Australia now has its own Cyber Incident Review Board. For business owners, COOs, CTOs, and anyone responsible for IT decisions, that is genuinely good news. The Australia Cyber Incident Review Board (CIRB), established under the Cyber Security Act 2024, represents a major shift in how this country learns from serious cyber incidents. It is not about punishment. It is about building a smarter, more resilient national response to the cyber threats that are growing in frequency and sophistication every year.
This post explains what the CIRB is, how it works, what it means for Australian businesses, and what practical steps you can take right now to position your organisation well.
What Is the Australia Cyber Incident Review Board?
The Australia Cyber Incident Review Board is an independent statutory advisory body created under the Cyber Security Act 2024. The Act received Royal Assent in November 2024, marking Australia’s first standalone piece of cybersecurity legislation. The CIRB began its formation process in late 2025, with expressions of interest called for board membership in October of that year.
The board exists to conduct what are called “no-fault, post-incident reviews” of significant cyber security incidents that affect Australia. The term “no-fault” is important here. The CIRB is not a regulator. It is not a court. It does not fine businesses, assign blame, or determine legal liability. Its sole purpose is to understand what happened during a major cyber incident and share those learnings so that everyone, across government and industry alike, can do better next time.
Think of it as the cyber equivalent of the Australian Transport Safety Bureau. When a serious transport accident occurs, the ATSB investigates what went wrong and publishes findings to prevent future accidents. Nobody gets prosecuted by the ATSB. The goal is learning, not punishment. The CIRB follows the same philosophy, applied to the digital world.
How the Australia Cyber Incident Review Board Works
Understanding the structure and process of the CIRB helps demystify what it actually does in practice.
Board Composition
The CIRB consists of:
- A Chair, appointed by the Minister for Cyber Security
- Between two and six Standing Members, also appointed by the Minister
- An Expert Panel drawn from across industry, academia, and legal and cyber security professions
- Support staff from the Department of Home Affairs
Appointments are for a maximum term of four years. For specific incident reviews, the Chair selects a review panel from the Standing Members and relevant Expert Panel members with expertise suited to that particular incident.
How a Review Is Triggered
A review can be initiated by several parties:
- The Minister for Cyber Security
- The National Cyber Security Coordinator
- An entity directly impacted by the incident
- A member of the board itself
Crucially, the CIRB only begins its review after the initial incident response is complete. This means organisations dealing with an active cyber attack are not distracted by a board investigation while they are still managing the crisis.
Information Gathering
The CIRB can request information voluntarily from any entity involved in or affected by the incident. If those voluntary requests are unsuccessful, the Chair holds limited powers to compel the production of documents and information. Failure to comply with a compelled request can result in a civil penalty.
Importantly, there are “limited use” obligations protecting information provided to the CIRB. Information shared with the board generally cannot be used against the reporting entity for civil or regulatory contraventions. The final report itself is also not admissible as evidence in court proceedings. This protection is designed to encourage open and honest engagement with the review process.
Reporting and Recommendations
After completing its review, the CIRB produces a final report with findings and recommendations. That report is provided to the Minister and its insights are shared in a way that:
- Protects sensitive and classified information
- Does not identify individuals
- Does not allow adverse inferences to be drawn against specific organisations
The recommendations are directed at both government and industry, aiming to improve prevention, detection, response, and impact minimisation for future incidents.
What This Means for Australian Businesses
A Shift in National Cyber Culture
The establishment of the CIRB signals a meaningful shift in how Australia approaches cybersecurity at a systemic level. For too long, cyber incidents have been treated primarily as individual failures, something that happened to one company because it did not do enough. The CIRB changes that framing.
By conducting no-fault reviews, the board acknowledges that complex cyber incidents often involve systemic factors, shared infrastructure, supply chain vulnerabilities, and threat techniques that no single organisation could have anticipated alone. That is a more honest and productive way to address the problem.
For businesses, this shift means the collective learnings from major incidents will flow back through industry guidance, updated standards, and practical recommendations. You benefit from what other organisations experienced, without those organisations having to fear that cooperating with the review will expose them to liability.
