Stakeholders we work with on cyber resilience
We work closely with other members of the Council of Financial Regulators and various Government departments and agencies.
Council of Financial Regulators (CFR)
The CFR has four members: the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), the Australian Treasury and the Reserve Bank of Australia (RBA). The CFR facilitates cooperation and collaboration across member agencies, with the ultimate aim of promoting the stability of the Australian financial system and supporting effective and efficient regulation.
The CFR’s Cyber and Operational Resilience Working Group is responsible for coordinating initiatives aimed at improving the cyber resilience of the Australian financial system, such as the Cyber Operational Resilience Intelligence-led Exercises (CORIE) Framework.
The CFR is responsible for facilitating cross-agency coordination and communications during cyber-attacks. To facilitate cross-agency coordination, member agencies have developed a cyber-attack response protocol (CART). A similar protocol has also been developed with New Zealand financial regulators, given the strong links between the Australian and New Zealand financial systems.
For more information go to:
- Cyber Security – Financial Stability – Council of Financial Regulators
- Cyber Operational Resilience Intelligence-led Exercises (CORIE) Framework
- Trans-Tasman Council on Banking Supervision – About – Council of Financial Regulators.
Department of Home Affairs (Home Affairs)
The Department of Home Affairs is responsible for Australia's cyber security policy, strategic direction, and for implementing the Australian government’s cyber security strategy.
The Department’s portfolio comprises the National Cyber Security Coordinator, the National Office of Cyber Security, and the Critical Infrastructure Security Centre.
National Cyber Security Coordinator (the Coordinator)
The Coordinator is part of the Department of Home Affairs. The Coordinator’s role is to lead the coordination of national cyber security policy, responses to cyber incidents of national significance, cyber incident preparedness efforts, and enhancements to Commonwealth cyber security capability.
For more information see: Cyber Coordinator.
National Office of Cyber Security (NOCS)
The NOCS, which is part of the Department of Home Affairs, was established in 2023 to support the Coordinator's functions in coordinating responses to cyber incidents of national significance. During an incident, the NOCS acts as the central contact point for affected organisations, supports consequence management efforts, and works with government and industry to address secondary harms arising from incidents.
For more information see: National Office of Cyber Security (NOCS).
Critical Infrastructure Security Centre (CISC)
The CISC is part of the Department of Home Affairs. The CISC is responsible for the security, continuity and resilience of Australia’s critical infrastructure, in partnership with government, industry and the broader community. It administers the Cyber Security Act 2024 and the Security of Critical Infrastructure Act 2018 (SOCI Act). The CISC is responsible for overseeing the compliance of owners and operators of critical infrastructure assets, including assets that are declared as ‘systems of national significance’, with their obligations under the SOCI Act.
For more information see: Critical Infrastructure Security Centre.
Australian Signals Directorate (ASD)
The ASD, which operates under the Intelligence Services Act 2001, is a statutory agency within the Defence portfolio. ASD’s role is to defend Australia from global threats and advance the national interest by providing foreign signals intelligence, cyber security, and offensive cyber operations as directed by the Government. The ASD’s key functions include:
- collecting and communicating foreign signals intelligence
- preventing and disrupting offshore cyber-enabled crime
- providing cyber security advice and assistance to the Australian government, businesses, and individuals
- supporting military operations
- protecting the specialised tools the ASD uses to fulfil its functions
- cooperating with, and assisting, the national security community’s performance of its functions.
For more information see: ASD's purpose | Australian Signals Directorate.
Australian Cyber Security Centre (ACSC)
The ACSC leads the Australian Government’s cyber security efforts. The ACSC is responsible for:
- threat monitoring and intelligence sharing
- publishing notifications, alerts and advisories on cyber threats and providing technical advice to individuals, businesses and government
- providing 24/7 technical incident response advice and assistance to Australian organisations that have been impacted by a cyber security incident
- improving the cyber resilience of the Australian community through proactive advice and exercises
- supporting collaboration between Australian organisations and individuals on cyber security issues through its Partnership Program.
The ACSC provides technical guidance and support to entities affected by a cyber incident when the incident is serious enough to warrant their involvement, particularly when critical infrastructure is affected.
For more information see: Australian Signals Directorate and Australian Cyber Security Centre.
Australian Prudential Regulation Authority (APRA)
APRA is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies and most of the superannuation industry.
APRA-regulated entities must comply with APRA prudential standards relating to information security and operational risk management, including notification requirements in the event of an incident.
ASIC, as the regulator of the conduct of Australian companies, financial markets, financial services entities and credit providers, works closely with APRA.
Office of Australian Information Commissioner (OAIC)
The OAIC is Australia’s privacy regulator. It is responsible for administering the Privacy Act 1988, which governs the protection of personal information and how businesses handle it.
The OAIC and the protection of personal information are an essential part of the ring of defence to protect Australia’s cyber security.
Where a cyber security incident involves a data breach (that is, when personal information held by a business is accessed or disclosed without authorisation, or is lost), the business must notify the OAIC under the Notifiable Data Breaches scheme if the data breach is likely to cause serious harm.
For more information see: OAIC.