
Australia names Cyber Incident Review Board to formalise post-breach lessons
The federal government has named Telstra's Narelle Devine to chair a new Cyber Incident Review Board, formalising no-fault post-mortems of major attacks under the Cyber Security Act 2024. Six other members were appointed from NBN Co, Boeing, Allens, Toll, SA Power Networks and UNSW.
The federal government on Monday named the chair and members of a new Cyber Incident Review Board, formalising a body charged with running no-fault post-mortems on major cyber attacks against Australian organisations.
Telstra global chief information security officer Narelle Devine will chair the board. Six other members were appointed: Professor Debi Ashenden of the University of New South Wales, Allens partner Valeska Bloch, Boeing Australia chief information security officer Jessica Burleigh, NBN Co chief security officer Darren Kane, Toll Group global head of information security Berin Lautenbach, and SA Power Networks head of cyber security and IT resilience Nathan Morelli.
The board operates under the Cyber Security Act 2024, the omnibus legislation passed after the 2022 Optus and Medibank breaches. It sits inside the broader 2023-2030 Australian Cyber Security Strategy, which targets making Australia one of the world's most cyber-secure nations by the end of the decade.
"We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience," Minister for Cyber Security Tony Burke said in a statement.
What the board does
The CIRB will conduct independent reviews of significant cyber incidents affecting government agencies, critical infrastructure operators and large private-sector organisations. Findings are intended to surface systemic gaps and produce sector-wide recommendations, not apportion blame to any single victim.
Unlike the model it draws on, the United States Cyber Safety Review Board, the Australian body has the legal power to compel information from organisations that decline to participate voluntarily. The US board, established in 2022 under the Biden administration, was disbanded by the Trump administration earlier this year. It produced three public reports during its run, including a 2024 finding that Microsoft suffered "a cascade of avoidable errors" in the breach of senior US officials' email accounts.
Australian officials had flagged the compulsory-information powers as a deliberate design choice during consultation on the Cyber Security Act, after industry feedback that voluntary regimes leave the most useful evidence with the most reluctant respondents.
Membership and reach
The roster spans telecommunications, cloud and broadband infrastructure, energy, aviation, logistics, legal counsel and academia. Five of the seven members are women.
Several appointees come with direct operational experience of the breach period that drove the act through parliament. Devine moved to Telstra in 2022 from Defence. Kane has run security at NBN Co through years of state-aligned and criminal probing of the national broadband network. Morelli's appointment from SA Power Networks pulls the Security of Critical Infrastructure Act regime into the new review framework.
The board will publish reports following each completed review. Government has indicated those reports will be sanitised where necessary to protect ongoing operational matters but otherwise made available to industry and the public.
What happens next
The CIRB is expected to begin its first reviews this year. Home Affairs has not named which incidents will be picked up first. The Cyber Security Act gives the board discretion to self-initiate reviews or take direction from the Minister, and incidents do not have to trigger mandatory reporting under the act to fall within scope.
Industry submissions on the operating rules closed earlier this year. The Cyber and Infrastructure Security Centre has published an explanatory document setting out the procedures the board will follow when issuing notices, handling protected information and finalising findings.
Marnie Blackwood
Regulation reporter on Privacy Act reform, eSafety, ACCC tech enforcement, and ACMA. Reports from Canberra.