How to manage cyber risk in 2026

By Valeska Bloch, Isabelle Guyot, William Coote

Determining what is reasonable and sufficient

Australian cyber risk management regimes are high-level and principles-based, offering flexibility but leaving organisations exposed if their capabilities and cybersecurity posture aren't genuinely commensurate with the increasing and evolving risks. Regulators and courts expect far more than frameworks and checklists.

In this Insight, we look at recent enforcement activity, guidance and regulator commentary and provide 10 key considerations that will help organisations decipher their priorities for 2026.

Why 'reasonable and sufficient' is a moving target 

Recent (successful) enforcement action by the OAIC and ASIC, and statements made by APRA and the Critical Infrastructure Security Centre (CISC), make it clear that increasing cybersecurity spend, and the existence of a risk management framework, some cybersecurity tech, incident response plans, annual cyber simulations and periodic control audits, is not enough. It's a tough pill to swallow for organisations already investing heavily while battling a proliferation of threats, competition for talent and pressure to increase the proportion of budget spent on driving productivity and growth, including via technology like AI applications.

In addition to making an assessment informed by the risk profile and evolving threat landscape (a critical but often overlooked first step), organisations can take cues from the increasing body of guidance, regulatory determinations, regulator speeches, press releases and (increasingly) case law. They don’t all make headlines, but they are critical reading as the most relevant point-in-time indication of how regulators (not to mention class action plaintiffs) are approaching these issues.

Recent enforcement actions

There have been a number of these breadcrumbs recently. Together, they tell a story of repeated system deficiencies and current regulator focus areas. These include:

  • APRA Board Member Suzanne Smith's speech, which identifies current APRA focus areas and exposes repeated system deficiencies identified via recent reporting and sector-wide audits (putting APRA-regulated entities on notice of areas to interrogate internally). It's a worthwhile read, including for non-APRA-regulated entities, as these findings tend to provide a bellwether for other parts of industry.
  • The OAIC's determination made against Vinomofo, which adds to the growing guidance on the steps organisations should be taking to meet their APP 11.1 requirements (ie to take reasonable steps to protect personal information), with a particular focus on cloud and data migration projects.
  • The ASD and AICD's joint publication of Cyber security priorities for boards of directors 2025-26.
  • The CISC's Critical Infrastructure Annual Risk Review.
  • The OAIC's new NDB statistics dashboard and blog post that includes a case study about outsourcing personal information-handling to third parties.
  • The OAIC's 2024-2025 Annual Report, which includes as a regulatory focus area, ensuring emerging technologies (including AI) 'align with community expectations and regulatory requirements and [target] current and emerging harms effectively and proportionately while continuing to proactively guide compliance in a dynamic digital environment'.
  • The Federal Court's approval of Australian Clinical Labs' settlement agreement with the Australian Information Commissioner. For our detailed analysis, see One cyber incident, many breaches: first civil penalty under the Privacy Act.