The Broader Legislative Context
The CIRB does not exist in isolation. It is part of a broader suite of changes introduced by the Cyber Security Act 2024. Some of those changes carry direct compliance obligations for businesses that you should be aware of:
Mandatory ransomware payment reporting: If your business has an annual turnover exceeding $3 million, you are now legally required to report ransomware payments to the government within 72 hours of making or becoming aware of a payment. This obligation commenced on 30 May 2025. The report must include details about the incident, the demand, the payment, and any communications with the threat actor. Failure to comply can result in substantial civil penalties.
Broader mandatory incident reporting: The Act introduces obligations for entities above a certain turnover threshold to report a wider range of cyber incidents, extending beyond ransomware to include things like denial-of-service attacks and malware incidents.
Smart device security standards: Manufacturers and suppliers of internet-connected devices in Australia are now subject to mandatory security standards. If your business uses or supplies IoT or network-connected equipment, this is relevant.
Expanded SOCI Act obligations: The definition of critical infrastructure has been broadened to include data storage systems holding business-critical data. If your organisation falls under the Security of Critical Infrastructure Act, your obligations may have expanded.
These obligations do not all apply to every business equally. However, they do signal the direction of travel. Australia is moving toward a regulatory environment where cybersecurity is treated as a genuine business responsibility, not just an IT problem.
Why the Australia Cyber Incident Review Board Actually Matters
Learning at Scale
One of the most persistent problems in cybersecurity is that the lessons from major incidents are rarely shared broadly. A company experiences a devastating breach, spends months recovering, develops hard-won internal insights about what went wrong, and then those insights stay internal. Sometimes there is legal risk in sharing. Sometimes there is reputational risk. Often there is just no mechanism to share effectively.
The CIRB creates that mechanism. By conducting structured, no-fault reviews and publishing recommendations, it enables the entire Australian business community to learn from incidents that may have directly affected only a handful of organisations.
Building National Resilience
Australia has experienced a number of high-profile cyber incidents in recent years. Those incidents exposed real gaps in how we, as a country, detect, respond to, and recover from cyber attacks. The CIRB is designed to address those gaps systematically, not just reactively.
When the board completes a review and publishes recommendations, those recommendations can drive changes in government policy, industry standards, and best-practice guidance. Over time, this creates a more robust national cybersecurity baseline that benefits all businesses operating in Australia.
Protection for Businesses That Cooperate
The “limited use” protection built into the CIRB framework is particularly significant for businesses. It means that if your organisation is involved in a CIRB review, the information you provide in good faith generally cannot be turned against you in regulatory proceedings. That is a meaningful protection, and it is designed specifically to encourage honest, detailed engagement with the review process rather than defensive, lawyered responses.
Alignment with Global Best Practice
Australia is not the first country to establish this kind of body. The United States has operated a Cyber Safety Review Board since 2022, and various other jurisdictions have similar mechanisms. Australia’s CIRB draws on those international models while adapting them to the local regulatory and business environment. This alignment with global best practice matters for Australian businesses operating internationally, because it signals that Australia is taking cybersecurity governance seriously at a national level.
What You Should Do Right Now
The CIRB is operational. The Cyber Security Act 2024 is law. Here is what Australian business leaders should be doing in response.
Review Your Cyber Incident Response Plan
If you do not have a documented incident response plan, create one. If you have one, review it against the current legislative landscape. Your plan should address:
- How you would detect and contain a cyber incident
- Who is responsible for making decisions during an incident
- How you would communicate with staff, customers, and partners
- What your reporting obligations are under the new mandatory reporting rules
- How you would document the incident for potential regulatory purposes
Understand Your Reporting Obligations
Check whether your business meets the turnover threshold that triggers mandatory ransomware payment reporting. If it does, make sure your finance and legal teams understand the 72-hour reporting window and the information required. Being unprepared when an incident occurs and then missing the reporting deadline compounds a bad situation significantly.
Invest in Proactive Security
The best outcome from all this legislation is one where you never have to interact with it in a crisis. The practical implication is that businesses need to invest in cybersecurity before an incident occurs, not just in response to one.
That means:
- Regular vulnerability assessments and penetration testing
- Multi-factor authentication across all critical systems
- Employee security awareness training
- Endpoint detection and response (EDR) solutions
- Network monitoring and logging
- Regular, tested backups that are stored securely offline
At Otto IT, our managed cyber security services are designed to give businesses ongoing protection without requiring them to build an in-house security operations team. We handle the monitoring, detection, and response so you can focus on running your business.
