Cyber Security Risks for Australian Businesses

Is your business cyber ready?

New privacy laws bring new responsibilities for businesses

In today’s digital landscape, Australian businesses face a dual challenge: evolving cyber threats and new regulatory obligations. With ransomware, business email compromise, AI-powered scams, and deepfake fraud on the rise – alongside the new Privacy Act reforms now in place – it’s more important than ever to take proactive steps to protect your business and your customers’ data.

Know what’s at stake

Cyberattacks and data breaches are now among the top concerns for Australian businesses, and it’s not hard to see why. In its Annual Cyber Threat Report 2023–24, the Australian Signals Directorate put the average self-reported cost of a cybercrime incident at $63,600 for large businesses, $62,800 for medium businesses and $49,600 for small businesses. The real cost, once legal exposure, reputational damage and business disruption are counted, can be much higher.

Privacy Act 2024 changes raise the bar for data protection

In December 2024, the Privacy and Other Legislation Amendment Act 2024 made the first tranche of major reforms to the Privacy Act 1988. Most provisions commenced on Royal Assent, the new statutory tort commenced in June 2025, and the automated decision-making transparency requirements follow in December 2026. Together they raise expectations around how businesses handle personal information. Here’s what’s new:

  • Clearer rules on how businesses must protect and manage personal information
  • Stronger tiered penalties for non-compliance, with new powers for the Office of the Australian Information Commissioner (OAIC) to investigate and enforce the rules
  • A new statutory tort giving individuals a right to sue for serious invasions of privacy
  • New transparency requirements around automated decision making – including AI and chatbots – which commence in December 2026.

What does this mean for your business?

It’s not enough to just have a privacy policy on file. You need to show – through both technical systems and business practices – how your business actively protects personal information. Transparency and accountability are now essential.

“These changes come with increased regulatory risk for businesses and require forward planning and strong attention to detail around culture, governance, and resilience after a breach has occurred,” says Ben Richardson, Cyber Product Lead at QBE Australia.

What’s legally required under privacy law in Australia – and what’s just smart business?

Australia’s updated privacy laws set a clear baseline for businesses. Some actions aren’t optional – they’re legal requirements. For example, when the Privacy Act applies to your business, you must:

  • Take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (Australian Privacy Principle 11)
  • Notify the OAIC and affected individuals of eligible data breaches under the Notifiable Data Breaches scheme
  • Keep your privacy policy up to date
  • Remain responsible for how third-party providers in your digital supply chain handle the personal information you share with them.

As a starting point, it’s a good idea to:

  1. Read about your obligations
  2. Consider if your approach is compliant
  3. Review and update your technical and governance frameworks, as needed.

Meeting your privacy obligations and protecting your business means going beyond the basics. To stay resilient, the OAIC’s Privacy Management Framework recommends you go further, by:

  • Embedding a culture of privacy that enables compliance
  • Establishing robust and effective privacy practices, procedures and systems
  • Evaluating your privacy practices, procedures and systems to ensure continued effectiveness
  • Enhancing your response to privacy issues.

Cyber insurance isn’t part of your legal obligations – but it can be a smart move. It adds a vital layer of protection that can help keep your business afloat if a privacy or cyber event occurs.

New and emerging threats: what your cyber risk assessment should include

Emerging technologies such as AI are introducing new risks, including deepfake scams, AI-assisted ransomware and synthetic identity fraud.

In one widely reported 2024 case, cybercriminals used a deepfake video call to impersonate a company’s CFO and trick a finance officer into transferring US$25 million.

This kind of attack highlights the constantly changing risk environment and the need for strong access and verification procedures – for example, confirming any payment or bank-detail change through a second channel such as a call to a known phone number, however convincing the request looks – as well as a culture of cyber awareness. It also shows why regular cyber security risk assessments are essential.

Six smart steps to be cyber ready

To meet your obligations and reduce the risk of a cyber event, here’s what you could focus on:

1. Strengthen your data security with cyber security and risk controls

Under the Privacy Act you’re expected to take reasonable technical and organisational steps to protect personal information. That includes putting in place strategies, where relevant, around:

  • Governance, culture and training
  • Internal practices, procedures and systems
  • ICT security
  • Access security
  • Third-party providers (including cloud computing)
  • Data breaches
  • Physical security
  • Destruction and de-identification
  • Standards.

Tip: “Businesses should limit and segregate access as much as possible, so if a specific credential does get breached, the impact is contained,” said Mr Richardson.
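To make that tip concrete, the following Python is an added example (not code from the article, from QBE or from any real product): a deny-by-default policy evaluator for scoped credentials, with a blast-radius calculation that lists what a leaked credential could reach. The credential names, resource paths and actions are constructed for illustration.

```python
"""Least-privilege illustration (added example, not from the article).

Scoped credentials are evaluated deny-by-default, an explicit deny wins
over any allow, and blast_radius() enumerates what a leaked credential
can reach.  Every credential, resource and action below is constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from itertools import product
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Statement:
    actions: FrozenSet[str]      # glob patterns such as "read" or "*"
    resources: FrozenSet[str]    # glob patterns such as "finance/invoices/*"
    effect: str = "allow"        # "allow" or "deny"


@dataclass
class Credential:
    name: str
    statements: List[Statement] = field(default_factory=list)


def is_allowed(cred: Credential, action: str, resource: str) -> bool:
    """Deny by default; any matching deny statement overrides allows."""
    allowed = False
    for st in cred.statements:
        if any(fnmatchcase(action, a) for a in st.actions) and any(
            fnmatchcase(resource, r) for r in st.resources
        ):
            if st.effect == "deny":
                return False
            allowed = True
    return allowed


def blast_radius(cred: Credential, inventory, actions) -> List[Tuple[str, str]]:
    """Every (action, resource) pair the credential can perform."""
    return sorted(
        (a, r) for a, r in product(actions, inventory) if is_allowed(cred, a, r)
    )


# Constructed inventory of data stores holding personal information.
INVENTORY = [
    "crm/customers/records",
    "hr/payroll/records",
    "finance/invoices/records",
    "backups/crm/snapshots",
]
ACTIONS = ["read", "write", "delete"]

# A shared "admin" credential of the kind that accumulates in small businesses.
BROAD = Credential("legacy-shared-admin", [
    Statement(frozenset({"*"}), frozenset({"*"})),
])

# The same invoicing job done with a credential scoped to one data store,
# and explicitly barred from deleting anything.
SCOPED = Credential("invoicing-service", [
    Statement(frozenset({"read", "write"}), frozenset({"finance/invoices/*"})),
    Statement(frozenset({"delete"}), frozenset({"*"}), effect="deny"),
])


def exposure_if_leaked(cred: Credential) -> int:
    """Number of (action, resource) pairs an attacker holding cred gains."""
    return len(blast_radius(cred, INVENTORY, ACTIONS))


if __name__ == "__main__":
    for cred in (BROAD, SCOPED):
        print(f"{cred.name}: {exposure_if_leaked(cred)} reachable action/resource pairs")
        for action, resource in blast_radius(cred, INVENTORY, ACTIONS):
            print(f"  {action:6s} {resource}")
```

Run as-is, the shared admin credential reaches all 12 action/resource pairs while the scoped one reaches 2, which is the containment the tip is describing. The same evaluation shape (allow statements scoped to resources, a blanket deny on destructive actions) maps directly onto cloud IAM policies and database grants.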

2. Update your privacy policy to meet Australian privacy law requirements

Your privacy policy must clearly explain:

  • What personal information you collect, how you collect and hold it, and why
  • How it’s used, disclosed and shared, including whether it’s likely to be disclosed overseas
  • How individuals can access or correct their information
  • How they can contact you or make a complaint.

Tip: From December 2026, you’ll also need to disclose in your privacy policy any use of automated decision making – including AI – that could significantly affect individuals’ rights or interests.

3. Regularly train your people to manage cyber security and risk

Privacy compliance isn’t just an IT issue – it’s a business issue. Make sure your team:

  • Understands what personal information is
  • Knows how to handle it securely
  • Can spot and report suspicious activity.

Tip: Regular staff training is now considered a baseline expectation.
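As an added example that is not from the article or from QBE, the Python below runs two simple business email compromise checks over constructed sample messages: a sender domain that is a lookalike of the company’s own (homoglyphs, or one or two characters off), and an executive’s display name or a Reply-To header pointing somewhere other than the sending domain. The company domain example-co.com.au, the executive name and the three messages are assumptions made for the demonstration.

```python
"""Business email compromise (BEC) signals (added example, not from the article).

Flags the red-flag patterns staff are trained to spot: a sender domain that
looks like ours but isn't, an executive's name on an outside address, and a
Reply-To that diverts replies elsewhere.  Domain, names and messages are all
constructed for the demonstration.
"""
import email
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example-co.com.au"          # assumed company domain
EXECUTIVES = {"jane citizen"}             # assumed executive display names (lower-case)

# Characters attackers swap to make a domain look right at a glance.
_HOMOGLYPHS = str.maketrans("013", "ole")


def normalise(domain: str) -> str:
    """Undo common homoglyph substitutions so lookalikes collapse onto the real name."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between distinct domains mean 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message: str) -> List[str]:
    """Return the BEC findings for one RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    if from_domain != OUR_DOMAIN:
        # Lookalike: normalises to our domain, or is only a character or two away.
        if normalise(from_domain) == OUR_DOMAIN or levenshtein(from_domain, OUR_DOMAIN) <= 2:
            findings.append("lookalike-sender-domain")
        if display_name.strip().lower() in EXECUTIVES:
            findings.append("executive-display-name-external-address")

    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample messages.
LEGIT = (
    "From: Jane Citizen <jane.citizen@example-co.com.au>\n"
    "To: accounts@example-co.com.au\n"
    "Subject: Q3 supplier payments\n\n"
    "Please process the attached schedule as usual.\n"
)
LOOKALIKE = (
    "From: Jane Citizen <jane.citizen@examp1e-co.com.au>\n"
    "To: accounts@example-co.com.au\n"
    "Subject: URGENT wire before 5pm\n\n"
    "I'm in a meeting, can't take calls. Transfer now, details below.\n"
)
FREEMAIL = (
    "From: Jane Citizen <jcitizen.cfo@gmail.com>\n"
    "Reply-To: accounts@payments-portal.net\n"
    "To: accounts@example-co.com.au\n"
    "Subject: Updated bank details for Acme Supplies\n\n"
    "Our supplier changed banks, please update before the next run.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("freemail", FREEMAIL)):
        print(f"{label:10s} {assess(raw) or 'no findings'}")
```

The edit-distance threshold of 2 will also catch genuinely unrelated short domains, so in practice you would allow-list known partner domains and tune the threshold to your own domain length. These checks are a prompt for the human verification step, not a replacement for it: a message that passes them still gets the call-back before any payment or bank-detail change.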

4. Be prepared with a cyber risk management plan

You need clear, documented incident response and business continuity plans for cyber incidents such as data breaches, ransomware or phishing attacks. This includes:

  • Assessing a suspected data breach promptly (the Notifiable Data Breaches scheme allows at most 30 days for the assessment)
  • Notifying affected individuals and reporting eligible breaches to the OAIC as soon as practicable
  • Keeping records of all incidents and even near misses.

“Most importantly…businesses should make sure they have detailed disaster recovery, business continuity, and incident response plans for a wide variety of threat scenarios,” Mr Richardson said.

Tip: Resilience after a breach matters: a fast, transparent response can reduce your legal and reputational exposure.

5. Review your third-party risks as part of your cyber security risk assessment

If you share data with vendors, cloud providers, or partners, you’re still responsible for how it’s handled. Make sure:

  • Contracts include privacy and security obligations (for example, audit rights and notification timeframes for security events)
  • You know where your data is stored and who can access it, and that each party’s access is restricted to what it needs, so a stolen credential exposes as little as possible.

Tip: ‘We didn’t know’ won’t cut it under the new rules.

6. Consider cyber insurance

Even with strong controls, breaches can happen. Business cyber insurance can:

  • Cover the financial, operational and reputational impact of cyber events, whether caused by a threat actor or by a data or privacy incident
  • Support resilience and business continuity after an incident
  • Provide 24/7 access to cyber and legal experts during a crisis.

Tip: Almost half of Australian consumers say they’ll stop using a service after a data breach. Protecting your data and reputation is critical.

Your trusted partner

As Qualified Practising Insurance Brokers, we work hard to find the best insurance solutions for our clients. As your risk and resilience partner, we’re here to support you with practical insights and expert guidance. Contact us today.

Article Courtesy of QBE Risk Insights

Published: 30 November 2025 | Category: Business
