2 November 2025

Cyber Incident Response Plan: Why It's Time For An Update

Corrs Chambers Westgarth
Many organisations have not substantially reviewed their cyber incident response plans since they were adopted several years ago.

It has been 10 years since ASIC's Report 429 first advised companies that they needed specific Cyber Incident Response Plans, and over five years since ASIC tied the proper management of cyber incidents to directors' duties and AFS licensee obligations. Following high profile data breaches in 2022, most organisations put in place a cyber incident response plan as a component of their overall cyber response posture.

However, with many major changes to both the cyber threat landscape and the regulatory landscape since then, organisations need to review their cyber incident response plans.

Ransomware attacks have become more sophisticated, with an explosion in tactics like double extortion and public data leaks. The effectiveness of ransom payments has sharply declined due to government policies, insurance exclusions, and the recognition that payments rarely resolve underlying risk. In addition, the introduction of the Cyber Security Act 2024 (Cth) (Cyber Security Act) has changed the way companies engage with government and security agencies during a data breach and mandated the reporting of ransomware payments.

Most recently, the Federal Court's October 2025 decision in Australian Information Commissioner v Australian Clinical Labs Ltd [2025] FCA 1224 (ACL) clarified that 'reasonable steps' (required to be taken under privacy law to protect personal information) are assessed in light of an organisation's awareness of the prevailing cyber threat environment.

There is a strong expectation from regulators that cyber incident response plans are not 'set and forget': they must be 'state of the art' to be effective in a cyber breach. In this article, part of our series on cyber security awareness, we set out the four most significant developments of the past 24 months that cyber incident response plans now need to address:

  • Government engagement: NOCS and ReportCyber
  • Evolutions in ransomware decision making and reporting
  • Considering injunctive proceedings against the threat actor
  • A focus on ensuring that the standard of care is met throughout the incident response

New NOCS and 'ReportCyber'

Most data breach response plans include a notification to the Australian Cyber Security Centre. This remains important. However, new reporting obligations and data breach frameworks need to be reflected in cyber incident response plans.

The Cyber Security Act 2024, introduced to Parliament in October 2024, provides a legislative framework for the National Office of Cyber Security (NOCS), led by the National Cyber Security Coordinator (NCSC), to oversee a whole-of-government response to significant cyber security incidents.

The Act provides a framework for the voluntary disclosure of information by any organisation operating in Australia, or any responsible entity under the Security of Critical Infrastructure (SOCI) Act, to the NCSC relating to cyber security incidents. It also imposes limitations on how the NCSC may further use and disclose information voluntarily provided by entities.

As a matter of practicality, NOCS plays a very helpful coordinating role, assisting organisations that have been the subject of a data breach to coordinate government engagement and bring together affected state and federal agencies. This helps to mitigate the secondary harms that may result from an incident.

Legislation to ensure state agencies have statutory confidentiality obligations is still pending. However, the practical experience is that state agencies participate in NOCS-led discussions on the basis of the Traffic Light Protocol (TLP) and agree to limited-use terms for the information shared with them.

Impacted organisations say that NOCS has been helpful by lowering the barriers to communicating with government agencies during a breach. It also helps by ensuring that there is coordination between the Commonwealth Government and organisations subject to a data breach.

Additionally, the Australian Cyber Security Centre's 'ReportCyber' initiative, an online system for reporting cyber crime, has streamlined reporting to federal and state police. The portal allows a single report to be made, which is then referred to the relevant law enforcement agency. These changes must be reflected in cyber incident response plans.

Evolutions in ransomware decision making

Cyber incident response plans need to account for the dilemma of a ransomware event. Paying a ransom is strongly discouraged by government, law enforcement and increasingly by insurers. While no Australian law outright prohibits it, evolving regulations are increasing scrutiny and reporting requirements.

Under the Cyber Security Act 2024, a business that makes a ransomware payment must report it to the National Office of Cyber Security within 72 hours of the payment being made. The obligation applies to businesses operating in Australia with annual turnover above the threshold set by the rules made under the Act, and to responsible entities for critical infrastructure assets under the SOCI Act. This new obligation sits alongside existing mandatory reporting under the Privacy Act 1988 (Cth) and the SOCI Act 2018 (Cth) for certain data and systems incidents. Together, these laws ensure that significant cyber events don't stay hidden behind closed doors.

Before any payment is contemplated, the Australian Sanctions Office's Consolidated List must be checked against what is known about the threat actor, including any intermediaries and the wallets or accounts to which payment would be made. Paying a sanctioned individual or entity, even inadvertently, is illegal, and ignorance is no defence. A ransom that breaches sanctions can turn a cyber crisis into a criminal one.

Increased regulatory scrutiny means ransom payments, where made, must be meticulously documented and reported to avoid penalties.

Cyber incident response plans need to reflect these new obligations, as well as provide a well-thought-out framework for the decision-making and documentation process when dealing with a ransomware incident, including who is authorised to approve a payment, what checks must be completed first, and how the 72-hour reporting clock is tracked.

Consideration of a 'Persons Unknown' injunction

Where the identity of the threat actor is unknown, organisations may seek a Persons Unknown (PU) injunction. This type of court order can compel takedown of leaked data and prevent further distribution. Recent Australian cases such as HWL Ebsworth Lawyers v Persons Unknown (2024) 113 NSWLR 418 and The University of Notre Dame Australia v Persons Unknown [2025] NSWSC 550 have confirmed the utility of PU injunctions in NSW.

The benefits of a PU injunction include the:

  • prevention of further sharing or downloading of the data;
  • compulsion of cloud/file-sharing providers to remove leaked files;
  • prevention of media outlets or social platforms from publishing the data;
  • demonstration to regulators that all reasonable mitigation steps have been taken;
  • support of insurance recovery efforts; and
  • possibility of reducing class action exposure.

The decision to injunct needs to be made expeditiously. A cyber incident response plan needs to consider the circumstances in which an organisation might seek an injunction and determine key matters such as who would swear/affirm the supporting affidavits for the organisation, and the desired approach to confidentiality.

Lessons from ACL – meeting the standards in incident response

The October 2025 Federal Court decision in Australian Clinical Labs (ACL) provides further important input when updating an incident response plan. It sets a practical and legal test for whether a company's cyber incident response plan will result in the company meeting its legal obligations.

Cyber incident response plans need to be holistically assessed to ensure that they provide robust cyber risk governance and effective incident response. Over-reliance on third-party providers is a key lesson: companies cannot outsource responsibility for incident response and must be in a position to assess the adequacy of third-party services. As a matter of practicality, ensuring that incident response plans include access to experienced, trusted advisors who can independently assess and advise on the incident response will be key to meeting this obligation.

Additionally, ACL was a reminder of the importance of clearly defined roles and responsibilities in an incident response plan, including practical matters such as the training and experience of the people in those roles. Building a response team with complementary expertise ensures organisations can adapt quickly and maintain control when every minute counts.

As the ACL case illustrated, courts and regulators will now scrutinise diligence, playbooks, vendor dependencies and speed of notification.

The importance of an up-to-date, actionable cyber incident response plan

Many organisations have not substantially reviewed their cyber incident response plans since they were adopted several years ago, and there are several new issues that the response plan needs to address. An up-to-date, actionable cyber incident response plan is essential for surviving a cyber breach; and the time to act is now. The cost of having an outdated cyber incident response plan is no longer theoretical – organisations must update their plan before the next incident occurs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
