Commonwealth Coat of Arms of Australia


Cyber Security (Cyber Incident Review Board) Rules 2025

I, Tony Burke, Minister for Home Affairs, make the following rules.

Dated 27 February 2025

Tony Burke

Minister for Home Affairs


Part 1—Preliminary

1 Name

2 Commencement

3 Authority

4 Definitions

Part 2—Cyber Incident Review Board

Division 1—Preliminary

5 Simplified outline of this Part

Division 2—Reviews by the Board

6 Purpose of this Division

7 Requirement to consider referrals

8 Matters Board must consider when prioritising referrals and reviews

9 Terms of reference for reviews

10 Timing of reviews—non-interference with investigations etc.

11 Notification of reviews

Division 3—Board members

12 Purpose of this Division

13 Eligibility for appointment as a Board member

14 Acting appointments of standing members of the Board

15 Disclosure of interests to the Minister

16 Disclosure of interests to the Board

17 Other paid work

18 Leave of absence of Board members

19 Resignation of Board members

20 Termination of appointment of Board members

Division 4—Expert Panel

21 Purpose of this Division

22 Appointments to the Expert Panel

23 Appointments of Expert Panel members to the review panel for a review

24 Remuneration etc. of Expert Panel members appointed to a review panel for a review

25 Disclosure of interests to the Board

26 Resignation of members of the Expert Panel from the Expert Panel

27 Termination of appointment of Expert Panel members from the Expert Panel

Division 5—Other matters relating to the Board

28 Purpose of this Division

29 Convening meetings

30 Presiding at meetings

31 Voting at meetings

32 Conduct of meetings

33 Minutes

34 Decisions without meetings


1 Name

This instrument is the Cyber Security (Cyber Incident Review Board) Rules 2025.

2 Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Column 1                          Column 2                                                                  Column 3
Provisions                        Commencement                                                              Date/Details
1. The whole of this instrument   The later of:
                                  (a) the start of the day after this instrument is registered; and
                                  (b) at the same time as Part 5 of the Cyber Security Act 2024 commences.

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under the Cyber Security Act 2024.

Note: A number of expressions used in this instrument are defined in the Act, including the following:

(a) Chair;

(b) Cyber Incident Review Board;

(c) cyber security incident;

(d) Expert Panel.

4 Definitions

In this instrument:

Act means the Cyber Security Act 2024.

Australian Government security clearance has the same meaning as in the Criminal Code.

Board member means any member of the Cyber Incident Review Board (including the Chair).

paid work means work for financial gain or reward (whether as an employee, a self-employed person or otherwise).

security classification has the same meaning as in the Criminal Code.

Part 2—Cyber Incident Review Board

Division 1—Preliminary

5 Simplified outline of this Part

The Cyber Incident Review Board causes reviews to be conducted in relation to certain cyber security incidents. The purpose of a review is to make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future.

A review panel will be established for each review in accordance with the terms of reference for the review. A review panel consists of the Chair, the standing members of the Board that are specified in the terms of reference for the review and the members of the Expert Panel appointed to assist in relation to the review.

This Part provides for procedures for reviews, appointments of Board members and Expert Panel members, and the procedures of the Board.

Division 2—Reviews by the Board

6 Purpose of this Division

This Division is made for the purposes of subsection 46(5) of the Act.

7 Requirement to consider referrals

If a written referral is made to the Board under subsection 46(1) of the Act, the Board must:

 (a) consider the referral; and

 (b) decide whether a review should be conducted under section 46 of the Act in relation to any matter raised in the referral.

Note: Subsection 46(2) of the Act sets out limitations on when a review may be conducted under that section.

8 Matters Board must consider when prioritising referrals and reviews

The Board must have regard to the following matters when prioritising referrals received under subsection 46(1) of the Act and reviews conducted under section 46 of the Act:

 (a) the severity and scale of impact of the cyber security incidents to which those referrals and reviews relate;

 (b) the availability and capacity of standing members of the Board;

 (c) the availability and capacity of members of the Expert Panel;

 (d) the relevance of the skills, knowledge or experience of members of the Expert Panel to those referrals and reviews.

