Commonwealth Numbered Acts

CYBER SECURITY ACT 2024 (NO. 98, 2024) - SECT 62

  (1)   The functions of the Board are:

  (a)   to cause reviews to be conducted by review panels in relation to cyber security incidents, or series of related cyber security incidents, to:

  (i)   identify factors that contributed to the incident or series of incidents; and

  (ii)   make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and

  (iii)   report publicly on the review; and

  (b)   any other functions conferred on the Board by this Act or the rules.

Note:   See section   46 in relation to the circumstances in which a cyber security incident may be reviewed.

  (2)   It is not a function of the Board to:

  (a)   apportion blame in relation to a cyber security incident; or

  (b)   provide the means to determine the liability of any entity in relation to a cyber security incident; or

  (c)   allow any adverse inference to be drawn from the fact that an entity is the subject of a review.

However, even though blame or liability may be inferred, or an adverse inference may be made, by a person other than the Board, this does not prevent the Board from carrying out its functions.

  (3)   The Board has power to do all things necessary or convenient to be done for or in connection with the performance of the Board's functions.

  (4)   The Board must not perform a function or exercise a power under this Part at a particular time if the performance of the function or the exercise of the power at that time would prejudice the investigation of, or the conduct of proceedings relating to, an offence or a contravention of a civil penalty provision under a law of the Commonwealth or of a State or Territory.

  (5)   The rules may prescribe the circumstances in which cyber security incidents are a series of related incidents for the purposes of this section.

Note:   For example, the rules may prescribe that cyber security incidents are a series of related incidents if the incidents involve a common type of impacted system or a common attack method.