Cyber Security Act 2024: What Australian Financial Institutions Need to Know
The Cyber Security Act 2024 is Australia's first standalone cyber security legislation. Passed in November 2024 and entering force in stages through 2025-2026, it introduces mandatory ransomware payment reporting, a Cyber Incident Review Board, minimum security standards for IoT devices, and safe harbour protections that encourage incident disclosure. For financial services firms already navigating APRA CPS 234, SOCI Act obligations, and the Notifiable Data Breaches scheme, the Cyber Security Act adds another layer of mandatory reporting with tight timelines.
This guide covers every obligation relevant to APRA-regulated entities and explains how the Act interacts with your existing cyber compliance framework.
Why This Act Matters for Financial Services
Financial services firms face a unique convergence of cyber obligations:
- APRA CPS 234 requires information security capability, incident notification to APRA within 72 hours, and third-party security management
- SOCI Act classifies banking and superannuation as critical infrastructure sectors with mandatory incident reporting
- Privacy Act (NDB scheme) requires notification to the OAIC and affected individuals for eligible data breaches
- Cyber Security Act 2024 now adds ransomware payment reporting to ASD and enables no-fault incident reviews
A single cyber incident at an ADI or super fund could trigger four parallel reporting obligations, each with different timelines, different regulators, and different thresholds. Understanding the Cyber Security Act is essential to coordinating your incident response without missing a deadline.
Mandatory Ransomware Payment Reporting
This is the centrepiece obligation for most businesses. Under sections 12-16 of the Act:
- Who must report: Any entity that makes a ransomware payment, or becomes aware that a ransomware payment has been made on its behalf (e.g. by a cyber insurer or incident response firm)
- Reporting timeline: Within 72 hours of making or becoming aware of the payment
- Report to: The Australian Signals Directorate (ASD)
- What to include: Details of the incident, the payment amount, the cryptocurrency wallet or payment method used, any communication with the threat actor, and what data or systems were affected
Small Business Exemption
Entities with annual turnover below $3 million are exempt from mandatory reporting. This exemption is irrelevant for APRA-regulated entities, all of which exceed the threshold.
Practical Implications for Financial Institutions
Most large ADIs and insurers have policies prohibiting ransomware payments. However, the obligation extends beyond direct payments. If your cyber insurer negotiates and pays a ransom on your behalf, or if a third-party incident responder facilitates a payment, you must still report within 72 hours of becoming aware. Your incident response plan needs to account for this.
Safe Harbour Provisions
The Act's safe harbour is designed to overcome the historical reluctance of Australian businesses to report cyber incidents. Under sections 18-22:
- Limited use obligations: Information in a ransomware report cannot be used as evidence against the reporting entity in most civil or criminal proceedings
- No regulatory action: Regulators (including APRA, ASIC, and AUSTRAC) cannot use the contents of a ransomware report as the sole basis for enforcement action against the entity
- No admission: Making a report is not an admission of liability, fault, or regulatory non-compliance
- Exception: Safe harbour does not apply if the entity made materially false or misleading statements in the report
For financial institutions, this is significant. The safe harbour means you can report a ransomware payment to ASD without that report being used by APRA to impose licence conditions or capital charges. This is a deliberate policy choice to prioritise national threat intelligence over individual enforcement.
Cyber Incident Review Board (CIRB)
The CIRB is modelled on the US Cyber Safety Review Board and the Australian Transport Safety Bureau (ATSB). Under sections 28-38:
- Purpose: Conducts no-fault, post-incident reviews of significant cyber security incidents to identify systemic lessons
- Scope: Can review incidents affecting critical infrastructure, government, or incidents the Minister considers nationally significant
- Powers: Can compel production of documents and information from affected entities, service providers, and incident responders
- No-fault approach: Like the ATSB model for aviation accidents, the CIRB's findings cannot be used to attribute individual blame or support enforcement proceedings
- Published reports: The CIRB publishes de-identified findings and recommendations for the broader industry
The April 2025 coordinated super fund cyber attacks (AustralianSuper, Rest, Hostplus, Cbus) are exactly the type of incident the CIRB is designed to review. Expect CIRB reports to set de facto standards that APRA then incorporates into supervisory expectations.
