Voluntary cyber incident disclosure: legal guidance for Australian organisations

It has been a year since the Australian government introduced a voluntary cyber security disclosure regime to encourage timely, frank cooperation between business and government during cyber incidents. As private organisations navigate this regime, many are considering whether to volunteer information during cyber incidents. The regime restricts how government can use voluntarily disclosed information, creating a protected channel for incident response. This article explains how it operates and provides practical guidance for organisations seeking to leverage voluntary disclosure pathways while managing legal risks.

The voluntary cyber security disclosure pathway is part of a suite of cyber security legislative reforms which were introduced in late 2024. It creates parallel information use restrictions under Part 4 of the Cyber Security Act 2024 (Cth) (CSA) and Part 6 of the Intelligence Services Act 2001 (Cth) (ISA) (the limited use obligation regime). These restrictions protect information that organisations voluntarily share with the Commonwealth Government in relation to cyber incidents (Voluntary Disclosure Information). The regime aims to promote open communication with government in response to cyber security incidents by limiting government entities from using this information against organisations in civil or regulatory action. However, it still allows regulators to obtain the same information through their existing powers and preserves law enforcement and national security functions. 

Organisations should consider voluntary disclosure as part of a broader review of their cyber security response plan, which should also reflect other key changes to the cyber threat and regulatory landscape. 

When might an organisation wish to make a voluntary disclosure?

An organisation impacted by a cyber security incident may receive significant benefits from voluntarily disclosing information to the National Cyber Security Coordinator (NCSC) and to the Australian Signals Directorate (ASD) under the limited use regime. This may be the case where government involvement would expedite identification, containment and recovery, reduce response costs, and minimise financial, operational and reputational harms for the organisation. These benefits increase with early engagement. Benefits may include:

• Threat disruption, enhanced intelligence and technical expertise: Organisations may gain access to threat intelligence, forensic capabilities and technical expertise that most typically lack in-house. Government may be able to pass details to law enforcement to pursue perpetrators, potentially disrupt threat actors and in some cases recover assets. Voluntary Disclosure Information could also consolidate threat intelligence to generate tailored advice on vulnerabilities and mitigations, with anonymised insights potentially shared back to industry.
   
• Coordinated whole-of-government response: For significant incidents, disclosure could enable the NCSC to mobilise Commonwealth and State support to help mitigate and resolve the incident. For example, where identity documents are involved in a major data breach, the NCSC can coordinate and expedite licence and passport replacement and materially reduce customer harm and reputational damage. Additionally, where an incident threatens market stability or critical infrastructure, proactive NCSC engagement can unlock government support to mitigate systemic risk.
   

• Reputation and stakeholder management: Targeted ministerial briefing can support coordinated public messaging and stakeholder management, particularly important for incidents with significant public concern.

Choosing your disclosure pathway: NCSC and ASD

Organisations impacted by a cyber security incident (impacted entity) have the option to make voluntary disclosures to both the NCSC under the CSA and the ASD under the ISA. Each pathway is available simultaneously and offers distinct capabilities, while providing similar limited use protections for the impacted entity. The choice to engage one or both bodies should be informed by the nature of the incident and the specific assistance required, as each pathway is designed to achieve different objectives.

In practice, organisations may benefit from disclosing to both the NCSC and the ASD. Once either the NCSC or the ASD has been provided with information, they may also make a secondary disclosure to the other body if they consider their involvement is necessary for the incident response.

NCSC: Coordination and consequence management

Organisations might engage the NCSC (supported by the National Office of Cyber Security) under the Cyber Security Act limited use regime where the cyber security incident may be serious and an urgent response is required. This is particularly where the response requires coordination of government entities and ongoing consequence management. The NCSC is best placed to facilitate a whole-of-government response, manage public communications and coordinate support across Commonwealth and State bodies.

ASD: Technical assistance and threat disruption

Organisations may engage the ASD under the ISA limited use regime for technical assistance, up-to-date threat intelligence, and cyber vulnerability support in response to a cyber security incident or a cyber security vulnerability. The ASD provides specialist expertise in threat analysis, forensic support, and disruption of malicious actors.

Organisations should consider both disclosure pathways as complementary options, each serving different but equally important roles in incident response. Utilising both the NCSC and ASD can maximise the benefits of government support and ensure a comprehensive approach to managing and resolving cyber security incidents.

What can Voluntary Disclosure Information be used and disclosed for?

The legislation requires that the NCSC and ASD only use and disclose Voluntary Disclosure Information for permitted cyber security purposes. This is primarily to assist the impacted entity in responding to, mitigating or resolving the cyber security incident.

