Australia has formally established a Cyber Incident Review Board to conduct no-fault, post-incident reviews of significant cybersecurity incidents, to extract actionable lessons and strengthen national resilience. The board will examine major cyber events and provide recommendations to government and industry to improve how organisations prevent, detect, respond to, and minimize the impact of future attacks. The initiative sits under the Cyber Security Act 2024 and forms part of the country’s 2023–2030 Australian Cyber Security Strategy, reflecting a broader push to position Australia among the world’s most cyber secure nations by the end of the decade.
“We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience,” Tony Burke, Australia’s minister for cyber security, said in a media statement this week. “The Cyber Incident Review Board will examine major cyber security events, develop findings, and provide recommendations to improve national cyber resilience across government and industry.”
He added that Australia is fortunate to have highly experienced cybersecurity leaders guiding this work. “These appointments reflect our collective commitment to keeping Australians safe in an increasingly complex cyber environment.”
The Cyber Incident Review Board includes Narelle Devine, global chief information security officer at Telstra, who will serve as chair. The board also includes Debi Ashenden, director of the Institute for Cyber Security at the University of New South Wales, Valeska Bloch, partner and head of cyber at Allens, Jessica Burleigh, chief information security officer at Boeing Australia, Darren Kane, chief security officer at NBN Co, Berin Lautenbach, global head of information security at Toll Group, and Nathan Morelli, head of cyber security and IT resilience at SA Power Networks.
The seven-member board brings together senior cyber leaders from across industry, academia and critical infrastructure, combining technical, governance, legal, national security and community experience to deliver trusted and independent advice to government and industry. Its mandate centres on learning systematically from incidents rather than assigning blame, signalling a shift toward operational accountability and continuous improvement across the cyber ecosystem.
According to the Department of Home Affairs, the review mechanism is intended to tighten collaboration between government and industry and turn lessons from major cyber incidents into practical resilience measures for businesses, communities and the wider economy. The board will conduct reviews only after an incident has concluded and initial response and investigation activities are complete. Its work will examine either a single event or clusters of similar incidents, grouped by shared characteristics such as attack vectors, affected systems or known vulnerabilities.
The government said an Expert Panel, drawn from industry specialists across the public and private sectors, will support the Cyber Incident Review Board. Members will contribute expertise in cybersecurity, legal matters and relevant sector domains to inform the board’s reviews.
The board will launch an expression of interest process to identify and appoint qualified candidates, in line with eligibility requirements set out in the Cyber Security (Cyber Incident Review Board) Rules 2025. Individuals must hold, or be eligible to obtain, a Negative Vetting Level 1 Australian Government security clearance, which is a prerequisite for appointment to the review panels that examine specific cyber incidents.
Appointments to the Expert Panel are part-time and for a fixed term specified in the instrument of appointment, with a maximum duration of four years.
Eligibility requires that individuals hold, or be eligible to obtain, an Australian Government security clearance permitting access to information classified at least secret, or an equivalent clearance recognised by the Commonwealth. Candidates must also demonstrate relevant expertise through qualifications or experience. This may include a degree in law with substantial professional experience, formal education in cyber security, information technology, computer networks or software engineering, or significant practical experience in cyber or information security.
Additional qualifying backgrounds include senior roles in government, experience in audit, assurance or regulatory functions, incident management or crisis response, work in critical infrastructure sectors as defined under the Security of Critical Infrastructure Act (SOCI) 2018, or strong academic credentials in a related field.
Appointments are not considered public office positions under the Remuneration Tribunal Act 1973, and remuneration applies only when a member is selected to serve on a review panel for a specific incident. Before any appointment is made, the Chair must be satisfied that the candidate meets all eligibility criteria and has the necessary qualifications, knowledge, skills or experience. Where a candidate holds a State or Territory government position, the appointment requires the agreement of the relevant jurisdiction.
The Australian board is modeled on the now-defunct U.S. Cyber Safety Review Board (CSRB), created under Executive Order 14028 in 2021 and designed as a public–private body to investigate major cyber incidents and extract lessons to strengthen national resilience. The CSRB reviewed high-profile events such as the Log4j and Microsoft Exchange compromises, highlighting systemic security gaps and recommending stronger authentication, monitoring and transparency. While it advanced post-incident learning, questions persisted around its reliance on voluntary cooperation and its limited enforcement powers.