ChannelLife Australia - Industry insider news for technology resellers

Cybersecurity Act drives surge in reporting as attacks rise

Fri, 9th Jan 2026

Australia's Cybersecurity Act 2024 is reshaping how companies respond to cybercrime, as new federal data points to a sharp rise in attacks and growing financial and reputational risks for businesses in 2026.

The law, which took effect 12 months ago, has introduced mandatory incident reporting and new security requirements for connected devices. It has also placed fresh scrutiny on the governance of cyber risk at board and executive level.

Recent federal government figures show Australian losses to cybercrime rose 50% on the previous year, with more than 1,000 notifiable data breaches recorded in 2024. The increase follows a series of high-profile incidents across finance, telecommunications and insurance, which exposed weaknesses in how organisations manage sensitive data and digital infrastructure.

The Office of the Australian Information Commissioner reported 1,113 notifiable data breaches in 2024, the highest number since mandatory reporting began in 2018. The breaches affected a wide range of sectors that depend on large volumes of customer data and digital channels.

A deeper analysis of incidents in 2024 showed that 47 million online accounts were compromised. The volume highlighted growing exposure to identity theft, account takeover and financial fraud.

"47 million online accounts were compromised in 2024, which is nearly one every second," said Joe De Martino, Artificial Intelligence of Things expert, Dahua Technology.

Cyber incidents have continued at scale. Airline group Qantas disclosed that data on 5.7 million customers was accessed by cybercriminals in 2025. The compromised information included customer names and email addresses. Industry analysts said such data can circulate on dark web marketplaces and can support phishing campaigns, identity theft and online scams.

Business groups and security specialists now describe cybersecurity as a core operational discipline. They place it alongside finance and supply chain management as a factor that directly affects cash flow, reputation and customer trust.

Recent events outside classic cyberattacks have also increased attention on resilience. The Optus network outage in 2023 did not stem from malicious activity. The disruption still damaged the company's reputation and raised questions among customers and regulators about the reliability of essential services.

Regulatory penalties for mishandling data have also increased. Serious failures can attract fines of up to AUD $50 million or a proportion of revenue, depending on the nature and scale of the contravention.

"It is in business' best interests to implement robust cybersecurity. The penalties for failing to properly protect data are serious, reaching up to AUD $50 million in some instances," said De Martino.

The new regime

The Cybersecurity Act 2024 sets out how Australia will handle cyber incidents at a national level. The law seeks to improve transparency, co-ordination and baseline security standards across the economy.

Businesses with annual turnover above AUD $3 million must now report ransomware payments within 72 hours. The requirement increases visibility of attacks and payments. It also provides law enforcement and policymakers with a clearer view of threat patterns and criminal actors.

The Act includes a "limited-use" obligation for voluntarily shared incident information. Authorities can use shared data for cyber defence and response. They must limit its use in civil or regulatory enforcement. Policymakers expect this to encourage organisations to disclose more details on incidents without fear of immediate legal exposure.

The law also creates a Cyber Incident Review Board. The board runs no-fault reviews after significant incidents. It then publishes recommendations for sectors and the wider economy. The approach reflects aviation-style safety investigations that focus on learning rather than blame.

A key change affects consumer smart devices, including many Internet of Things products. New security standards ban universal default passwords across devices. They require a public mechanism for vulnerability reporting. They also require a clearly stated support period for security updates.

The Australian framework aligns with emerging rules in other major markets that target insecure connected devices. Regulators are concerned that unmanaged cameras, sensors and other "always-on" devices act as backdoors into corporate and home networks.

Business response

The federal government has set out its ambition for a more cyber-mature economy. It also highlights a need for a stronger cybersecurity workforce and for safer technology across sectors.

Companies face rising scrutiny from customers, regulators and insurers. Early adopters of advanced security practices seek to reduce disruption risk and avoid sudden compliance costs. Late movers risk higher premiums, tougher terms of cover and reputational damage after incidents.

Technology vendors are adjusting their own practices under the new environment. Dahua Technology, which focuses on video-centric Artificial Intelligence of Things systems, states that it invests around 10% of annual earnings in research and development. It allocates part of this to cybersecurity.

The company operates a 24/7 Product Security Incident Response Team. The team handles vulnerability reports and co-ordinates fixes. Dahua also runs a Cybersecurity Centre that supports transparent reporting of product issues and distribution of security patches.

Security advisers say these kinds of measures reflect a wider shift from minimum compliance towards continuous risk management. They emphasise that law and regulation set only a baseline for defence.

"It's important to remember this law (Cybersecurity Act) sets the floor, not the ceiling. The burden of implementation, and the benefits of resilience, sit squarely with boards and executive teams," said De Martino.

Government data indicates that one cybercrime is now reported every few minutes in Australia. Policymakers and industry figures expect that businesses which embed cybersecurity into strategy and governance will shape the country's digital competitiveness over the next decade.