Cyber Security Awareness: Key Risks, AI Breaches & Insurance Insights for Australian Businesses

16/10/25

October Cyber Updates: Windows 10 Risks, Privacy Penalties & New Employee Protection Options

October marks Cyber Security Awareness Month

It is a good time to remind clients that cyber threats are increasing and affect businesses of every size, and to encourage them to embed cyber safety into their daily routines. Here are some simple but powerful habits your team can adopt:

  • Use strong, unique passphrases: Combine four or more random words (e.g. ocean lamp tiger cloud) and add special characters or numbers. Avoid quotes, personal details, or predictable phrases.
  • Keep devices updated: Regular software updates help protect against the latest threats.
  • Enable multi-factor authentication (MFA): Adds an extra layer of protection by requiring two or more forms of ID (e.g. passphrase and biometrics).
  • Ensure sensitive data is encrypted at rest and in transit: Don’t rely solely on backup strategies. When attackers skip encryption and go straight to data theft, your backups won’t protect against reputational damage or privacy breaches.
  • Invest in regular cyber awareness training and phishing simulations: around 70% of breaches involve staff mistakes like clicking phishing links or misconfiguring systems.
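The passphrase advice above can be put in numbers. The following is an added example (not part of the original newsletter) that generates a passphrase from random words using a cryptographically secure source and compares its guessing entropy with a "predictable phrase" drawn from a list of well-known quotes; the small wordlist and the quote-list size are constructed for illustration.

```python
import math
import secrets

# Constructed sample wordlist for the demo. A real generator should use a
# published list of several thousand words (the Diceware list has 7,776).
SAMPLE_WORDS = ["ocean", "lamp", "tiger", "cloud", "river", "stone", "maple", "candle"]
EXTRA_CHARS = "0123456789!@#$%^&*"


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly (with replacement)
    from `wordlist_size` words: each word contributes log2(wordlist_size)."""
    return word_count * math.log2(wordlist_size)


def predictable_phrase_entropy_bits(phrase_list_size: int) -> float:
    """A quote or song lyric is only as strong as the list an attacker can
    enumerate it from, regardless of its length: log2(list size)."""
    return math.log2(phrase_list_size)


def generate_passphrase(words, word_count: int = 4, extra_chars: int = 1) -> str:
    """Build a passphrase with the `secrets` CSPRNG (never `random`), then
    append random symbols/digits as the tip suggests."""
    if word_count < 4:
        raise ValueError("use four or more random words")
    chosen = [secrets.choice(words) for _ in range(word_count)]
    suffix = "".join(secrets.choice(EXTRA_CHARS) for _ in range(extra_chars))
    return " ".join(chosen) + suffix


def total_entropy_bits(word_count: int, wordlist_size: int, extra_chars: int = 1) -> float:
    """Words plus appended characters drawn from EXTRA_CHARS."""
    return passphrase_entropy_bits(word_count, wordlist_size) + extra_chars * math.log2(len(EXTRA_CHARS))


def expected_guesses(bits: float) -> float:
    """On average an attacker finds the secret after half the keyspace."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    print("example:", generate_passphrase(SAMPLE_WORDS))
    # Four Diceware words: about 51.7 bits; a quote from a list of 100,000: ~16.6 bits
    print("4 random words (7,776-word list):", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("famous quote (100,000-entry list):", round(predictable_phrase_entropy_bits(100_000), 1), "bits")
```

The four-word passphrase needs roughly 2^50 guesses on average; the quote, however long, needs only about 50,000.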

This year’s Cyber Security Awareness Month also coincides with the release of the Australian Government’s Annual Cyber Threat Report 2024–25, which highlights a sharp rise in cybercrime and reinforces the need for proactive cyber hygiene. The report reveals that the average cost of cybercrime for medium-sized businesses has surged by 55% to $97,200 per incident, with email compromise and identity fraud among the most reported threats. The message is clear: all businesses must operate with a mindset of “assume compromise” and prioritise the protection of their most critical digital assets.


Windows 10 Retirement: A Cyber Risk Businesses Can’t Ignore

Microsoft ended support for Windows 10 on 14 October 2025, which means no more security updates, bug fixes, or technical support. Businesses still using it beyond this date face growing cyber risks and potential compliance issues.

Why It Matters

  • Unpatched vulnerabilities become easy targets for attackers.
  • Cloud tools and Microsoft 365 apps may stop working reliably.
  • Regulators may view outdated systems as a failure to protect sensitive data.

Challenges for SMEs

  • Older hardware may not support Windows 11.
  • Legacy apps and devices may need upgrades.
  • Staff may need training to adapt to the new system.

What You Can Do

  • Start planning your migration now.
  • Audit your devices and software.
  • Review your cyber insurance and D&O policies to ensure they cover outdated systems and related liabilities.

Treat this transition as an opportunity to modernise your IT environment and strengthen your cyber posture.


Qantas Breach: The Long Tail of Cyber Incidents

Although the breach was publicly confirmed on 13 October 2025, it’s important to note that the ransomware attack occurred back in July. Qantas revealed that after ransom demands were not met, personal data from up to 5 million customers had been leaked on the dark web, including names, contact details, dates of birth, and frequent flyer numbers. The data was stolen from a Salesforce database used by Qantas and its third-party service providers. The attack was carried out by a group known as Scattered Lapsus$ Hunters, which has targeted dozens of global brands. In response, Qantas obtained a NSW Supreme Court injunction to restrict publication of the stolen data, and its board imposed bonus cuts on senior executives as a form of accountability.

This case also highlights why timing matters in cyber incidents. Even though the breach occurred months earlier, the public impact and regulatory scrutiny escalated in October, showing how cyber events often unfold over time. Legal responses, forensic investigations, and ransom negotiations can delay public disclosure, while reputational damage may peak long after the initial breach. It reinforces the need for businesses to monitor post-breach activity for months, not just days, and to have robust response plans that account for extended fallout.


Cyber Enforcement Tightens: A Wake-Up Call for All Businesses

On 8 October 2025, the Federal Court handed down a landmark decision, ordering Australian Clinical Labs to pay $5.8 million in penalties following a ransomware attack on its subsidiary, Medlab Pathology. The court held the company responsible for failing to take reasonable steps to protect personal data and for delaying notification to regulators and affected individuals. The breach exposed sensitive health data of over 223,000 individuals, and the ruling marks the first time civil penalties have been imposed under the Privacy Act.

This case marks a turning point in Australia’s privacy enforcement, with regulators sending a clear message: cybersecurity negligence will carry serious financial and reputational consequences. Timely breach response and transparent communication are no longer optional.

These developments follow major reforms to the Privacy Act 1988, which came into effect in June 2025. The changes introduced stronger penalties, expanded powers for the OAIC, and a new legal right for individuals to take action if their privacy is seriously invaded. Businesses must now show, through their systems and practices, how they actively protect personal data. Transparency and accountability are legal obligations, not just best practice.

But beyond operational lessons, this case also highlights the critical role of insurance in managing cyber risk. By the time a business reaches the point of facing a regulatory fine, it has often already incurred substantial costs like forensic investigations, legal defence, breach notification, PR crisis management, and technical recovery. Without adequate cyber insurance limits, these costs can quickly overwhelm even well-resourced organisations.


AI Breach in NSW: A New Cyber Risk

On 7 October 2025, the NSW Reconstruction Authority confirmed a serious data breach after a contractor uploaded sensitive flood victim data to ChatGPT, an unauthorised public AI platform. The file contained personal and health details of over 3,000 individuals, making this one of Australia’s first known government breaches involving AI misuse. The file was uploaded in March 2025, but the incident was only disclosed publicly six months later, raising concerns about transparency and response protocols.

The incident highlights the emerging risk of “shadow AI”: staff or contractors using unvetted tools to process sensitive data.

The NSW Government has launched an independent review and notified the Privacy Commissioner. While no evidence has yet emerged that the data was accessed or leaked, the reputational and regulatory implications are significant.


Why These Incidents Matter for All Businesses — Key Lessons & Tips

Recent breaches involving Qantas, NSW Government, and Australian Clinical Labs highlight urgent cyber risks that affect organisations of all sizes. Whether you're a listed company, large corporate or an SME, the lessons are clear:

1. Third-party risk is real: Breaches often originate from vendors, cloud platforms, or contractors. 30% of cyber incidents stem from third-party relationships, and attackers increasingly exploit SMEs as stepping stones to reach larger targets.

Even if your systems are hosted externally, your business remains accountable for data protection. Regulators and clients will look to you, not your vendor, if a breach occurs. Cyber insurance helps demonstrate governance, but it’s not a substitute for secure practices. Tools like Microsoft 365 or AWS aren’t foolproof: stolen credentials or misconfigured settings can expose sensitive data.

Tip: Review vendor contracts and clarify breach response roles. Use third-party backup tools as cloud platforms are not full backup solutions.

2. Regulatory pressure is rising: Boards are now linking executive pay to cyber resilience. Cyber risk is increasingly viewed as a legal and financial issue, not just an IT concern, with regulators like ASIC treating cyber governance as a fiduciary duty. Governance failures and reputational damage from breaches can trigger Directors & Officers (D&O) liability claims, especially if boards fail to oversee cyber risk effectively.

Tip: It’s essential that leadership teams understand their responsibilities under the Privacy Act and Corporations Act. Ensure your D&O and Cyber policies provide comprehensive coverage, including regulatory fines (where insurable), incident response, and legal support. Cyber hygiene must be embedded into daily operations to safeguard people, data, and reputation.

3. Ransomware Payments Must Be Reported: Since 30 May 2025, businesses with annual turnover of $3 million or more must report any ransomware or cyber extortion payments within 72 hours. This includes payments made via cryptocurrency or by third parties on your behalf. Failure to report can result in fines of up to $19,800. The new rules aim to improve visibility of cyber threats and strengthen Australia’s national response.

Tip: Review your incident response plan to ensure it includes ransomware payment scenarios. Assign clear internal roles for breach reporting. Early coordination can help avoid penalties and reputational damage.

4. Ransomware is evolving: Attackers are increasingly skipping traditional encryption and focusing solely on data theft and extortion. Even businesses with strong backup strategies may still be vulnerable, as sensitive customer or employee data is now the primary target as highlighted in recent cases.

Tip: Ensure sensitive data is encrypted at rest and in transit.

5. AI misuse is emerging: Staff using unauthorised AI tools can trigger serious breaches.

Tip: Implement AI usage policies and train staff to use only secure, approved AI platforms for any data-related tasks.


NEW OFFERING: Personal Cyber Protection for Employees

Looking to enhance your employee benefits program? A growing number of businesses are now offering Personal Cyber Insurance to their staff, an innovative way to extend cyber protection beyond the workplace and into employees’ homes.

This Group Personal Cyber Insurance is designed to safeguard employees and their families against the increasing risks of cybercrime, including identity theft, phishing scams, and ransomware.

Why it’s gaining traction:

  • The policy is taken out by the business and automatically covers each employee.
  • No excess payable on claims.
  • $20,000 coverage per employee, with a $2,500 sublimit for cyber extortion and legal costs.
  • Premium of $25.00 per employee (excluding costs), with a minimum premium of $300.
  • No proposal form required.
  • Includes 24/7 incident response and breach coaching.
  • Covers the whole family, not just the employee.

This offering is proving popular among employers who want to provide meaningful, modern protection as part of their benefits package, especially in light of the growing number of phishing and scam attempts reported across Australia.


Final Thought: Why Now Is the Right Time for Cyber Insurance

How Cyber Insurance Helps

A strong cyber policy can cover:

  • Forensic investigations and breach response
  • Legal defence and regulatory fines (where insurable)
  • Notification and PR costs
  • Third-party liability claims

If you don’t yet have cyber insurance, now is a great time to act. The market is highly competitive, and even a basic policy with a $1 million limit and minimum entry requirements can offer meaningful protection.

If you already have cyber cover, this is the moment to review your limits and consider increasing them to ensure you’re adequately protected against today’s evolving threats.


*This newsletter was independently written and compiled using publicly available information, regulatory updates, and original analysis. All case references and insights are paraphrased and cited where applicable. No content has been copied or reproduced from third-party publications. Any similarity to other materials is purely coincidental and reflects common industry themes.
