A surge in cyber crime
04 March 2025
In 2024, Australia experienced a staggering 1200% increase in cyber-attacks, affecting businesses, government agencies and individuals who fell victim to increasingly sophisticated tactics.[1] As cyber threats evolve, the need for progressive cyber security laws has become more urgent.
Over the next nine months, three significant changes will come into effect, impacting how we manage cyber risk. These are, in order of commencement:
30 April 2025 – Ransom Payment Notification
Until this year, only entities responsible for critical infrastructure assets within the ambit of the Security of Critical Infrastructure Act 2018 (SOCI Act) were subject to mandatory cyber incident reporting. Once the new obligation commences, businesses with annual turnover exceeding $3 million in their previous financial year must report every ransomware payment within 72 hours of the payment being made. The Department of Home Affairs has indicated that it will create a reporting portal accessible through the Australian Signals Directorate's cyber.gov.au website.
Businesses reporting a ransomware payment will be required to disclose certain information that is known or reasonably available to them, including:
- Details of the cyber security incident, including its impact on the reporting business entity.
- The demand made by the extorting entity.
- The amount of the ransomware payment.
- Any communications with the extorting entity relating to the incident, demand, and the payment.
The exact information required in a notification has yet to be finalised in the supporting rules. The aim of the mandate is to increase transparency around ransom payments, giving government a clearer picture of extortion activity and thereby strengthening national defences against cybercriminals.
1 July 2025 – APRA’s CPS 230
All APRA-regulated entities, including banks, insurers and superannuation trustees, are preparing for Prudential Standard CPS 230 Operational Risk Management, which comes into effect on 1 July 2025. The new standard replaces the existing CPS/SPS 232 Business Continuity Management and CPS/SPS/HPS 231 Outsourcing. CPS 230 consolidates operational risk management into a single standard, encompassing business continuity, governance and service provider management.
Over the past decade, many software providers have shifted from on-premises, custom installations to cloud-based services, allowing them to deliver adaptable solutions at lower cost. That shift has also created new risks, including over-reliance on third parties (with the concentration risk that comes from depending on a single provider) and offshore arrangements. The CrowdStrike outage of July 2024 illustrated how the absence of 'fourth-party' protection in the regulatory framework, that is, visibility of the providers your own providers depend on, can create systemic vulnerabilities. Improving this protection is a flagship element of CPS 230, which requires entities to understand their operational risk end-to-end, including throughout their entire supply chain.
Under CPS 230, APRA-regulated entities will be responsible for ensuring that operational risk management is central to their governance framework. This may require an overhaul of agreements with material service providers to include required controls and protections against disruption. Among other requirements, CPS 230 mandates that entities maintain a service provider management policy covering provider selection, the essential rights to be included in agreements (such as audit, access and termination rights), ongoing performance monitoring, and a register of material service providers that must be submitted to APRA annually.
30 November 2025 – Security Standard for Smart Devices
The consumer market is increasingly populated with devices that can connect to the internet and each other, sharing personal and sensitive information.
To address security concerns around these devices, new regulations will introduce a mandatory security standard for internet-connected and network-enabled consumer devices, including requirements on default passwords, to safeguard against unauthorised access to customer information.
Manufacturers will be required to provide a statement of compliance for each relevant product and offer clear instructions for consumers on how to report any security issues. Additionally, they must publish the duration of their security update support, which cannot be shortened once announced.
While these regulations are still under development, it is important to assess how they might affect your business model. Although desktop computers, laptops and phones are excluded from the category, the scope of the legislation is otherwise quite broad. It would be wise to consider proactive measures now, particularly if you manufacture, import or supply such devices, or if your operations rely heavily on them, and to determine whether further safeguards are necessary.
We will discuss each of these in more detail as their commencement dates approach.
[1] Australia hit by 47 million data breaches in 2024 – one every second | Insurance Business Australia.