Australia Establishes Cyber Incident Review Board to Accelerate Industry Resilience and Information Sharing

Australia's Cyber Incident Review Board is now active under the Cyber Security Act 2024. What it means for critical infrastructure, OT operators, and incident reporting.

Australia has formally activated the Cyber Incident Review Board (CIRB), a statutory body with enforcement powers, placing the country among a select group of jurisdictions that have codified independent mechanisms for reviewing significant cyber events. The move signals a deliberate shift from reactive, penalty-focused oversight to a structured, learning-oriented approach to national cyber risk management.

The Cyber Incident Review Board was established under Part 5 of the Cyber Security Act 2024, which received Royal Assent on 29 November 2024. The board's operating rules, the Cyber Security (Cyber Incident Review Board) Rules 2025, commenced on 30 May 2025, formally activating the body and triggering the Expression of Interest process for its Expert Panel.

Mandate and Mission: No-Fault Reviews, Systemic Lessons

The Cyber Security Act 2024 establishes the CIRB as an independent advisory body tasked with conducting no-fault, post-incident reviews of significant cyber security incidents in Australia. The "no-fault" framing is deliberate: rather than assigning blame, the board's mandate is to identify systemic gaps and generate actionable recommendations to improve how Australia prevents, detects, and responds to cyber threats.

Reviews will identify contributing factors to help sectors prepare for future attacks. Upon completing a review, the board will issue recommendations to government and industry aimed at preventing, responding to, or minimizing the impact of similar incidents and strengthening Australia's cyber resilience.

The board will review an incident only after it has occurred and initial investigation and response efforts have concluded. This sequencing ensures the CIRB does not interfere with live operational or law enforcement activities, a boundary explicitly enshrined in the Act, which stipulates that the board will not disrupt ongoing incident response or regulatory, operational, or law enforcement processes surrounding the same incident.

Board Composition: Sector Depth and Security Clearance Requirements

The government has appointed a panel of senior cybersecurity and industry leaders to the CIRB. The board is chaired by Narelle Devine, Global Chief Information Security Officer at Telstra. Other members include Debi Ashenden of the University of New South Wales, Valeska Bloch from Allens, Jessica Burleigh of Boeing Australia, Darren Kane from NBN Co, Berin Lautenbach of Toll Group, and Nathan Morelli from SA Power Networks, bringing experience across cybersecurity operations, legal frameworks, governance, national security, and critical infrastructure.

The Expert Panel, drawn from a broader pool, is intended to comprise industry participants, subject matter experts, cybersecurity specialists, academics, and other individuals appointed to assist the board in reviewing specific incidents. To be eligible, individuals must hold or be eligible to hold a Negative Vetting Level 1 (NV1) Australian Government security clearance.

The ministerial mandate for appointing board members spans several competency domains: eligible standing members must have qualifications in law, cybersecurity or information security, significant experience in incident management or crisis response, audit and review processes, public administration, financial or prudential regulation, or significant experience within Australia's designated critical infrastructure sectors.

A Key Differentiator: Compelled Disclosure

One structural feature distinguishes Australia's CIRB from comparable mechanisms in other jurisdictions. Unlike its U.S. counterpart, which relied entirely on voluntary cooperation, Australia's board can compel information from entities that decline to participate, including specific documents related to a cyber security incident.

This compelled disclosure capability directly addresses a known weakness in earlier review board models, notably the U.S. Cyber Safety Review Board, whose reviews were criticized for failing to focus on specific incidents attributable to single-company failures, limiting their ability to drive accountability.

The CIRB also operates within a broader international context. The European Union established a similar mechanism under its Cyber Solidarity Act, tasking ENISA with conducting post-incident reviews of significant cross-border attacks, though this review function has yet to be exercised. Australia's initiative places it among a small group of jurisdictions that have formalized independent review mechanisms to assess significant cyber incidents and improve long-term resilience.

Embedded in a Broader Legislative Framework

The CIRB does not operate in isolation. It forms one of four central pillars of the Cyber Security Act 2024, which also introduced:

  • Mandatory ransomware reporting: Organizations with annual turnover equal to or greater than AUD $3 million must report any ransomware or extortion payments within 72 hours to the Cyber and Infrastructure Security Centre (CISC), part of the Department of Home Affairs. Ransomware accounted for 71% of all extortion-related cyber security incidents responded to by the Australian Signals Directorate in FY 2023-2024.
  • Limited Use obligations: A limited use obligation for the National Cyber Security Coordinator clarifies and controls how information voluntarily provided during a cyber incident may be shared or used, a provision designed to encourage private sector disclosure without creating regulatory exposure.
  • Smart device security standards: Minimum cybersecurity requirements for internet-connectable products, phased in from mid-2025 onward.