9 Terms of reference for reviews

 (1) The terms of reference for a review by the Board must:

 (a) specify the number of standing members of the Board who will conduct the review; and

 (b) specify the number of members of the Expert Panel to be appointed to assist the Board in relation to the review; and

 (c) specify the minimum level of Australian Government security clearance, or equivalent security clearance recognised by the Commonwealth, required for a standing member of the Board to hold in order to participate in the conduct of the review; and

 (d) specify any eligibility requirements, additional to those set out in paragraphs 23(b) and (c), for the appointment of members of the Expert Panel to assist the Board in relation to the review.

Note: For the purposes of paragraph (d), additional eligibility requirements may relate to particular skills, qualifications, expertise or experience.

 (2) The Board may, with the approval of the Minister, vary the terms of reference for a review.

10 Timing of reviews—non-interference with investigations etc.

A review must not be conducted at a particular time if the Chair considers that conducting the review at that time would interfere with or prejudice the investigation of, or the conduct of proceedings relating to, an offence or a contravention of a civil penalty provision under a law of the Commonwealth or of a State or Territory.

Note: A review may only be conducted after the incident or series of incidents, and the immediate response, has ended: see paragraph 46(2)(b) of the Act.

11 Notification of reviews

 (1) As soon as practicable after deciding to conduct a review, the Board must publish, on the Department’s website or in any other way the Board considers appropriate, notification that the review will be conducted.

 (2) The notification must include:

 (a) the number of the standing members of the Board who will conduct the review; and

 (b) the number of the Expert Panel members to be appointed to assist in the conduct of the review; and

 (c) details of the cyber security incident, or series of cyber security incidents, that will be the subject of the review; and

 (d) a brief description of how the incident or series of incidents meets the requirements in subsection 46(2) of the Act; and

 (e) proposed timeframes for the conduct of the review; and

 (f) such other information that the Board considers appropriate to include in the notification.

Division 3—Board members

12 Purpose of this Division

This Division is made for the purposes of subsections 64(4), 66(4) and 69(1) of the Act.

13 Eligibility for appointment as a Board member

 (1) A person is only eligible to be appointed as a Board member, under section 64 or 66 of the Act, if:

 (a) the person either:

 (i) holds, or is eligible to hold, an Australian Government security clearance that allows the person access to information that has a security classification of at least secret; or

 (ii) holds an equivalent security clearance recognised by the Commonwealth for the purposes of allowing the person access to information that has a security classification of at least secret; and

 (b) the person:

 (i) has obtained a degree from a university, or an educational qualification of a similar standing, in the field of law and has significant experience working in that field; or

 (ii) has obtained an educational qualification in the field of cyber security or information security; or

 (iii) has significant experience working in the field of cyber security or information security; or

 (iv) holds a relevant Commonwealth, State or Territory government position at an appropriately senior level; or

 (v) has significant experience in audit, assurance or review processes, public administration or financial or prudential regulation; or

 (vi) has significant experience in incident management or crisis response; or

 (vii) has significant experience in a critical infrastructure sector (within the meaning of the Security of Critical Infrastructure Act 2018); or

 (viii) has significant academic qualifications or knowledge in a relevant field.

 (2) Before appointing a person as a Board member, the Minister must be satisfied that:

 (a) the person meets the eligibility requirements mentioned in subsection (1); and

 (b) the person has appropriate qualifications, knowledge, skills or experience to perform the role.

 (3) The Minister may appoint a person who holds a State or Territory government position only with the agreement of the State or Territory concerned.

14 Acting appointments of standing members of the Board

 (1) The Minister may, by written instrument, appoint a person to act as a standing member of the Board:

 (a) during a vacancy in the office of a standing member of the Board whether or not an appointment has previously been made to the office; or

 (b) during any period, or during all periods, when a standing member of the Board:

 (i) is absent from duty or from Australia; or

 (ii) is, for any reason, unable to perform the duties of the office of a standing member of the Board.

