AI-driven threats and rising regulatory demands

22 February 2026

Cyber criminals continue to weaponise AI to scale social engineering tactics, exploit zero-day vulnerabilities faster than defenders can patch, and target the expanding attack surface created by supply chain platforms and connected devices.

Boards and management teams must treat cyber resilience as a strategic priority, invest in defensive AI and strengthen governance frameworks, uplift privacy and SOCI readiness, and establish an organisational culture that anticipates where threat actors will move next.

The next wave of cyber resilience requires business leaders to view AI as both a strategic asset and a potential vulnerability.

Threat actors are using AI to automate phishing attacks, generate deepfakes, and accelerate ransomware campaigns. In response, organisations are deploying AI tools to strengthen existing threat detection and incident response capabilities. Business leaders must continue to actively govern AI’s defensive and offensive uses, ensuring ethical deployment, robust oversight, and ongoing education.

Prepare for increased enforcement action

Under the Cyber Security Act 2024, entities with $3 million+ turnover must report ransomware payments within 72 hours (effective May 2025).

In good news following the introduction of mandatory reporting requirements, fewer business leaders are paying ransoms, and those who do are paying less. McGrathNicol research shows that the average cyber ransom paid has dropped to $711,000, from a high of $1.35 million in 2024. The pace of ransomware attacks is unrelenting, however, and with 81% of Australian executives still ‘willing’ to pay, more work needs to be done.

The Privacy and Other Legislation Amendment Act 2024 also introduced sweeping changes, including a statutory tort for serious invasions of privacy and enhanced OAIC enforcement powers. By December 2026, organisations must comply with new transparency requirements for automated decision-making and the Children’s Online Privacy Code. The Sydney Tools breach, which exposed 34 million customer records, underscores the real-world consequences of privacy failures. Regulators are expanding enforcement powers and increasing penalties under the new Act.

Similarly, ASIC has stepped up security-related enforcement actions with a clear link to directors’ duties under s912A of the Corporations Act, and APRA’s CPS 234 makes boards ultimately accountable for information security.

What does good cyber hygiene look like?

ASIC has taken action against organisations recently for failing to implement basic cyber hygiene controls. In doing so, it is sending a clear signal: directors are expected to own cyber risk, not delegate it. The updated Essential Eight guidance from the Australian Cyber Security Centre emphasises the need for phishing-resistant multi-factor authentication (MFA) and patching of critical vulnerabilities within 48 hours. Business leaders should also consider the applicability of other standards, including the updated SMB1001:2025 certification, which complements global frameworks such as ISO/IEC 27001.

Cyber risk poses a fundamental test of boardroom leadership. The pressing question is whether executive teams will take decisive ownership or wait until regulatory scrutiny or a major breach makes these decisions for them.

Key actions to take

  • Embed cyber risk – set clear risk appetite and resilience objectives in governance frameworks and allocate resources.

  • Uplift technical controls – align to the latest industry frameworks and upgrade your organisation’s security measures to keep pace with evolving threats.

  • Test and train – run cyber incident simulations involving executives and staff to identify critical weaknesses under the stress of realistic scenarios. A proactive approach will not only strengthen technical preparedness but also foster an organisation-wide culture of security awareness.

  • Strengthen privacy protections – conduct a privacy gap analysis, map high-risk data processing, uplift breach response plans, and embed privacy-by-design into digital initiatives.
