Law Council of Australia

Business Law Section

Code of Practice for Cyber Incident Response Providers

Submission Date: 2 October 2025

The Media & Communications Committee of the Law Council of Australia’s Business Law Section (the Committee) welcomes the opportunity to respond to the Department of Home Affairs—National Office of Cyber Security’s proposed voluntary Code (the draft Code), which has been co-designed by the National Office of Cyber Security, the Australian Signals Directorate (ASD) and industry. In view of the limited time to respond, this submission combines overarching views with some targeted responses.

Overarching views

The draft Code has been thoughtfully prepared with a focus on practical guidance. It is intended to be adopted by providers specialising in the technical component of cyber incident response, on the assumption that information-sharing with the ASD, the Australian Cyber Security Centre (ACSC) and the National Cyber Security Centre (NCSC) will be consistent with the ‘limited use’ regime set out in the Intelligence Services Act 2001 (Cth) and the Cyber Security Act 2024 (Cth). The concern the Committee has previously raised in relation to the limited use regime remains under this Code: no legal immunity is provided in exchange for information-sharing, and there is a high probability that sharing will breach obligations of confidentiality and waive client legal privilege. This creates tension between a range of legal rights and obligations, voluntary codes of practice and the rule of law.

Targeted responses

Definitions

The Code is intended to be adopted by cyber security incident response providers. A cyber security incident response provider is defined broadly as ‘usually an external organisation that provides direct and timely assistance in the remediation and future prevention of cyber incidents’. This definition refers only to remediation and future prevention, yet ‘containment’, which incident responders also support during an incident, is a common theme in the Guiding Principles, as Guiding Principle 2(a) and (d) and Guiding Principle 3 demonstrate.

Accordingly, the Committee suggests changing the definition to:

Cyber security incident response providers—‘an internal cyber security specialist or external organisation that provides direct and timely assistance in the detection, containment, remediation and future prevention of cyber incidents’

Last Updated on 11/11/2025