Note: The Minister may appoint a standing member of the Board to act as the Chair: see section 68 of the Act.

 (2) A person must not be appointed to act as a standing member of the Board unless the Minister is satisfied that the matters in section 13 are satisfied in relation to the appointment to act.

Note: This means that a person cannot be appointed to act as a standing member of the Board if the person is not eligible to be appointed as a Board member under section 13.

15 Disclosure of interests to the Minister

Before appointment

 (1) Before the Minister appoints, under section 64 or 66 of the Act, a person as a Board member, the person must disclose to the Minister all interests, pecuniary or otherwise, that the person is aware of having in a matter of a kind likely to be considered by the Board.

Disclosures after appointment

 (2) A disclosure by a Board member under section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) must be made to the Minister.

 (3) Subsection (2) applies in addition to any rules made for the purposes of section 29 of the Public Governance, Performance and Accountability Act 2013.

 (4) For the purposes of the Act, this instrument and the Public Governance, Performance and Accountability Act 2013, a Board member is taken not to have complied with section 29 of the Public Governance, Performance and Accountability Act 2013 if the Board member does not comply with subsection (2) of this section.

16 Disclosure of interests to the Board

 (1) A Board member who has an interest, pecuniary or otherwise, in a matter being considered, or about to be considered, by the Board in a review conducted under section 46 of the Act must disclose the nature of the interest to the Board.

 (2) The disclosure must be made as soon as possible after the relevant facts have come to the Board member’s knowledge.

 (3) The disclosure must be recorded:

 (a) if the disclosure is made at a meeting of the Board—in the minutes of that meeting; or

 (b) otherwise—in the minutes of the next meeting of the Board after the disclosure is made.

 (4) Unless the Board otherwise determines, the Board member:

 (a) must not be present during any deliberation by the Board on the matter; and

 (b) must not take part in any decision of the Board with respect to the matter.

 (5) For the purposes of making a determination under subsection (4), the Board member:

 (a) must not be present during any deliberation of the Board for the purpose of making the determination; and

 (b) must not take part in making the determination.

 (6) A determination under subsection (4) must be recorded in the minutes of the meeting of the Board.

17 Other paid work

A Board member must not engage in any paid work that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the Board member’s duties.

18 Leave of absence of Board members

The Chair

 (1) The Minister may grant leave of absence to the Chair on the terms and conditions that the Minister determines.

Other Board members

 (2) The Chair may grant leave of absence to any other Board member on the terms and conditions that the Chair determines.

 (3) The Chair must notify the Minister if the Chair grants a Board member leave of absence for a period that exceeds 3 months.

19 Resignation of Board members

 (1) A Board member may resign the member’s appointment by giving the Minister a written resignation.

 (2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.

20 Termination of appointment of Board members

 (1) The Minister may terminate the appointment of a Board member:

 (a) for misbehaviour; or

 (b) if the Board member is unable to perform the duties of the Board member’s office because of physical or mental incapacity.

 (2) The Minister may terminate the appointment of a Board member if:

 (a) the Board member:

 (i) becomes bankrupt; or

 (ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

 (iii) compounds with the Board member’s creditors; or

 (iv) makes an assignment of the Board member’s remuneration for the benefit of the Board member’s creditors; or

 (b) the Board member is absent, except on leave of absence, from 3 consecutive meetings of the Board; or

 (c) the Board member engages in paid work that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the Board member’s duties (see section 17); or

 (d) the Board member fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section; or

 (e) the Minister ceases to be satisfied of any of the matters in subsection 13(1) (eligibility for appointment as Board member) in relation to the Board member.

Division 4—Expert Panel

21 Purpose of this Division

This Division is made for the purposes of subsection 70(5) of the Act.

22 Appointments to the Expert Panel

 (1) An appointment to the Expert Panel is on a part-time basis.

 (2) A member of the Expert Panel holds office for the period specified in the instrument of appointment. The period must not exceed 4 years.

