Incident Response · 28 January 2025 · 6 min read

Cyber Incident Reporting in Australia: Who to Notify and When

After a cyber attack, some reports are legally required, others are recommended. Here's who Australian businesses need to notify and when.


When a cyber attack happens, the immediate priority is stopping the damage. But once you've got things under control, a second priority kicks in: notifying the right people.

For Australian businesses, some of these notifications are legally required — and missing them can result in significant fines. Others are voluntary but strongly recommended. Knowing the difference, and understanding who to contact and when, can make the aftermath of an incident considerably less stressful.

Australia's Cyber Incident Reporting Landscape

Australia has several overlapping frameworks that govern incident reporting. The key ones small businesses need to understand are:

  • The Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988
  • ReportCyber, the national cybercrime reporting platform operated by the Australian Federal Police (AFP) and Australian Signals Directorate (ASD)
  • The Cyber Security Act 2024, which introduced new mandatory reporting obligations for ransomware payments
  • Industry-specific obligations (particularly for businesses in financial services, healthcare, and critical infrastructure)

The Notifiable Data Breaches Scheme

If your business has an annual turnover of $3 million or more, you are covered by the Privacy Act and the Notifiable Data Breaches (NDB) scheme. Some smaller businesses are also covered — for example, if you handle health information, operate a credit reporting business, or have opted in voluntarily.

Under the NDB scheme, you must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm to any individual whose information was involved.

The assessment process works like this:

  1. You become aware of a potential breach
  2. You have 30 days to assess whether it is likely to result in serious harm
  3. If it meets the threshold, you must notify the OAIC and affected individuals as soon as practicable

Notifications to the OAIC are made through the online form at oaic.gov.au. Notifications to individuals must include what information was involved, what the breach was, what you're doing about it, and what affected individuals can do to protect themselves.

Failure to comply with NDB obligations can result in penalties of up to $50 million for serious or repeated breaches under the Privacy Act amendments that took effect in 2023.

The Cyber Security Act 2024: Ransomware Payment Reporting

A significant new obligation came into effect with the Cyber Security Act 2024. Under this law, businesses that make a ransomware payment (paying cybercriminals to unlock your data or prevent its release) must report that payment to the government within 72 hours.

This reporting obligation applies to businesses with an annual turnover above $3 million. The report goes to the Australian Signals Directorate (ASD) via the ReportCyber portal.

It's important to note: reporting a ransomware payment is mandatory, but the government is not requiring you to get prior approval before paying. The law is about gathering intelligence on the ransomware threat landscape, not punishing victims. However, paying ransoms is still strongly discouraged by the ACSC — there's no guarantee you'll get your data back, and it funds criminal activity.

ReportCyber: Voluntary Reporting to the AFP and ASD

Even when reporting isn't legally required, the ACSC strongly encourages all Australian businesses to report cybercrime through ReportCyber at cyber.gov.au/report.

Reports to ReportCyber help the government understand the threat landscape and can sometimes lead to investigation and prosecution. More practically, reporting can connect you with support resources and, in some cases, threat intelligence that helps you understand and contain the attack.

ReportCyber accepts reports of:

  • Ransomware and malware attacks
  • Business email compromise (BEC)
  • Phishing and fraud
  • Unauthorised access to systems or accounts
  • Online scams targeting businesses

Notifying Your Cyber Insurer

If you have cyber insurance — and if you don't, you should consider it — your policy will have specific notification requirements. Most policies require you to notify your insurer within a set timeframe after becoming aware of an incident, often 24 to 72 hours.

Failing to notify your insurer promptly can jeopardise your claim. Check your policy now, before an incident happens, so you know what's required and who to call.

Notifying Customers, Partners, and Other Stakeholders

Beyond formal regulatory reporting, you may have contractual obligations to notify business partners, clients, or suppliers if their data or systems have been affected. Review your contracts and service agreements to understand these obligations.

Even when notification isn't contractually required, transparency is usually the right approach. Customers who find out about a breach from the media rather than from you will be far less forgiving than those who received a timely, honest notification.

Industry-Specific Obligations

Depending on your industry, additional reporting obligations may apply:

  • Healthcare: The My Health Records Act and Australian Privacy Principles impose specific obligations on healthcare providers
  • Financial services: APRA-regulated entities (banks, insurers, superannuation funds) have obligations under CPS 234 to notify APRA of material cyber incidents
  • Critical infrastructure: Operators of critical infrastructure assets have obligations under the Security of Critical Infrastructure Act 2018

If you're in any of these sectors, speak with your industry association or a specialist lawyer to understand your specific obligations.

Key Takeaways

  • If you hold personal information and a breach is likely to cause serious harm, the NDB scheme gives you 30 days from becoming aware to assess the breach, after which you must notify the OAIC and affected individuals as soon as practicable
  • Under the Cyber Security Act 2024, ransomware payments must be reported to ASD within 72 hours (for businesses with $3M+ turnover)
  • All cybercrime should be reported to the AFP/ASD via ReportCyber at cyber.gov.au/report, even when not legally required
  • Notify your cyber insurer promptly — usually within 24 to 72 hours of an incident
  • Check your contracts for any notification obligations to clients or partners

Knowing your reporting obligations before an incident happens is far better than figuring it out under pressure. Use Flagged's free cyber risk assessment to identify gaps in your incident preparedness — including whether your reporting processes are ready.
