Why Cybersecurity Is Now a Compliance Issue for Australian Businesses (Not Just an IT Problem)

Jun 05, 2026

There's a conversation happening in boardrooms across Australia right now that didn't exist five years ago.

It used to go like this: "Let's get the IT team to handle the cyber stuff."

Today it sounds more like: "What's our liability if we get breached? Have we met our reporting obligations? Are we covered under the Privacy Act?"

That shift isn't just a change in language. It reflects something fundamental: cybersecurity in Australia is no longer a technical problem sitting in the IT department. It's a legal obligation, a boardroom responsibility and, increasingly, a compliance risk that can cost your organisation millions.

This article breaks down exactly why that shift has happened, what the law now requires, and what it means for your business in 2026.


The Numbers That Changed Everything

Let's start with the reality on the ground.

According to the Australian Signals Directorate's (ASD) Annual Cyber Threat Report 2024–25, over 84,700 cybercrime reports were lodged in Australia in the last financial year — roughly one every six minutes. The ASD's Australian Cyber Security Centre (ACSC) responded to more than 1,200 significant cyber incidents, an 11% rise from the previous year.

But here's what really gets attention in a board meeting: the average cost of a cybercrime incident for Australian businesses has jumped 50% to $80,850. For large businesses, losses increased by 219% in a single year.

These aren't edge cases. These aren't overseas statistics. This is what's happening to Australian businesses right now — and the legal frameworks designed to manage this risk have changed dramatically in response.


What the Law Now Says

The Cyber Security Act 2024

Australia's Cyber Security Act 2024, which passed Parliament in November 2024, introduced some of the most significant cybersecurity obligations ever placed on Australian businesses. Key provisions include:

Mandatory Ransomware Reporting: From 30 May 2025, any business with an annual turnover above $3 million must report ransomware payments or cyber extortion events to the government within 72 hours. This is no longer optional. Non-compliance carries civil penalties.

Smart Device Security Standards: From 4 March 2026, manufacturers and suppliers of consumer smart devices sold in Australia must meet baseline security requirements — no universal default passwords, defined security update periods, and a clear vulnerability reporting process.

This legislation signals something important: the Australian government has moved from an advisory, educative approach to active enforcement.

The Privacy Act 1988 — Now With Real Teeth

For years, the Privacy Act existed but enforcement was relatively rare. That changed.

In December 2024, Parliament passed amendments that dramatically upgraded the consequences of privacy and data security failures:

  • Maximum penalties for serious breaches increased to the greater of $50 million, three times the benefit obtained from the breach, or 30% of the organisation's adjusted annual turnover during the breach period

  • The Office of the Australian Information Commissioner (OAIC) gained new powers to issue infringement notices for failing to maintain compliant privacy policies, with penalties of up to $66,000 per contravention

  • A new statutory tort for serious invasions of privacy came into force in June 2025, opening the door to individual civil claims

These aren't theoretical figures. In 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million in the first-ever civil penalty under the Privacy Act following a 2022 cyberattack on its Medlab Pathology subsidiary. The court found the company had failed to take reasonable steps to protect the personal information of 223,000 individuals.

The OAIC has also made its enforcement priorities clear for 2025–2026: targeting advertising technology, artificial intelligence systems, and excessive data collection and retention — all areas where cybersecurity practices directly intersect with compliance obligations.

The Notifiable Data Breach (NDB) Scheme

Under Australia's Notifiable Data Breach scheme, if your organisation experiences a breach involving personal information that is likely to cause serious harm to individuals, you must notify both the affected people and the OAIC.

According to the OAIC's half-yearly report for July to December 2024, 595 breach notifications were received in that period alone. Malicious or criminal attacks accounted for 69% of all notifications — a 17% increase on the previous six months. Of those, 61% resulted from cybersecurity incidents.

The message is unmistakable: a cybersecurity failure is, for most organisations, also a Privacy Act failure.


So Who Is Actually Responsible?

This is the question that matters most — and where many Australian businesses are still getting it wrong.

The instinct is to assign cybersecurity to the IT manager or an external provider and consider the matter handled. But the law doesn't see it that way.

