Cyber Attacks in Australia: An Action Plan for Boards

The digital age has made it easier for cybercriminals to launch attacks from anywhere in the world, and Australian businesses, particularly those holding sensitive data, are feeling the impact. Recent statistics from the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) identify the three cybercrimes most frequently reported by businesses in the country: email compromise, online banking fraud, and business email compromise (BEC) fraud. What is especially concerning is that BEC alone accounted for nearly $84 million in self-reported losses, with each confirmed case averaging over $55,000 in financial damage.

To curb these growing losses, the Cyber Security Act 2024 introduced reforms that change how organisations are expected to approach cybersecurity. Since receiving Royal Assent in November 2024, it has added mandatory reporting of ransomware payments, established a Cyber Incident Review Board to examine significant incidents, and set “limited use” rules for information organisations share with government. Together with existing director duties and critical infrastructure obligations, these changes raise expectations for incident disclosure and risk management, and they underscore the need for proactive governance at the top.

This guide will inform Australian boards about the state of cyber risks and demands in the country, the importance of cybersecurity in the future, and the steps they must take to help safeguard their organisations and ensure business continuity.

Cyber Attacks Australia: Real-World Incidents

As cyber risks grow in scope and severity, Australian boards and executives must stay informed and prepared. No organisation is immune. Regardless of size, sector, or reputation, cybercriminals are constantly probing for weaknesses, continually evolving their tactics to bypass defences.

Recent incidents in Australia highlight just how widespread and damaging these attacks can be.

1. Genea Fertility Clinic Data Breach

In February 2025, Genea, one of the largest fertility providers in Australia, suffered a ransomware attack allegedly carried out by the Termite group. Approximately 940 gigabytes of patient information, including personal details, Medicare card numbers, test results, and medical histories, were taken and later published on the dark web. The investigation remains open, and efforts to identify the perpetrators continue.

2. Ambulance Victoria Insider Data Theft

A month after the Genea breach, an insider incident occurred at Ambulance Victoria, the state’s government-run emergency transport provider. A former employee illicitly transferred the personal and financial data of around 3,000 staff members, including home addresses, bank details, salaries, and emergency contacts. Authorities are investigating, and affected staff have been offered identity protection services. The case is a reminder that access controls and leaver processes, not only perimeter defences, are part of the board’s risk picture.

3. Coordinated Pension Fund Attacks

April 2025 brought a further cluster of incidents, the most significant being a coordinated credential-stuffing attack on superannuation funds, in which attackers replayed username and password pairs leaked from unrelated breaches against member login portals. Several major funds, including AustralianSuper, Australian Retirement Trust, Rest Super, Insignia Financial, and Hostplus, were targeted. AustralianSuper alone had around 600 accounts compromised and approximately A$500,000 stolen from four members, while Rest Super reported about 20,000 accounts accessed (with around 8,000 members’ data exposed). Credential stuffing succeeds because people reuse passwords across services; multi-factor authentication on member accounts and monitoring for login bursts from unfamiliar sources are the controls boards should ask about.

What role should boards play in cyber risk management?

The scale of recent cyberattacks in the country has made one thing clear: cybersecurity is now a core business risk. It demands attention not just from IT departments but from the boardroom. Recognising the urgency, many boards are stepping up their efforts. PwC’s 26th Global Digital Trust Insights 2024 found that 74% of Australian organisations plan to increase their cybersecurity budgets in the year ahead, up from 60% in 2023.

While boosting budgets is a step in the right direction, it’s only part of the solution. The future of cybersecurity lies in its integration into the overall business strategy and culture to achieve cyber resilience. Here’s how boards can do it:


Align cybersecurity priorities with business goals

A good security investment supports organisational goals rather than hindering them. Boards should always understand how cybersecurity efforts contribute to the company’s objectives, from maintaining competitiveness to operating efficiently and creating value for stakeholders. Achieving this requires regular strategy reviews that factor in new threats, technological upgrades, and evolving business priorities.

As artificial intelligence (AI) increasingly features in attacks, for example in deepfake-enabled phishing and malware that adapts to evade detection, boards must strengthen their risk management and establish cybersecurity committees to provide stronger oversight. The committee should include board members with demonstrated cybersecurity expertise, whether through professional experience, specialised education, or industry involvement. This expertise helps ensure board discussions about cyber risk are informed by practical understanding rather than theoretical concepts.

Strategic alignment also requires boards to consider cybersecurity implications in major business decisions. Mergers and acquisitions, new technology implementations, and market expansion strategies all carry risks that must be evaluated at the board level. Failing to do so can create significant vulnerabilities and missed opportunities.

Make sure cybersecurity is always on the agenda

Rather than an occasional topic addressed only during crises or annual reviews, cybersecurity should be a standing agenda item for board meetings. Regular cybersecurity discussions help ensure that emerging threats and changing risk profiles receive appropriate attention, enabling proactive rather than reactive decision-making.

Regular board attention to cybersecurity also signals organisational commitment to all stakeholders, including employees, clients, partners, and regulators. This commitment can strengthen security culture, improve incident response effectiveness, and demonstrate governance maturity to external stakeholders.

Prioritise regulatory compliance

Australia’s regulatory environment for cybersecurity has undergone significant transformation with the introduction of the Cyber Security Act 2024 and related legislative changes. Among the new obligations is mandatory reporting of ransomware and cyber extortion payments by affected businesses, and a key feature of the framework is the establishment of the Cyber Incident Review Board (CIRB).