Engage With Published Guidance
As the CIRB completes reviews and publishes recommendations, those findings will represent some of the most actionable, Australia-specific cyber security guidance available. Make a habit of reviewing published CIRB outputs and considering how the recommendations apply to your business.
General Advice for Business Leaders
You do not need to be a technical expert to lead on cybersecurity in your organisation. What you need is to ask the right questions, ensure the right people are accountable, and make sure your organisation treats cyber risk with the same seriousness as financial or operational risk.
Some practical questions to ask your IT team or managed security provider today:
- What is our current exposure to ransomware, and how would we respond to an attack?
- Do we meet the mandatory reporting thresholds under the Cyber Security Act 2024?
- When did we last test our incident response plan?
- Are our backups tested, current, and stored in a way that protects them from ransomware?
- Do we have visibility across all devices and users on our network?
- What would happen if our primary IT systems went offline for 48 hours?
If you do not have good answers to those questions, that is where to start. Good cybersecurity is not about having the most sophisticated technology. It is about having the right foundations, the right processes, and the right people in place before something goes wrong.
Frequently Asked Questions
Does the CIRB affect all Australian businesses?
Not directly. The CIRB conducts reviews of significant cyber incidents that affect national security, social stability, or economic stability, or that involve novel attack methods. Most businesses will not be directly involved in a CIRB review. However, all businesses benefit from the guidance and recommendations that the CIRB publishes following its reviews.
Can the CIRB penalise my business for a cyber incident?
No. The CIRB is explicitly a no-fault body. It does not assign blame, impose penalties, or make findings of liability. Its purpose is learning and recommending, not enforcement.
What happens if my business is asked to participate in a CIRB review?
If you are asked to cooperate voluntarily, you should engage openly and honestly. The information you provide is generally protected under “limited use” obligations, meaning it cannot typically be used against you in regulatory proceedings. If you are compelled to provide information and do not comply, you may face civil penalties, so taking any formal request seriously is important.
Are there penalties for not reporting a ransomware payment?
Yes. If your business has an annual turnover of more than $3 million and you make a ransomware payment without reporting it within 72 hours, you may face substantial civil penalties under the Cyber Security Act 2024.
How do I know if my business is covered by the mandatory reporting rules?
The current threshold for ransomware payment reporting is an annual turnover of more than $3 million. Broader mandatory incident reporting thresholds are still being finalised. If you are unsure whether your business is covered, speak with your legal counsel or managed IT provider. You can also contact the Otto IT team for guidance specific to your situation.
Where can I find CIRB reports and recommendations?
CIRB findings and recommendations are published through the Department of Home Affairs. The Home Affairs website (homeaffairs.gov.au) is the primary source for updates on the board’s activities and published outputs.
What is the difference between the CIRB and the Australian Cyber Security Centre (ACSC)?
The ACSC is the operational body responsible for providing cyber security advice and assistance to Australian organisations and coordinating the national response to significant cyber incidents. The CIRB is a separate, independent body that reviews incidents after the fact to identify lessons learned. They serve complementary roles, with the ACSC focused on real-time response and the CIRB focused on systemic improvement through post-incident analysis.
The Bottom Line
The Australia Cyber Incident Review Board represents a genuine step forward in Australia’s approach to national cyber resilience. For business leaders, the message is clear: cyber security is no longer just an IT conversation. It is a regulatory, operational, and strategic one.
The CIRB will not come knocking on your door unless you are involved in a nationally significant cyber incident. But the legislation it sits within, and the standards and guidance it will generate, will shape the cybersecurity expectations placed on Australian businesses for years to come.
Now is the time to get ahead of it. Review your incident response plan, understand your reporting obligations, and invest in proactive protection.
If you want to understand how your business stands against current cyber threats and obligations, our team at Otto IT can help. Explore our managed cyber security services or get in touch today for a no-obligation conversation.
This post is intended for general information purposes only and does not constitute legal advice. For specific legal obligations under the Cyber Security Act 2024, please consult a qualified legal professional.