Australia: Federal Cybersecurity Review (February 2023)

Latest developments

In addition to the Privacy Act review mentioned in chapter 4, which includes recommendations regarding security of personal information, in February 2023, the Albanese Government released a discussion paper considering various options for regulatory reform in respect of cybersecurity (Cybersecurity Discussion Paper).


An Expert Advisory Board appointed by Australia’s first ever Minister for Cyber Security, the Honourable Claire O’Neil MP, released the Cybersecurity Discussion Paper regarding the development of Australia’s Cyber Security Strategy for 2023-2030 (Strategy). The Strategy will be progressed in parallel with the Australian Government’s other digital and data related priorities, including the Attorney General Department’s review of the Privacy Act and the ACCC’s Digital Platform Services Inquiry 2020-25.

Three core areas of policy which will be included in the Strategy are:

  • Enhancing and harmonising regulatory frameworks;
  • Strengthening Australia’s international strategy on cyber security; and
  • Securing government systems.

The questions for consultation include:

  • Whether obligations on company directors should specifically address cyber security risks and consequences;
  • Whether Australia should introduce a Cyber Security Act (with an aim to draw together existing (and, likely, future) cyber-specific legislative obligations and standards across industry and government) and what should be included in any such legislation;
  • Whether the definition of ‘critical infrastructure asset’ under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) should be broadened to include customer data and systems (our articles about the SOCI Act can be found here and here);
  • In relation to the payment of ransoms and extortion demands by cyber criminals:
    • Whether the Government should prohibit payment by victims of cybercrime and/or insurers and, if so, under what circumstances;
    • Whether the Government should clarify its position regarding the payment of ransoms by companies and the circumstances in which this may constitute a breach of law (for example, currently this may be caught by terrorism financing legislation or the sanctions regime); and
    • Whether a mandatory reporting regime should be implemented in respect of such payments;
  • Whether reporting and response requirements following a major cyber incident should be streamlined; and
  • Whether an explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) would improve engagement with organisations that experience a cyber incident in order to allow information to be shared between the organisation and ASD/ACSC without the concern that such information would be shared with regulators.

The Department is also seeking feedback on broader policy questions, including how:

  • Australia could establish itself as the most cyber secure nation in the world by 2030;
  • To monitor the regulatory burden on businesses so as to make cyber security obligations clear and easy to follow, both from an operational perspective and for company directors (given the existing framework includes a range of implicit and overlapping obligations on entities), particularly for small and medium-sized enterprises;
  • To increase support available to victims of cybercrime; and
  • To improve information sharing with industry in relation to cyber threats, for example by sharing root cause findings from investigations of major cyber incidents.

Next steps and relevance

Public consultation for the discussion paper closed on 15 April 2023. Over 330 submissions were received by the Department of Home Affairs on what should be included in the Strategy.

*Information is accurate up to 27 November 2023


Cybersecurtiy - Explore further sections

Explore other chapters in the guide

Data as a key digital asset

Crypto assets

AI as a digital asset

Privacy & Data Protection


Digital Identity and Trust Services