New Australian Cybersecurity & Privacy Reforms

5 Min Read: New Australian Cybersecurity & Privacy Reforms Impacting Businesses in May 2025

From May 2025, significant changes to Australia’s cybersecurity and privacy laws will come into effect, placing stricter obligations on businesses. These reforms are designed to enhance cybersecurity resilience, improve transparency, and hold organisations accountable for protecting sensitive data.

For business leaders, directors, and C-suite executives, understanding these changes is critical. Non-compliance can result in severe financial and reputational consequences.

Key Changes Businesses Need to Know

1. Mandatory Ransomware Payment Reporting

Businesses will be legally required to report any ransomware payments made to cybercriminals. Through this reporting, the Australian Government aims to improve national threat intelligence and disrupt cybercriminal operations.

  • Who does this apply to? All organisations with an annual turnover of $10 million or more.
  • What needs to be reported? The amount paid, the reason for payment, and details about the ransomware incident.
  • Deadline: Reports must be submitted within 72 hours of payment.

Business Impact: If your company is targeted by ransomware, you will need a clear incident response plan that includes compliance with these new reporting obligations.

2. Expanded Privacy Regulations and Increased Penalties

Updates to the Privacy Act 1988 will introduce stricter data protection requirements and significantly higher penalties for data breaches.

  • Higher Penalties: Maximum fines for serious breaches will increase to up to $50 million or 30% of adjusted revenue, whichever is higher.
  • More Data Protection Requirements: Businesses must implement stronger security controls and demonstrate how they protect customer data.
  • Stricter Breach Notification Rules: The reporting threshold for a “serious data breach” will be lowered, meaning more incidents will require formal notification.

Business Impact: Organisations must reassess their data protection strategies, invest in stronger cybersecurity controls, and ensure they have a clear response plan for data breaches.

3. Stronger Cybersecurity Governance Expectations

Australian businesses will face increased regulatory scrutiny over their cybersecurity posture. Boards and executives will be held directly responsible for cybersecurity risk management.

  • Board-Level Accountability: Directors will be expected to demonstrate proactive cybersecurity oversight, similar to financial compliance requirements.
  • Regular Cybersecurity Assessments: Organisations must conduct periodic penetration testing, vulnerability assessments, and compliance audits.
  • Third-Party Security Requirements: Companies must ensure their suppliers and service providers also meet stringent security standards.

Business Impact: Executives and directors need to prioritise cybersecurity at the highest levels of governance. Failure to do so could result in legal consequences, financial losses, and reputational damage.

How Siege Cyber Can Help

At Siege Cyber, we specialise in helping Australian businesses navigate cybersecurity compliance, conduct thorough risk assessments, and strengthen their security posture.

If you have questions about the new cybersecurity and privacy reforms, we offer a free 20-minute consultation to discuss your organisation’s specific needs.

Contact us today: [email protected]