Cyber Security Act 2024 — Regulatory Notice. Non-compliance can attract civil penalties of up to $99,000 for a body corporate. Ensure your statutory reporting obligation is documented.
You have 72 hours.
Most boards have no process.
The Cyber Security Act 2024 requires entities with turnover above $3M — and all critical-infrastructure entities, regardless of turnover — to report a ransomware payment to the ASD within 72 hours of the payment being made. When the incident occurs, you cannot afford to build your disclosure process from scratch under maximum stress.
Statutory Reporting Window
Download the compliance diagnostic to confirm your organisation can evidence its reporting readiness.
The organisation must be able to evidence that it met its statutory reporting obligation.
Failure to disclose within the 72-hour window triggers direct financial exposure and prolonged regulatory scrutiny.
Unclear Reporting Trigger
If the trigger for awareness is not explicitly defined, the statutory clock begins without the board’s knowledge, risking enforcement action.
Lack of Documented Protocol
Without a pre-approved escalation protocol, real-time debates delay the evidentiary record required by the ASD portal.
Incomplete Data Points
The ASD-managed portal requires specific technical and operational data points that are often omitted in standard IT incident response playbooks.
Can you currently evidence these requirements?
The following represents the critical evidentiary gaps identified in recent cyber governance audits regarding the 2024 Act.
Point 1 Statutory Threshold
Confirmation that the entity meets the AUD $3m turnover threshold (or is a critical-infrastructure entity) and acknowledges the scope of the Act.
Point 2 Escalation Protocol
A formal link exists between the technical incident response team and the board’s statutory reporting lead.
Point 3 Decision Authority
A pre-approved framework defines who explicitly authorizes the notification to the ASD-managed portal.
Access the Diagnostic
Aligned with ACSC guidance on the Cyber Security Act 2024 reporting workflows. Instant download.
This diagnostic is provided for informational purposes to assist with governance readiness. It does not constitute legal advice.
Failed the Assessment?
If your readiness indicates critical exposures, consider the Disclosure Protocol Sprint to formalize your documented decision authority.
The Disclosure Protocol Sprint
A time-boxed executive session to remediate governance gaps, establish a documented decision tree, and ensure your team is prepared to meet its statutory reporting obligations.
Executive Alignment
Direct engagement with the CFO and General Counsel to formalize escalation protocols and define specific trigger conditions.
Board-Ready Artifacts
Creation of a pre-approved Executive Decision Tree and fully populated ASD reporting templates ready for immediate deployment.
Legal Alignment
Ensuring your technical response playbooks do not inadvertently compromise legal privilege or breach statutory timelines.