 (3) A person is only eligible to be appointed as a member of the Expert Panel if:

 (a) the person either:

 (i) holds, or is eligible to hold, an Australian Government security clearance that allows the person access to information that has a security classification of at least secret; or

 (ii) holds an equivalent security clearance recognised by the Commonwealth for the purposes of allowing the person access to information that has a security classification of at least secret; and

 (b) the person:

 (i) has obtained a degree from a university, or an educational qualification of a similar standing, in the field of law and has significant experience working in that field; or

 (ii) has obtained an educational qualification in the field of cyber security, information technology, computer networks or software engineering; or

 (iii) has significant experience working in the field of cyber security or information security; or

 (iv) holds a relevant Commonwealth, State or Territory government position at an appropriately senior level; or

 (v) has significant experience in audit, assurance or review processes, public administration or financial or prudential regulation; or

 (vi) has significant experience in incident management or crisis response; or

 (vii) has significant experience in a critical infrastructure sector (within the meaning of the Security of Critical Infrastructure Act 2018); or

 (viii) has significant academic qualifications or knowledge in a relevant field.

Note 1: An appointment to the Expert Panel is not a public office within the meaning of the Remuneration Tribunal Act 1973: see subsection 70(4) of the Act.

Note 2: A member of the Expert Panel is only to be remunerated when the member is appointed to a review panel for a review: see section 24 of this instrument.

 (4) Before appointing a person as a member of the Expert Panel, the Chair must be satisfied that:

 (a) the person meets the eligibility requirements mentioned in subsection (3); and

 (b) the person has appropriate qualifications, knowledge, skills or experience to perform the role.

 (5) The Chair may appoint a person who holds a State or Territory government position only with the agreement of the State or Territory concerned.

23 Appointments of Expert Panel members to the review panel for a review

A member of the Expert Panel may only be appointed, under subsection 70(3) of the Act, to the review panel for a review if the Chair is satisfied that:

 (a) the person meets the eligibility requirements (if any) specified in the terms of reference for the review for the purposes of paragraph 9(1)(d) of this instrument; and

 (b) the member has appropriate qualifications, knowledge, skills or experience to assist the Board in relation to the particular review; and

 (c) the member will not be engaged in any paid work that conflicts, or could conflict, with the proper performance of the member’s duties assisting the Board in relation to the review.

Note: One or more members of the Expert Panel are to be appointed by the Board, in accordance with the terms of reference for a review under section 46 of the Act, to the review panel for the review to assist in the review: see subsections 46(4) and 70(3) of the Act.

24 Remuneration etc. of Expert Panel members appointed to a review panel for a review

 (1) This section applies if a member of the Expert Panel is appointed, under subsection 70(3) of the Act, to the review panel for a review.

Note: An appointment to assist in a review is not a public office within the meaning of the Remuneration Tribunal Act 1973: see subsection 70(4) of the Act.

 (2) An Expert Panel member is to be paid the remuneration that is determined by the Chair by legislative instrument.

 (3) An Expert Panel member is to be paid the allowances that are determined by the Chair by legislative instrument.

 (4) The Chair may, by legislative instrument, determine:

 (a) remuneration for the purposes of subsection (2); and

 (b) allowances for the purposes of subsection (3).

Resignation

 (5) An Expert Panel member may resign the member’s appointment to the review panel for a review by giving the Chair a written resignation.

 (6) The resignation takes effect on the day it is received by the Chair or, if a later day is specified in the resignation, on that later day.

Revocation of appointment to the review panel for a review

 (7) The Chair may revoke the appointment of a member of the Expert Panel to the review panel for a review:

 (a) for misbehaviour; or

 (b) if the member of the Expert Panel is unable to perform the duties of the member’s office because of physical or mental incapacity; or

 (c) if the member:

 (i) becomes bankrupt; or

 (ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

 (iii) compounds with the member’s creditors; or

 (iv) makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or

 (d) if the member fails, without reasonable excuse, to comply with section 25 (which deals with the duty to disclose interests); or

 (e) if the Chair ceases to be satisfied of any of the matters in subsection 22(3) or section 23 in relation to the member.

