ChatDPS

Episode 57: GRC Under Fire, Cyber Enforcement & Australia’s Rising Regulatory Pressure

Cybersecurity has rapidly evolved from a purely technical concern into a core governance, risk, and compliance (GRC) issue. For many organisations across Australia, cyber risk is now firmly on the agenda of executive leadership and boards, and increasingly, it’s also the focus of regulators.

In Episode 57 of ChatDPS, we were joined by Steven Hunwicks and Hayden Delaney from Thomson Geer to explore the shifting cybersecurity landscape, recent regulatory actions, and what organisations should be doing now to strengthen their governance and risk posture.

The key message from the discussion was clear: Australia’s regulators have moved from education to enforcement.

A New Phase of Cyber Regulation

For several years, Australian regulators have focused heavily on educating organisations about cybersecurity obligations and encouraging improved risk management practices.

That phase is now ending.

Recent regulatory actions from the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC) demonstrate a clear shift toward enforcement.

Two notable examples highlighted during the discussion are the OAIC's action against Australian Clinical Labs and ASIC's action against FIIG Securities. While the circumstances of these cases differ, the underlying message is the same: organisations are expected to take cybersecurity risk seriously and implement appropriate safeguards.

The regulators’ approach follows a predictable pattern. First comes awareness and guidance. Then, after the industry has had time to respond, enforcement begins.

We are now firmly in that second phase.

For many organisations, this shift means moving from informal security practices toward structured governance, risk management and compliance programs that can stand up to regulatory scrutiny.

Cyber Risk Is Now a Governance Issue

One of the most significant changes in recent years has been the way cybersecurity is being framed within organisations.

Cyber risk is no longer simply an IT department responsibility. Instead, it is increasingly viewed as a governance and enterprise risk issue that must be addressed at the executive and board levels.

High-profile incidents in 2022 involving organisations such as Optus and Medibank helped drive this shift in perspective. These events demonstrated how cybersecurity failures can quickly become major business crises with legal, regulatory, financial, and reputational consequences.

Boards are now expected to ask more sophisticated questions about cyber risk, resilience, and preparedness.

Organisations must be able to demonstrate that they understand their risk exposure and have taken reasonable steps to mitigate those risks.

Many organisations are now implementing formal GRC programs supported by platforms such as Drata, which help automate evidence collection, monitor security controls, and provide ongoing visibility into compliance obligations.

However, technology alone is rarely enough; organisations must also ensure that governance frameworks, policies, and risk management practices are aligned with regulatory expectations.

Understanding Your Real Cyber Risks

One of the key themes discussed in the episode is that cybersecurity risks are not the same across organisations.

Businesses often assume they must defend against every possible cyber threat equally. In reality, effective cybersecurity begins with understanding your specific business risks.

That includes examining:

• The industry or sector you operate in

• The type of data your organisation holds

• The systems and infrastructure you rely on

• The third-party suppliers and technologies integrated into your environment

For some organisations, API security and supply chain risk may be the most pressing issue. Modern digital ecosystems rely heavily on interconnected systems and APIs, creating complex networks of trust among applications.

If authentication and access controls are not properly enforced (for example, an endpoint that checks that the caller is logged in but never checks that the caller is entitled to the specific record requested), APIs can expose sensitive data across systems, and to any integrated party that holds valid credentials.
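The failure mode described above, as an added example (not code from the episode or from Data Protection Services): a hypothetical record-lookup handler that checks only that the caller is authenticated, beside a hardened version that also checks the caller owns the requested record. The record store, sessions, handler names and the attacker's ID sweep are all constructed for illustration.

```python
"""Broken object-level authorisation in an API handler, beside the fixed form.

Added example; the store, sessions and handler names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data: records belonging to two different users in one store.
RECORDS = {
    101: {"owner": "alice", "payload": "alice pathology results"},
    102: {"owner": "bob", "payload": "bob pathology results"},
}


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict] = None


def get_record_vulnerable(session: Session, record_id: int) -> Response:
    """Authentication only. Any logged-in caller can read any record by
    supplying its ID (OWASP API Top 10 API1: broken object level authorisation)."""
    if not session.authenticated:
        return Response(401)
    record = RECORDS.get(record_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_record_hardened(session: Session, record_id: int) -> Response:
    """Authentication, then ownership. A record the caller does not own is
    answered with 404 rather than 403 so that the status code does not
    reveal which IDs exist."""
    if not session.authenticated:
        return Response(401)
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session.user:
        return Response(404)
    return Response(200, record)


def enumerate_records(handler: Callable[[Session, int], Response],
                      session: Session, id_range: Iterable[int]) -> List[str]:
    """Simulate an authenticated attacker sweeping sequential IDs.
    Returns the owners of every record leaked that the caller does not own."""
    leaked = []
    for rid in id_range:
        resp = handler(session, rid)
        if resp.status == 200 and resp.body["owner"] != session.user:
            leaked.append(resp.body["owner"])
    return leaked


if __name__ == "__main__":
    # bob is a legitimate, logged-in user who tries IDs other than his own.
    attacker = Session(user="bob", authenticated=True)
    print("vulnerable handler leaks:",
          enumerate_records(get_record_vulnerable, attacker, range(100, 110)))
    print("hardened handler leaks:",
          enumerate_records(get_record_hardened, attacker, range(100, 110)))
```

The point of the sweep is that the vulnerable handler never fails authentication: the caller is a real user with real credentials, which is exactly the position a compromised partner integration or a low-privileged insider is in. The ownership check has to live in the handler (or a shared authorisation layer) for every object-returning endpoint, not only on the login path.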

In other organisations, the biggest risk may still be far more familiar: phishing attacks and business email compromise. Increasingly, organisations are deploying advanced email security platforms such as Abnormal Security to detect sophisticated phishing attacks, account takeover attempts, and social engineering threats that traditional email filtering tools may miss.

The key is conducting a proper risk assessment to identify where your most significant vulnerabilities lie.

The Importance of Preparation

Another important theme from the discussion was the role of preparation and documentation in managing cyber risk.

Many organisations focus heavily on incident response, that is, on what to do after a breach occurs. However, regulators increasingly look at what organisations did before an incident happened.

Demonstrating proactive measures can make a significant difference.

Activities that help demonstrate this include:

• Conducting cyber risk assessments

• Implementing governance frameworks

• Running tabletop exercises

• Training staff on cyber awareness

• Documenting security controls and policies

Together, these help show that an organisation has taken appropriate steps to manage cyber risk.

Many organisations we work with find that combining structured governance frameworks with tools such as Drata for compliance automation and Abnormal Security for advanced threat detection provides a strong foundation for demonstrating cyber resilience.

In some cases, the ability to clearly document these efforts may even influence whether regulators choose to pursue enforcement action.

Cyber Incidents Are Long-Term Events

Another important insight discussed in the episode is that cyber incidents rarely end when systems come back online.

While operational recovery may take weeks or months, the broader regulatory, legal, and governance implications can last much longer.

In many cases, organisations spend up to two years addressing the aftermath of a breach: implementing improvements, responding to regulators and satisfying their expectations.

This reality reinforces why preparation and governance are so important.

Building a Cyber-Resilient Culture

Finally, the conversation highlighted the importance of organisational culture in cybersecurity.

Technology alone cannot solve cyber risk.

Many breaches ultimately occur because of human behaviour, whether through phishing attacks, misconfigurations, or poor security practices.

That’s why modern cybersecurity strategies combine strong governance frameworks, employee awareness programs, and advanced detection tools, including behavioural email security platforms such as Abnormal Security.

Building a cyber-resilient organisation requires embedding awareness across the entire business, not just within IT or security teams.

Cybersecurity must become part of the broader organisational culture, supported by leadership and reinforced through education, communication, and collaboration.

Final Thoughts

Cybersecurity expectations in Australia are evolving rapidly.

Regulators have made it clear that organisations must move beyond awareness and begin demonstrating mature governance, risk management, and compliance practices.

For many organisations, that journey begins with asking the right questions:

• Do we understand our cyber risk exposure?

• Are we taking reasonable steps to mitigate those risks?

• Can we demonstrate those steps to regulators if required?

For organisations navigating these challenges, working with experienced advisors and leveraging modern security and compliance platforms such as Drata and Abnormal Security can make the process significantly easier.

At Data Protection Services, we regularly help organisations assess their cyber risk posture, navigate regulatory requirements, and implement practical governance frameworks that stand up to regulatory scrutiny.

“Cyber is not a time when we can afford to put difficult conversations on the shelf.”
Steven Hunwicks