The CIRB conducts no-fault reviews of significant cyber incidents after they have occurred, evaluating how the incident was handled and recommending improvements. Companies must therefore prepare not just for incident response, but for potential government review of their cybersecurity practices. This requires maintaining comprehensive documentation of security decisions, controls, and incident response activities.

The new framework also encourages voluntary information sharing with government by imposing a “limited use” obligation: information an organisation provides to the National Cyber Security Coordinator about an incident can only be used and disclosed for defined cybersecurity purposes. Boards should ensure their organisations can take advantage of these protections while meeting mandatory reporting requirements under other regulatory frameworks, including the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which expands cyber risk obligations for operators of critical infrastructure.

Ensure holistic board oversight

Board oversight should focus on strategic cyber risk rather than technical implementation details. This responsibility covers understanding the organisation’s risk appetite, ensuring appropriate risk management frameworks are in place, and monitoring the effectiveness of cybersecurity investments. At the same time, ensuring everyone seated in the boardroom is knowledgeable about emerging threats and industry best practices is important for maintaining effective oversight.

Boards must also lead the charge in preparing for crisis scenarios. Cybersecurity incidents often trigger larger organisational crises that require board-level coordination across legal, communications, operations, and executive functions. As the strategic lead, boards must oversee and align recovery plans across departments to ensure a unified and effective response. Establishing and regularly testing these coordination mechanisms is a critical governance responsibility that can significantly reduce the impact of a cyber incident.


Cybersecurity Threats Australia: How Boards Should Respond to a Cyber Incident

The initial hours and days following the discovery of a cyber attack are critical for minimising damage and securing an adequate response. During these times, the people at the top — C-suite executives and board members — play a crucial role in providing strategic direction without getting in the way of the response team.

So, what should boards do when they’re first notified of an attack?

Step 1: Oversee incident response preparedness

Upon notification of a cyber incident, the board’s immediate priority should be to confirm that the organisation’s incident response plan is being executed. This usually means confirming that appropriate internal and external resources have been mobilised, legal counsel has been engaged, and regulatory notification requirements, including any mandatory reporting deadlines, are being tracked.

However, effective execution depends on whether those plans are well-maintained from the outset. Alarmingly, PwC revealed that only 36% of Australian organisations reported having an up-to-date and regularly tested disaster recovery and backup plan. This is where the board’s oversight becomes critical. As part of their governance responsibilities, the board must make certain that the organisation develops, tests, and regularly updates incident response plans.

Step 2: Monitor the situation

Next, the board should request immediate briefings on the scope and nature of the incident, potential business impact, and response activities underway. However, these briefings should be structured to avoid overwhelming response teams with reporting requirements during crucial response phases. Remember, their priority should be containing and resolving the incident, not spending valuable time reporting to the board.

That said, boards still need to stay alert and engaged throughout the incident. This awareness is key to making prompt and, if necessary, radical decisions on response and recovery. For example, this could include temporarily shutting down key systems to prevent further breaches or reallocating significant resources to facilitate faster containment efforts.

Step 3: Guide strategic communication

Cyber incidents often attract significant media attention and concern among stakeholders. Boards must see to it that communication efforts, including interviews and press releases, are aligned with both legal obligations and reputation management goals. Often, it includes working closely with legal counsel to ensure that public statements are accurate, compliant, and do not compromise ongoing investigations, or expose the organisation to further legal risk.

Looking Ahead: The Future of Cybersecurity in the Boardroom

There’s no warning for when an attack will strike. The only certainty is that cybercriminals are always active—the defences must be too. Instead of reactive incident responses, boards must take proactive steps to build organisational cyber resilience. This shift emphasises the organisation’s ability to continue operating during and after an attack. Building cyber resilience requires investment in backup systems, recovery processes, and business continuity capabilities that allow rapid restoration of critical functions following cyber incidents.

The board’s role in building cyber resilience includes ensuring adequate investment in both prevention and recovery capabilities, while understanding that perfect security is neither achievable nor cost-effective. This balanced approach requires sophisticated risk management that considers both the likelihood and potential impact of various threat scenarios.

Cyber resilience also extends to supply chain risk management. The board should guarantee that appropriate due diligence processes are in place for evaluating and monitoring third-party cyber risks, and that contracts include relevant cybersecurity requirements and liability provisions.

Build Cyber Resilience Across Australian Organisations with Convene


Successful organisations are led by boards that treat cybersecurity as a strategic advantage rather than a liability. To support this approach, a purpose-built board portal, such as Convene, empowers boards to govern effectively and securely.

Convene enables secure collaboration during and after meetings by enforcing strict role-based access controls, so only authorised individuals can access sensitive materials. Its enterprise-level encryption protects data at every point, while multi-factor authentication provides an added layer of security. These features ensure that board activities remain confidential and protected, even in the face of increasing cyber threats.

But more than just a meeting platform, Convene is designed to support the governance standards promoted by the Australian Institute of Company Directors (AICD). Developed by a CMMI Level 5 certified company and powered by Amazon Web Services, Convene meets global benchmarks for software excellence. It is also accredited under the Australian Government’s Information Security Registered Assessors Program (IRAP), meaning boards can trust that their information is handled with the highest levels of integrity and compliance.

Learn how Convene can help fortify your cyber defences. Book a demo with one of our product experts today.



Jess Convocar

Jess is a Content Marketing Writer at Convene who commits herself to creating relevant, easy-to-digest, and SEO-friendly content. Before writing articles on governance and board management, she worked as a creative copywriter for a paint company, where she developed a keen eye for detail and a passion for making complex information accessible and enjoyable for readers. In her free time, she’s absorbed in the most random things. Her recent obsession is watching gardening videos for hours and dreaming of someday having her own kitchen garden.