25 Disclosure of interests to the Board

Disclosure before appointment to the Expert Panel

 (1) Before a person is appointed as a member of the Expert Panel, the person must give written notice to the Chair of all interests, pecuniary or otherwise, that the person has or acquires and that conflict or could conflict with the proper performance of the person’s duties as a member of the Expert Panel.

Disclosure during appointment to the Expert Panel

 (2) A member of the Expert Panel who has an interest, pecuniary or otherwise, in a matter being considered or about to be considered by the Board must disclose the nature of the interest to the Chair.

 (3) The disclosure under subsection (2) must be made as soon as possible after the relevant facts have come to the member’s knowledge.

 (4) Unless the Board otherwise determines, the member of the Expert Panel must not be present during any deliberation by the Board on the matter.

 (5) For the purposes of making a determination under subsection (4), the member of the Expert Panel must not be present during any deliberation of the Board for the purpose of making the determination.

Records

 (6) A determination under subsection (4) must be recorded by the Board.

 (7) A disclosure under this section must be recorded by the Board.

26 Resignation of members of the Expert Panel from the Expert Panel

 (1) A member of the Expert Panel may resign the member’s appointment to the Expert Panel by giving the Chair a written resignation.

 (2) The resignation takes effect on the day it is received by the Chair or, if a later day is specified in the resignation, on that later day.

Note: Resignation from the Expert Panel also means the person is not a member of any review panel for a review as the person is no longer a member of the Expert Panel.

27 Termination of appointment of Expert Panel members from the Expert Panel

The Chair may terminate the appointment of a member of the Expert Panel:

 (a) for misbehaviour; or

 (b) if the member of the Expert Panel is unable to perform the duties of the member’s office because of physical or mental incapacity; or

 (c) if the member:

 (i) becomes bankrupt; or

 (ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

 (iii) compounds with the member’s creditors; or

 (iv) makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or

 (d) if the member fails, without reasonable excuse, to comply with section 25 (which deals with the duty to disclose interests); or

 (e) if the Chair ceases to be satisfied of any of the matters in subsection 22(3) in relation to the member.

Note: Termination from the Expert Panel also means the person is not a member of any review panel for a review as the person is no longer a member of the Expert Panel.

Division 5—Other matters relating to the Board

28 Purpose of this Division

This Division is made for the purposes of subsection 73(2) of the Act.

29 Convening meetings

 (1) The Board must hold such meetings as are necessary for the efficient performance of its functions.

 (2) The Chair:

 (a) may convene a meeting at any time; and

 (b) must convene a meeting within 30 days after receiving a written request to do so from another member of the Board.

30 Presiding at meetings

 (1) The Chair must preside at all meetings at which the Chair is present.

 (2) If the Chair is not present at a meeting, the other Board members present must appoint one of themselves to preside.

31 Voting at meetings

 (1) A question arising at a meeting of the Board is to be determined by a majority of the votes of the Board members present and voting.

 (2) The person presiding at a meeting of the Board has a deliberative vote and, if the votes are equal, a casting vote.

32 Conduct of meetings

The Board may, subject to this instrument and the Act, regulate proceedings at its meetings as it considers appropriate.

Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which Board members may participate in meetings.

33 Minutes

The Board must keep minutes of its meetings.

34 Decisions without meetings

 (1) The Board is taken to have made a decision at a meeting if:

 (a) without meeting, a majority of the Board members entitled to vote on the proposed decision indicate agreement with the decision; and

 (b) that agreement is indicated in accordance with the method determined by the Board under subsection (2); and

 (c) all the Board members were informed of the proposed decision, or reasonable efforts were made to inform all the Board members of the proposed decision.

 (2) Subsection (1) applies only if the Board:

 (a) has determined that it may make decisions of that kind without meeting; and

 (b) has determined the method by which Board members are to indicate agreement with proposed decisions.

 (3) For the purposes of paragraph (1)(a), a Board member is not entitled to vote on a proposed decision if the Board member would not have been entitled to vote on that proposal if the matter had been considered at a meeting of the Board.

 (4) The Board must keep a record of decisions made in accordance with this section.