Navigating Australia’s evolving cyber regulatory landscape

Australia’s cyber regulatory environment is rapidly shifting in the face of an escalating threat environment. With the OAIC reporting a 15% increase in data breach notifications from the first half of 2024 to the second half, businesses face mounting pressure to reassess their cyber security posture to reflect the current landscape. 

In this article, the first in a series for Cyber Security Awareness Month, we discuss the key developments in Australia’s cyber regulatory framework over the past 12 months. We also address the critical role of boards and directors in cyber risk management and examine the increasingly proactive enforcement stance adopted by regulators.

Australia’s cyber regulatory framework

Privacy Act

Tranche 1 reforms commenced

The commencement of the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), which received Royal Assent on December 10, 2024, marked the first major set of reforms to the Privacy Act 1988 (Cth) (Privacy Act).

These 'Tranche 1' changes clarify the meaning of ‘reasonable steps to protect personal information’ required for compliance with Australian Privacy Principle (APP) 11. 'Reasonable steps' now explicitly encompass both technical and organisational measures, in line with the European General Data Protection Regulation (GDPR). This can include deploying modern technical controls (such as encryption and firewalls) and implementing essential organisational governance, including staff training, data governance and robust data protection policies. Businesses must assess and implement these measures in a way that is proportionate to its size, resources, the sensitivity and volume of personal information it holds, and the specific industry risks it faces. 

Tranche 1 changes also introduce new and increased penalties for privacy breaches. Businesses now face an extensive, tiered penalty regime, intended to capture a broad range of contraventions of the Privacy Act (not only ‘serious or repeated’ interferences with privacy). 

The penalties are as follows:

• for serious interferences with the privacy of an individual, the greater of A$50 million, three times the benefit, or 30% of adjusted turnover;
   
• for interferences with the privacy of an individual, a maximum penalty of 10,000 penalty units for bodies corporate (currently A$3.3 million); and
   
• for a breach of any of the provisions of the APPs prescribed in the Bill, a maximum penalty of 1,000 penalty units for bodies corporate (currently A$330,000).

Under the changes, OAIC enforcement capabilities have also been expanded. The Office of the Australian Information Commissioner (OAIC) has been granted new investigatory, monitoring and enforcement powers including powers to:

• conduct public inquiries;
   
• search premises for evidence;
   
• make copies of information specified in a warrant;
   
• operate electronic materials to determine whether the information specified in a warrant are accessible; and
   
• seize evidential material.

The OAIC can also make determinations requiring businesses to identify and mitigate reasonably foreseeable loss to individuals. 

Find out more about these reforms in Privacy Act reforms: work to be done, but more to come and Australia’s ongoing privacy reforms: bolstering Australia’s privacy regulatory framework.

Tranche 2 reforms to come 

Further shifts in Australia’s cyber regulatory framework are on the horizon. While the precise timeline and scope of ‘tranche 2’ reforms to the Privacy Act remain unknown, the Attorney-General recently indicated that these are imminent. Key proposals expected in this next phase of privacy reform include:

• Removal of small business and employee exemption: This would extend the Privacy Act’s obligations to (i) businesses with annual turnover of less than A$3 million and (ii) private sector employers’ handling of employee records.
   
• New definition of personal information: An expanded definition of ‘personal information’ to cover technical identifiers or data such as IP addresses, device IDs and location data.
   
• A ‘fair and reasonable’ use test: This would require businesses to collect, use and disclose personal information that a reasonable person would consider ‘fair and reasonable’, notwithstanding any consent provided by the individual.
   
• Expanded individual rights: New rights may be introduced, including a right to erasure or right to be ‘forgotten’ and a right to object to certain data practices.

SOCI Act

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (SOCI Amendment Act) introduced a number of reforms to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), aimed at sharpening businesses’ cyber security obligations. Changes of particular significance include:

• regulating the internal data storage systems used to store or process business critical data as critical infrastructure assets themselves. Consequently, responsible entities will need to expand their risk management programs and incident notification procedures to include any systems which store or process business critical data of their primary critical infrastructure assets;
   
• enabling the government to exercise its information gathering and action directions powers in respect of any incidents affecting a critical infrastructure asset, not just cyber incidents; and
   
• providing regulators with the ability to direct responsible entities to improve their critical infrastructure risk management programs.

Our insight, Australia introduces Comprehensive Cyber Security Legislation, explores these changes in more detail.

Cyber Security Act

The Cyber Security Act 2024 (Cth) (Cyber Security Act) was enacted in November 2024 to further improve Australia's national cyber resilience and address evolving threats by facilitating information sharing between the private sector and the federal government. 

A key feature of the Cyber Security Act is the mandatory reporting of ransom and cyber extortion payments. Since 30 May 2025, any entity that carries on business in Australia with at least $3 million annual turnover, or a ‘responsible entity’ for a critical infrastructure asset under the SOCI Act, must report any ransomware or cyber extortion payments made by it (or in its behalf) to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of payment.

There is no obligation to report ransomware or extortion demands generally though, so if a business elects not to pay a ransomware demand, there is no reporting obligation.

The Cyber Security Act also establishes a new voluntary cyber incident reporting regime to the National Cyber Security Coordinator, supported by the National Office of Cyber Security (NOCS). This regime is intended to encourage organisations to disclose information concerning both significant and non-significant cyber security incidents. Crucially, the legislation imposes strict limitations on how the NOCS can use and disclose voluntarily provided information, especially in the context of significant incidents. This offers assurance that the information will not be used to pursue regulatory or civil enforcement action against the reporting entity.

