use protections here
4. Minimum Security Standards for Smart Devices
Consumer-grade smart devices supplied in Australia must now meet baseline security standards, with enforcement set to begin 12 months from registration of the rules. The standards mirror the first three provisions of ETSI EN 303 645: no universal default passwords, a published vulnerability disclosure policy, and transparency about the minimum period for which security updates will be provided. Manufacturers and suppliers must provide a statement of compliance, and the Secretary of Home Affairs can issue compliance, stop and recall notices. This aims to reduce the growing risks of poorly secured IoT devices.
📘 See the Cyber Security Legislative Reform Overview here
🧭 What Should Businesses Do Now?
Organisations need to act now to ensure they comply with these new rules:
✅ Review your cyber incident response plans so that the ransomware payment decision, the 72-hour reporting clock and existing NDB and SOCI notifications are all covered
✅ Establish clear internal ransomware reporting workflows, including who authorises a payment, who files the report and who holds the communications record
✅ Train your executive, IT, and legal teams on the new obligations and their timelines
✅ Understand what the limited use protections do and do not cover before sharing information with government
✅ Prepare for CIRB engagement, including information requests, in the event of a significant incident
📘 See the ASD’s Cyber Incident Response Practitioner Guide here
💡 How Curium Can Help
At Curium, we enable insurance organisations, underwriting agencies, and brokers to stay on top of evolving regulation—without the manual overhead.
Our platform automatically:
🔄 Updates compliance workflows when new obligations like the Cyber Security Act come into force
📋 Tracks reporting timelines and provides dashboards for response deadlines
🔐 Supports evidence collection and real-time audit trails
📢 Integrates with internal systems to ensure every team is aligned
📅 Final Thought
These changes are not hypothetical—they’re live, and non-compliance can carry significant reputational and regulatory risk. With the growing frequency and complexity of cyber attacks, regulatory clarity and preparedness are now business-critical.
🧠 If your business needs help operationalising these new rules, reach out to Curium. We make compliance simple, structured, and stress-free.