The Cyber Security Act 2024 sets up the Cyber Incident Review Board (the CIRB). The CIRB is an independent advisory body. Its role is to review cyber security incidents that affect Australia.
Recent cyber-attacks have shown that Government and industry need to learn more from these events. The CIRB helps both sectors improve their response to future attacks.
The CIRB will only review an incident after it has occurred, and initial efforts are complete. Reviews will focus on a single incident or a group of similar incidents. These may share features such as attack method, type of system affected, or a known vulnerability.
The CIRB does not assign blame or determine who is responsible for an incident. Published reviews will not include personal or classified information, including anything that could affect national security, defence, or international relations of the Commonwealth.
Once a review is finished, the CIRB will give advice to Government and industry. These recommendations aim to strengthen Australia’s cyber security defences. The affected organisation or organisations will receive a draft report and can give feedback before the findings are published.
Board Appointments and the Expert Panel
Following commencement of Part 5 of the Cyber Security Act 2024 and the Cyber Security (Cyber Incident Review Board) Rules 2025 on 30 May 2025, the Minister for Cyber Security will appoint members to the Cyber Incident Review Board. Once the Board is in place, the Department will begin an expression of interest process to form an Expert Panel. The Expert Panel will include industry professionals with strong experience in cyber security, legal or sector specific areas.
You can register your interest in recruitment activities for the Expert Panel by emailing: CIRB.Enquiries@homeaffairs.gov.au.
