Why it Matters
The scope of the Act broadens the range of organisations directly affected by mandatory cyber incident reporting. This change emphasises that strong cyber security controls are no longer just an operational consideration, but a compliance imperative.
Most significantly, it mandates compliance for smaller organisations that do not have, and likely cannot afford, a chief information security officer (CISO) or a dedicated security and risk team. In practice this means that most chief information officers (CIOs) are now directly responsible for mandatory compliance. Because non-compliance is backed by civil penalties, CIOs can expect their organisation's directors to demand evidence of how the company will respond in the event of a cyber incident.
CIOs now face pressure to upgrade their incident response capabilities so that cyber incidents can be detected, contained, investigated and reported within the mandated timeframe. This involves not only technological solutions but also established playbooks, trained personnel, and clear communication channels.
ICT leaders who invest in proactive cyber incident response plans are better positioned to navigate the complexities of the modern cyber landscape, satisfy the board's demands, and meet the obligations of the new mandates.
Who’s Impacted?
- Chief Information Officer (CIO): Can no longer assume that cyber incident response can be delegated entirely to managed security partners or treated as a purely technical matter. CIOs must immediately develop, document, and implement cyber incident plans that cover a wide range of potential incidents. Where such plans are already in place, they should be reviewed for how well they align with the new mandatory reporting requirements and meet the demands of the legislation. CIOs should also ensure that cyber incident responses are rehearsed regularly, so that all stakeholders are thoroughly familiar with their roles.
- Chief Information Security Officer (CISO): Most CISOs will already be familiar with Australian mandated reporting requirements. They should work closely with the CIO, HR and board-level executives to ensure that incident response plans meet the government requirements; that plan documentation is both well secured from cyber criminals and readily available during a cyber incident (in other words, held as an 'offline resource' that does not depend on the very systems, email or file shares that may be encrypted or compromised); and that cyber incident responses are rehearsed regularly.
- Legal Counsel/Compliance Officer: Must advise on legal obligations under the new Act and ensure internal policies align with regulatory demands.
- Finance Directors/CFOs: Should be aware of the financial implications of non-compliance (penalties) and the costs associated with strengthening cyber security.
- Business Unit Leaders: Must understand their role in recognising and escalating incidents for reporting, and the potential impact of cyber incidents on their operations.
Next Steps
- Review Applicability: Determine if your organisation meets the criteria for mandatory reporting under the new Act (annual turnover > AUD 3 million or critical infrastructure entity).
- Assess Current Incident Response Capabilities: Evaluate existing incident response plans and tools against the 72-hour reporting requirement to ensure compliance. Identify gaps in detection, analysis, containment, and communication processes, paying particular attention to how quickly an incident is recognised and escalated, since the reporting clock cannot be met if awareness of the incident is itself delayed.
- Seek Specialist Advice: Consider engaging independent cyber security advisors for a gap analysis against the new regulations and to assist with developing compliant response plans. If your organisation is an IBRS client, open an inquiry and have your cyber incident response processes reviewed for completeness and best practices by IBRS’s independent advisors.
- Develop or Refine Ransomware Response Playbooks: If not already in place, create clear, documented procedures specifically for ransomware incidents, including steps for data recovery, notification, and mandatory reporting. Request templates from IBRS and then a whiteboard session to tailor the template to meet your organisation’s needs.
- Establish Communication Protocols: Define internal and external communication channels for incident notification, including those for legal, executive leadership, and relevant government authorities.
- Plan and Conduct Tabletop Exercises: Simulate ransomware and other cyber incident scenarios to test the effectiveness of incident response plans, identify bottlenecks, and train relevant personnel on their roles and responsibilities. IBRS conducts many of these exercises for our clients, so please contact us to request our assistance in planning and executing them within the context of your organisation.
- Review Vendor Contracts: Assess third-party vendor and managed service provider agreements to understand their responsibilities in the event of a cyber incident affecting your data or systems, particularly concerning reporting requirements. A vendor's obligation to notify you must leave enough time for your organisation to meet its own reporting deadline, so contractual notification windows should be materially shorter than 72 hours.
- Allocate Resources: Ensure adequate budget and personnel are available to enhance cyber security posture and incident response readiness in line with the new Act.