ato logo
Search Suggestion:

Tax Profession Cyber Security Working Group key messages 5 December 2024

Key topics discussed at the Tax Profession Cyber Security Working Group meeting 5 December 2024.

Last updated 9 March 2025

Australian Taxation Office and Tax Practitioners Board

The Australian Taxation Office (ATO) outlined current focus areas of work, including an update on the post implementation review of stage one of the client-to-agent linking rollout. The ATO is identifying and tracking cyber threats and the risks associated with using certain apps and software.

The Tax Practitioners Board provided insights into the value of utilising trusted cloud hosting and considering the risks of other devices not traditionally considered in a cyber security regime, such as internet connected home appliances. The group also discussed the need to consider the risks of submitting sensitive information to artificial intelligence (AI) services.

Member comments

Changes such as client-to-agent linking are a compromise between the user experience of legitimate users and minimising the fraudulent behaviour of bad actors.

While AI can be an incredibly powerful and useful tool, it can have security, safety, and ethical implications for both businesses and individuals.

Innocuous software and hardware can be weaponised for nefarious purposes by a range of domestic and international parties. Consideration needs to be given to access, data and platform risks.

Forward work program

Key areas of focus for the group's forward work program were discussed. The agreed priorities are:

  • data security and protection
  • social engineering
  • access management
  • incident response
  • risk management
  • email security.

It is anticipated deep dives will be conducted on each topic in future meetings, with action items identified to support tax professionals in managing these risk areas.

Member comments

Social engineering is becoming more prevalent as a tactic used by scammers and should be included as one of the priority items to address.

Key messages and resources to be shared should be identified as an outcome for each meeting.

Other business

The group discussed:

  • the Cyber Security Act 2024, members are particularly interested in the introduction of mandatory reporting obligations for ransomware and cyber extortion
  • the Small Business Cyber Resilience Service (provided by IDCARE), a government initiative for small businesses to seek cyber education and support
  • the government-funded Cyber Wardens program, which members agree is a valuable resource to be promoted to the tax profession.

QC103877