Finally, the Cyber Security Act introduces Mandatory Security Standards for Smart Devices the Cyber Incident Review Board. The security standards, which will take effect in March 2026, will mandate certain minimum security requirements (such as prohibiting universal default passwords) for Internet of Things (IoT) devices supplied in Australia, impacting manufacturers and suppliers. The CIRB is an independent advisory body established to conduct ‘no-fault, post-incident’ reviews of significant cyber incidents to draw lessons and provide recommendations to enhance national prevention and response capabilities.

Our insight, Australia introduces Comprehensive Cyber Security Legislation explores the Cyber Security Act in more detail.

Directors’ duties: cyber as a foreseeable, board-level risk

Directors must act in their company’s best interests, including taking reasonable steps to avoid foreseeable harm. The Australian Securities and Investments Commission (ASIC) has made clear that it considers cyber to be a foreseeable risk of harm to be managed by directors in fulfilling their duties. While ASIC has not yet pursued legal action against directors in the cyber context for breach of directors’ duties, ASIC Chairman Joe Longo has stated that:

“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses.”

ASIC has further stated that it intends on “bringing the full force of the law against those found to have failed in their duties” in relation to cyber-attacks, data breaches and internal system failures.

Businesses and directors need to proceed on the basis that cyber risk is real, foreseeable and falls squarely within directors’ remit, and that failure to implement adequate cyber risk management measures may constitute a breach of directors’ duties. We discuss some of these obligations in ‘Shields’ and ‘horizons’: key takeaways from the 2023-2030 Australian Cyber Security Strategy.

Cyber is no longer an issue reserved for management. Directors must ensure that their businesses have the appropriate governance and resourcing in place in respect of cyber. 

In practical terms, directors should ensure that:

• they understand the business’ technology stack, the key information assets and critical systems, including the processes in place to ensure business continuity;
   
• they are receiving sufficient information to effectively oversee the business’ cyber security practices. Cyber should be a standing item on board meeting agendas;
   
• management have paid due attention to the risks posed by suppliers and other members of the supply-chain;
   
• the business has adequate resources in place to prepare for, respond to, and recover from a cyber incident;
   
• there is a clear delineation of responsibilities between management and the Board in respect of cyber (for instance, decisions as to whether to pay a ransom may be reserved for the Board); and
   
• the business’ cyber security procedures are regularly tested and updated. In addition to operational and management testing, the Board should participate in cyber incident simulations to understand and refine the decisions likely to be required in the event of an incident. 

Regulatory action around cyber security breaches

Recent proceedings commenced by the OAIC and ASIC demonstrate a significant and coordinated enforcement appetite for cyber and information security issues throughout 2025. Some examples are discussed below.

OAIC v Optus 

In August 2025, the OAIC commenced civil penalty proceedings against Singtel Optus Pty Ltd & Optus Systems Pty Ltd (Optus) in the Federal Court concerning its 2022 data breach. The OAIC’s central allegation is that Optus failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the size and the risk profile of Optus. The OAIC alleges one contravention per affected individual, amounting to approximately 9.5 million contraventions. As the breach occurred under the Privacy Act’s previous penalty regime, the Federal Court has the power to impose a maximum civil penalty of $2.2 million per contravention. The penalty is therefore expected to be substantial.

OAIC v Australian Clinical Labs 

Australian Clinical Labs (ACL) faced a data breach in February 2022 that resulted in the theft of 86 gigabytes of sensitive data, including health and financial information, affecting over 223,000 individuals. Following this, the OAIC commenced proceedings against for failing to take reasonable steps to protect personal information. The OAIC alleged ACL:

• did not adequately invest in cybersecurity (allocating only $350,000 out of a $1.3 million IT budget to security);
   
• failed to assess risks during the Medlab acquisition;
   
• performed a ‘manifestly inadequate’ post-incident investigation; and
   
• failed to notify the Commissioner of the breach as soon as practical. 

On 29 September 2025, ACL agreed to a civil penalty of $5.8 million and proposed to contribute $400,000 to cover the OAIC’s legal costs. 

ASIC v FIIG Securities Ltd 

In March 2025, ASIC commenced proceedings against FIIG Securities Limited. It alleged systemic failures over four years that enabled a major data breach affecting 18,000 clients. ASIC also raised concerns that FIIG did not investigate or respond to the incident for almost a week after being notified of potential malicious activity. This case highlights the need for robust technical controls, incident response planning, and ongoing staff training. Per ASIC Chair Joe Longo, it “should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.”

ASIC v wealth management business

In July 2025, ASIC commenced separate proceedings against another wealth management business. This case focuses primarily on governance and oversight failures, alleging the company failed to adequately manage and mitigate cybersecurity risks. ASIC alleges that this failure led to multiple cyber incidents by its aligned authorised representatives, including a breach where the personal information of some clients of their authorised representatives was published on the dark web. ASIC's allegations specifically cite insufficient supervision of the company’s authorised representatives.

Key takeaways around cyber security regulation

The Australian Government remains focused on the cyber risk posed to Australian businesses and the impact that they might have on Australia’s economy and national security. These concerns are fuelling tighter regulation and a more complex legal landscape.  

Recent cyber incidents have exposed the reputational and financial toll on businesses. Now, increased enforcement by regulators such as ASIC and the OAIC puts directors on notice: significant penalties may also follow a breach.

Rising threats and tighter regulation make regular cyber governance reviews and a focus on uplift and improvement a boardroom imperative.