New cyber security rules: What governance professionals need to know

Under the Cyber Security (Ransomware Payment Reporting) Rules 2025 (Cth), entities with an annual turnover of at least AUD 3 million must report ransomware payments, and the Cyber Security Act 2024 (Cth) requires that report within 72 hours of the payment being made. That is one of the new rules now registered under the Cyber Security Act 2024 (Cth) and the Security of Critical Infrastructure Act 2018 (Cth).
An entity that makes a ransomware payment must disclose specific details: when the incident occurred and when it was discovered, the impact on infrastructure and customers, the type of malware used, and the system vulnerabilities exploited. It must also report the ransom demanded, the amount paid, the payment method, and any communications with the threat actor.
These rules largely reflect the draft proposal but now make explicit that non-monetary ransom demands must also be reported, so that cyber extortion incidents are captured whether or not money changes hands. The Ransomware Payment Reporting Rules commence on 30 May 2025, while the Security Standards for Smart Devices Rules commence on 4 March 2026.
The Cyber Security (Cyber Security Incident Review Board) Rules 2025 (Cth) have been registered and set the framework for reviews conducted by the newly established Cyber Incident Review Board. The rules set out how review panels are formed and their terms of reference, the appointment, resignation and termination of Board members, and the establishment of an Expert Panel to provide technical guidance.
These provisions also take effect on 30 May 2025, from which point the Minister for Home Affairs can appoint Board members and initiate reviews of significant cyber incidents.
The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (Cth) impose stricter security obligations on telecommunications providers. These rules aim to enhance resilience against cyber threats targeting critical communication networks.
Other changes include:
- Security Standards for Smart Devices Rules set security standards for internet-connected products, excluding devices like computers, smartphones, and vehicles.
- Clarifications on reporting procedures for cyber incidents.
- Refinements in language concerning the Cyber Security Incident Review Board’s operations.
- Greater detail on compliance obligations for organisations handling critical infrastructure.
Taken together, these changes reinforce accountability, transparency and resilience in cyber security governance. Boards and risk committees should update internal policies and incident response plans (including who decides on, and who reports, a ransomware payment within the 72-hour window), strengthen cyber security risk assessments, and brief key personnel on their reporting obligations. These regulations mark a significant step toward safeguarding Australia's digital and critical infrastructure.