Under the Work Health and Safety Act, employers have a duty of care that includes protecting workers from harm — and that now extends to digital environments, including employees working from home. Under the Privacy Act, it is the organisation (not the software vendor) that must take "reasonable steps" to protect personal information. Under the Corporations Act, directors have an obligation to manage material risks to the business — and a cyber incident that could cost tens of millions of dollars absolutely qualifies.

The ASD's ACSC has been clear in its guidance: organisations should "assume compromise" and build governance frameworks accordingly. That means cyber risk needs to sit on risk registers, be reported to boards, and be owned at the leadership level — not just managed in the infrastructure team.

For APRA-regulated entities (banks, insurers, superannuation funds), Prudential Standard CPS 234 already sets legally binding information security requirements. But the principle is now spreading: boards and executives who fail to govern cyber risk appropriately face genuine personal and organisational liability.


The Compliance Checklist Australian Businesses Can't Ignore

Based on current legislation and regulatory expectations, here's what compliance now looks like in the cybersecurity space:

1. Know your data: Under the Privacy Act, you cannot protect what you don't know you hold. A data mapping exercise — understanding what personal information you collect, where it's stored, and who has access — is the starting point for every other compliance obligation.

2. Report ransomware payments: If your business turns over more than $3 million and you pay a ransomware demand, you must report it within 72 hours. Failing to do so is a breach of the Cyber Security Act 2024.

3. Maintain a compliant privacy policy: Since December 2024, the OAIC can issue infringement notices for non-compliant privacy policies. This is one of the more straightforward obligations to meet — and one of the easier ones to overlook.

4. Have an incident response plan: When the Australian Clinical Labs case was reviewed, part of the $5.8 million penalty reflected a failure to conduct a "reasonable and expeditious breach assessment" after the incident. Having a tested, documented incident response plan is no longer optional best practice — it's a legal expectation.

5. Train your people: The most sophisticated technical controls in the world don't protect against a staff member clicking a phishing link or misconfiguring a file share. Regulators under the WHS, Privacy Act, Fair Work and Cyber Security Act frameworks all expect, in different ways, organisations to demonstrate that employees have been trained on their obligations and risks.


Why Training Has Moved to the Centre of Compliance

There's a reason the ASD's ACSC has consistently identified human behaviour as a critical factor in most cyber incidents. Phishing, credential theft, and accidental data exposure aren't technology failures — they're human ones.

This is also why regulators don't just ask whether you have security software. They ask whether your people understand the risks, know what to do when something goes wrong, and have been kept current as obligations change.

In the penalty handed down against Australian Clinical Labs, the court specifically noted that failures in the organisation's response — not just the breach itself — contributed to the penalty amount. Being breached is one thing. Failing to respond appropriately, notify in time, and demonstrate reasonable safeguards is what turns an incident into a liability.

For compliance professionals, HR managers, and business owners, this creates a clear responsibility: cybersecurity training is not an IT onboarding task. It's an ongoing compliance function that sits alongside WHS training, privacy training, and anti-money laundering obligations.


What This Means for Your Organisation in 2026

Australia's regulatory environment has shifted significantly, and the pace of change is not slowing down. The OAIC has explicitly signalled it is moving toward active enforcement. The ASD is notifying more organisations of malicious activity than ever before — up 83% year on year. And the cost of incidents continues to climb.

For Australian businesses, the practical takeaway is this: you no longer have the option of treating cybersecurity as purely a technical matter handled somewhere else in the organisation. The law requires you to take reasonable steps, document those steps, train your people, report incidents on time, and demonstrate to regulators — if asked — that you took your obligations seriously.

That is, by definition, a compliance function.


Ready to Strengthen Your Cybersecurity Compliance?

The Australian Compliance Institute offers a Cybersecurity Fundamentals & Compliance course built specifically around Australia's current regulatory landscape — covering the Privacy Act, the Cyber Security Act 2024, the Notifiable Data Breach scheme, and the Essential Eight framework.

It's self-paced, accredited, and designed for professionals who need to understand not just what the law requires, but how to apply it in a real workplace.