10 things you need to consider

  1. While our cyber risk management regulatory regimes are high-level and principles-based, regulators are demonstrating via enforcement action, guidance and reporting that they have high expectations of what needs to be done to comply with those regimes. 
  2. Absent more prescriptive regulation, organisations need to take cues from regulatory enforcement action, regulator speeches, press releases, guidance and case law (of course in addition to undertaking their own risk assessments).
  3. Don't underinvest in IT. Actively manage legacy IT systems and proactively identify the 'hidden costs' (APRA's words) of keeping outdated technology, including costs masked by cost-cutting or optimisation strategies. APRA is frustrated with reliance on legacy systems and outdated software, which are:
    • less resilient to cyber threats because they don’t meet modern security standards;
    • harder to maintain because parts and skilled professionals are scarce; and
    • difficult to integrate with modern digital channels.
    ASD guidance for boards also warns of the 'significant and enduring risks' legacy IT poses to cybersecurity and provides questions for boards to ask, and advice for executives, on managing these risks. 
  4. Culture is key. A company-wide culture that prioritises data protection through regular roles-based training, leadership accountability, robust risk assessments and documented internal policies, procedures and systems, is required.
  5. Cloud dependency is receiving renewed focus across the board. The Vinomofo case shows the application of APP 11.1 to cloud services and data migration. In that case, the OAIC expected:
    • enhanced security logging for databases housing sensitive information;
    • strong cloud security controls, access monitoring controls and real-time alerts and incident response mechanisms; and
    • more robust security policies supported by a privacy and security-focused culture led by qualified staff.
    APRA’s Suzanne Smith also highlighted cloud-related data and resilience risks, stating that regulated organisations need: 
    • a comprehensive understanding of supply-chain vulnerabilities;
    • contingency plans to mitigate disruptions;
    • strong contract management, thorough risk assessments and solid partnerships with key suppliers; and
    • ongoing monitoring to ensure continuity of operations.
  6. Notify incidents early, even if information is imperfect. This has now been reemphasised by APRA and is consistent with what the OAIC has been telling us for some time.
  7. Stress test whether controls-testing programs are robust and fit-for-purpose (they often aren't). Consider the design and effectiveness of testing programs, including testing frequency, coverage and techniques (ie testing programs shouldn't just check whether controls work, but should also test whether they are adequately protecting the right things). Testing scenarios should include multi-entity, multi-vendor failures, and clear customer outcome metrics when operating in contingency modes (ie both complete failures and 'degraded mode' operations). Checks should go beyond checking documents, to properly validating whether tolerance levels, mapping and testing capture real points of failure and vulnerability across first, second, third and further parties. 
  8. For APRA, incident patterns that call for broad visible controls, disciplined testing and timely notifications include:
    • accidental data disclosure (eg sensitive customer reports being distributed to the wrong recipient). This highlights weak data-handling procedures, inadequate data leakage limits and lack of compensating controls while also putting vulnerable persons at risk of harm, particularly where domestic violence is involved.
    • credential compromise and a lack of strong authentication. This is enabling credential stuffing and spraying attacks to be more effective than they should be, testing detection and response maturity.
    • insufficient network monitoring and management, allowing malicious activity to go undetected or limiting the ability to respond while maintaining customer service. The OAIC also outlined minimum security logging and access monitoring expectations in the Vinomofo determination, and the ASD guidance includes board-level questions to test event logging adequacy.
    • service provider incidents, underscoring third-party assurance gaps and the effectiveness of techniques to limit contagion.
  9. Entities should identify and address third-party and concentration risk, including by mapping service interdependencies and routinely undertaking credible scenario testing. In its recent blog post, the OAIC also emphasised the need for third-party diligence, contractual clauses on the retention or destruction of data, and regular cybersecurity assessments and audits of existing vendors to evaluate the effectiveness of controls and practices and confirm compliance with relevant security standards, contractual requirements and legal obligations.
  10. Existing regulatory regimes require organisations to manage emerging AI risks, and APRA has stepped up monitoring to enforce compliance. APRA is also monitoring the possibility that data aggregation could lead to growing concentration risk with single-source providers of data and foundational AI models, driving greater homogeneity and potentially biased data sets in the financial sector. Current and emerging harms presented by emerging technologies (including AI) were also flagged as a major area of focus in the OAIC's Annual Report.

Looking ahead

Managing cyber risk in 2026 requires more than compliance checklists. Principles-based regimes offer flexibility, but regulators expect organisations to go beyond high-level frameworks and demonstrate robust, tested and adaptive controls commensurate with the nature and size of the applicable risks. Recent monitoring and enforcement activity by the OAIC, ASIC and APRA highlights gaps in legacy IT management, cloud security, incident response preparedness, and technical authentication, detection, alerting and access controls.

Organisations must also address third-party and concentration risks, and prepare for emerging challenges such as AI-related risks and supply chain vulnerabilities.

Taking cues from regulator speeches, case law and guidance is critical to meeting rising expectations and avoiding costly enforcement action.