IoT Security Standards
Under sections 39-46, the Act introduces mandatory minimum security standards for internet-connected devices sold in Australia:
- No default passwords: Devices must not ship with universal default passwords
- Vulnerability disclosure: Manufacturers must publish a vulnerability disclosure policy
- Security updates: Manufacturers must state the minimum period for which security updates will be provided
- Scope: Covers smart devices, industrial sensors, connected vehicles, and consumer IoT
While this primarily affects manufacturers, financial institutions that deploy IoT devices (ATMs, smart building systems, branch security cameras, connected POS terminals) should verify that their procurement standards align with the new baseline.
Interaction with Existing Obligations
| Obligation | Regulator | Timeline | Threshold |
|---|---|---|---|
| Ransomware payment report (Cyber Security Act) | ASD | 72 hours | Any payment made or known |
| Material incident notification (CPS 234) | APRA | 72 hours | Material information security incident |
| Critical infrastructure incident (SOCI) | ASD / Home Affairs | 12-72 hours | Significant or relevant impact on critical asset |
| Notifiable data breach (Privacy Act) | OAIC | 30 days (assessment) then ASAP | Eligible data breach likely to cause serious harm |
| Continuous disclosure (ASX) | ASX / ASIC | Immediately | Material price-sensitive information |
A ransomware attack on an ADI that involves data exfiltration could trigger all five reporting streams simultaneously. Your incident response plan needs a reporting coordinator who understands each threshold and timeline.
CPS 234 and the Cyber Security Act: Coordination Points
APRA CPS 234 requires entities to:
- Maintain information security capability commensurate with the size and extent of threats to information assets
- Implement controls to protect information assets and undertake systematic testing
- Notify APRA of material information security incidents within 72 hours
- Ensure third parties managing information assets maintain information security capability
The Cyber Security Act does not replace CPS 234 obligations. You must report to both ASD (for ransomware payments) and APRA (for material incidents) on the same 72-hour timeline. However, the safe harbour means APRA cannot use the ASD report as the sole basis for enforcement action against you.
After the April 2025 Super Fund Attacks
APRA mandated CPS 234 self-assessments by August 2025 for all super funds and is now conducting special reviews. The Cyber Security Act's CIRB will likely review the incident separately, producing recommendations that may inform future APRA guidance. Entities should prepare for tighter supervisory expectations on credential stuffing defences, API security, and member notification processes.
Compliance Checklist for Financial Institutions
- Update incident response plans to include ASD ransomware reporting alongside APRA CPS 234, SOCI, and NDB notification procedures
- Designate a reporting coordinator who understands all four parallel reporting obligations and their thresholds
- Review cyber insurance policies to ensure ransomware payment reporting obligations are addressed if the insurer pays on your behalf
- Document your ransomware payment policy (whether prohibition or case-by-case assessment) and ensure it addresses the 72-hour reporting requirement
- Prepare CIRB cooperation procedures so your organisation can respond to information requests without compromising legal privilege
- Audit IoT device procurement against the new minimum security standards for any connected devices in your environment
- Train incident response teams on the safe harbour provisions so staff are not deterred from reporting by fear of regulatory consequences
- Run a tabletop exercise on a scenario that triggers all five reporting streams to test coordination and identify gaps
Key Dates and Timeline
| Date | Milestone |
|---|---|
| November 2024 | Cyber Security Act 2024 receives Royal Assent |
| Early 2025 | Ransomware payment reporting obligations commence |
| Mid 2025 | IoT security standards take effect for new devices |
| 2025-2026 | CIRB becomes operational, first reviews commence |
| Ongoing | Mandatory vulnerability disclosure obligations phased in |
Penalties
Failure to report a ransomware payment within 72 hours attracts civil penalties. The Act does not impose criminal penalties for late reporting, but persistent non-compliance could trigger enforcement action. For APRA-regulated entities, the more significant risk is that a failure to report indicates broader weaknesses in incident response capability, which could prompt APRA supervisory action under CPS 234.
This guide is for informational purposes and does not constitute legal advice. Consult qualified cyber security and compliance professionals for specific obligations.