Other permitted purposes include: 

• supporting Commonwealth and State bodies' incident responses; 
   
• performing their own incident response roles; 
   
• briefing Ministers; 
   
• preventing or mitigating national or critical infrastructure risk; 
   
• supporting intelligence agencies; and 
   
• supporting Commonwealth enforcement bodies (noting that Voluntary Disclosure Information cannot, with limited exceptions, be used in civil or regulatory enforcement against the impacted entity itself).

Where the NCSC or ASD shares limited use information with another entity (such as State bodies or other Commonwealth bodies), those secondary recipients are bound by the same limited use restrictions and must handle the information in accordance with the CSA and ISA frameworks.

Limited use regime protections for impacted entities who voluntarily disclose information

The limited use regime provides key protections for impacted entities that voluntarily disclose cyber security incident information:

• Protection from use in civil enforcement: Voluntary Disclosure Information cannot be used to investigate or enforce civil penalties or take regulatory action against the impacted entity. However, they do not protect criminal offences or contraventions of the limited use regime itself.
   
• Inadmissibility: Voluntary Disclosure Information is generally inadmissible against the impacted entity in criminal and civil proceedings, except for specified Criminal Code offences (relating to false or misleading information or obstruction of Commonwealth public officials), coronial inquiries, and Royal Commissions.
   
• Preservation of legal professional privilege: Providing Voluntary Disclosure Information does not waive legal professional privilege (except for coronial inquiries and Royal Commissions).
   
• Non-compellability in proceedings: The NCSC and ASD are non-compellable to give evidence about Voluntary Disclosure Information (except in coronial inquiries).

Understanding the limitations of the limited use regime

The limited use regime offers important protections and provides the private sector with an available resource for responding to cyber security incidents. However, organisations should be aware of the following limitations and continuing obligations when disclosing Voluntary Disclosure Information:

• Key limited use obligation exceptions and boundaries: Limitations on the use of Voluntary Disclosure Information do not apply to information that becomes lawfully public, information already in the public domain, information provided to meet other mandatory reporting regimes, or information the government has obtained through independent means. Additionally, as indicated above, coronial inquiries, Royal Commissions and certain federal court proceedings are not covered by privilege or inadmissibility protections.  
   

• Not a safe harbour from regulatory action: The regime restricts how voluntarily disclosed information may be used by government bodies, not whether regulators can investigate the impacted entity. Regulators retain full power to compel the same information using their existing statutory powers and may still do so independently of any voluntary disclosure.
   

• Mandatory reporting obligations remain separate and applicable: Voluntary disclosure does not relieve entities of mandatory cyber security incident reporting and disclosure requirements under other statutory regimes (e.g. ransomware payment reports under the CSA, and reporting obligations under the Security of Critical Infrastructure Act 2018 (Cth) Part 2B, and the Privacy Act 1988 (Cth)). Organisations cannot treat voluntary disclosure as a substitute for these separate obligations.
   

• Privacy obligations continue to apply: For voluntary disclosures to the NCSC under the CSA, Privacy Act 1988 (Cth) obligations continue to apply to all disclosure and handling of personal information. 

Practical considerations for implementing voluntary disclosure

To maximise the benefits of voluntary disclosure while managing legal risks, organisations should integrate the following steps into their cyber security incident response planning:

• Map potential decision pathways for NCSC escalation (coordination and consequence management) versus ASD escalation (technical assistance), including contact protocols and privilege considerations. This enables voluntary disclosure pathways to be utilised early in material incidents where desirable.
   
• When deciding what information to voluntarily disclose, share factual, necessary information that enables assistance or a permitted cyber security purpose.
   
• Assess whether personal information is included in Voluntary Disclosure Information, and if so, whether any action is required to ensure compliance with the Privacy Act 1988 (Cth) before disclosing. 
   
• Keep Voluntary Disclosure Information clearly marked and distinct from materials provided under other legal obligations, as mandatory disclosures are excluded from limited use protections.
   
• Maintain privilege where possible. While privilege is preserved for Voluntary Disclosure Information, certain proceedings (including Royal Commissions and coronial inquiries) can override the privilege protection.
   
• Be aware that the process may be iterative and may involve the NCSC or ASD returning with further questions or organising meetings to discuss the cyber security incident. This may include meetings with secondary recipients involved in the whole-of-government response to the cyber security incident.
   
• Ensure that any mandatory reporting obligations are also met within required timeframes.

Key takeaway for organisations managing cyber incidents

The limited use obligation regime represents a significant development in the Australian government’s cyber security incident response role, creating a structured pathway for government-industry collaboration during cyber incidents. The regime offers meaningful protections to the private sector to encourage disclosure to government. However, organisations should approach voluntary disclosure strategically in light of the legal position, understanding both the benefits and limitations, maintaining compliance with separate mandatory obligations and integrating disclosure pathways into broader incident response planning. Early engagement with the NCSC and/or the ASD with a clear understanding of the legislation and the disclosure process is key to leveraging government support effectively while managing legal and regulatory risks.