The CIRB's activation coincides with the ransomware reporting rules commencing on 30 May 2025 (the same date as the board's own operational rules), creating a synchronized pipeline from incident disclosure through to systemic analysis.

The initiative sits under the Cyber Security Act 2024 and forms part of the 2023-2030 Australian Cyber Security Strategy, reflecting a broader push to position the country among the most cyber-secure nations by the end of the decade.

Implications for Critical Infrastructure and OT Operators

For industrial operators, the CIRB's activation arrives against an already demanding compliance backdrop. Under the Security of Critical Infrastructure (SOCI) Act, utilities must report any OT breach that threatens safe supply within 12 hours. Australia now designates 11 sectors as critical infrastructure, including energy, water, and transport, under the SOCI Act framework.

The board's inclusion of members with critical infrastructure backgrounds, spanning power networks, logistics, and defense-adjacent aerospace, suggests that reviews involving operational technology (OT) environments will benefit from sector-specific expertise. Manufacturers and industrial operators evaluating their incident response posture should note that a CIRB review could follow any significant cyber event, even absent regulatory enforcement action.

For manufacturers and OT operators seeking to contextualize Australia's CIRB within the wider Asia-Pacific regulatory landscape, earlier analysis of APAC OT cybersecurity regulation heterogeneity and the surge in OT cyber-physical incidents provides important context on compliance and resilience pressures facing the region.

The background driving the CIRB's formation reflects the scale of disruption Australia has already absorbed. The board's creation follows a series of major cyber incidents, including breaches involving health insurer Medibank and telecom provider Optus. These events exposed sensitive customer data and triggered widespread public concern, increasing pressure on the government to strengthen cybersecurity oversight. The Medibank breach of 2022 exposed 9.7 million records, with remediation costs estimated at approximately AUD $250 million.

Industry Outlook: Learning Culture Over Punitive Posture

Australia's Cyber Security Minister Tony Burke positioned the board in explicitly operational terms. "We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience," Burke stated in a government media release.

The board will play a key role in strengthening cybersecurity and national resilience by supporting the government in reviewing and assessing significant cyber security incidents and recommending actions to prevent, detect, respond to, or minimize the impact of similar incidents in the future.

Industry observers will monitor whether the CIRB's no-fault framework succeeds in generating genuine transparency from affected organizations, particularly large enterprises and critical infrastructure operators for whom disclosure has historically carried reputational and regulatory risk. The Limited Use protections embedded in the Cyber Security Act 2024 are designed to address this tension directly, though legal commentators note the protection does not prevent regulators from obtaining underlying information through other means, including regulatory investigatory powers or mandatory reporting regimes under the Privacy Act 1988, the SOCI Act, or the Telecommunications Act 1997.

The board's ability to publish findings publicly, translating post-incident analysis into sector-wide guidance, will ultimately determine whether the CIRB catalyzes a genuine shift in Australia's cyber resilience posture or becomes another layer of compliance overhead.

FAQ

What triggers a CIRB review? The board may review a significant cyber security incident following a written referral. Reviews commence only after initial incident response and investigation efforts have concluded, ensuring the CIRB does not disrupt active containment or law enforcement activities.

Can organizations be forced to cooperate? Yes. Unlike voluntary models used in other jurisdictions, Australia's CIRB can compel the production of information and specific documents from entities that decline to engage voluntarily, a legally binding mechanism that strengthens the board's investigative capacity.

Who sits on the Expert Panel? The Expert Panel is drawn from a broader pool of industry specialists, cybersecurity professionals, academics, and subject matter experts. Members must hold at least a Negative Vetting Level 1 (NV1) security clearance. Appointments are part-time and capped at four years.

How does the CIRB interact with mandatory ransomware reporting? Ransomware payment reports submitted to the Australian Signals Directorate (ASD) feed into the government's broader threat intelligence picture. The CIRB may subsequently review incidents involving ransomware where systemic lessons can be extracted, though the two mechanisms operate independently.

What does this mean for OT and critical infrastructure operators? OT operators in designated critical infrastructure sectors face layered obligations: 12-hour OT breach notification under the SOCI Act, 72-hour ransomware payment reporting under the Cyber Security Act, and potential CIRB review of significant incidents. Operators should ensure incident response plans address all three layers and that IT/OT coordination is exercised regularly.