Perspectives on Cyber Risk 2019


Our latest research highlights the increasing need for decisive action on cyber threats.

How do recent data protection and privacy developments affect your organisation?

Against the evolving landscape of Australia's privacy and data protection regime, we conducted our fourth annual cyber security survey to assess how Australian organisations are responding to cyber risk. More than 110 senior executives across legal, technology, finance and procurement participated in the survey.

2018 ushered in more stringent privacy and data protection laws along with harsher penalties. New regulation, including Australia's Notifiable Data Breach and consumer data right regimes, as well as the European Union's General Data Protection Regulation, brought Australia closer in line with emerging international standards.

Numerous recent and high-profile examples of data breaches, both in Australia and overseas, demonstrate that those organisations not designating cyber security as a top priority are exposing their business, customers and reputation to a clear, present and escalating danger.

Increased awareness and understanding of cyber risk does not always translate into action

Against this background, our latest survey results indicate that more should be done to address this danger. Respondents indicated that they are aware of the cyber threat, and year on year we have seen a significant increase in organisations' acknowledgement and understanding of the risk. However, this has not always translated into appropriate and considered action.

78% of respondent organisations said that they have a data breach response plan in place, but only 45% of survey respondents told us they regularly (at least annually) tested it.

Despite the hype, many organisations are yet to jump on board with AI and big data

Artificial intelligence (AI) and big data solutions are important drivers for organisations seeking a competitive advantage. However, our survey indicates that many organisations are yet to jump on board.

Only 25% of respondents reported that they currently use, or intend to implement in the next 12 months, AI or big data solutions. 

Of those survey respondents who are using, or who plan to implement, AI or big data solutions, only a few told us that they have undertaken a privacy impact assessment or security risk assessment of those solutions. A thorough understanding of the privacy and security impact of these new technologies will be an increasingly important aspect of understanding an organisation's cyber risk profile.

The fourth industrial revolution: at the crossroads of current and developing data-related rights

With many organisations now exploring the potential of AI, big data and the Internet of Things, the security of data as a right and an asset, as well as a liability and a cost, has taken on an increased significance. Regular, day-to-day activities that in the past would not have involved digital interaction may now leave both individuals and organisations exposed.

Organisations cannot afford to be complacent about cyber risk. They need to implement robust data governance arrangements and strategies for managing and protecting data. These should be developed with a customer-centric approach to data use.


At a time when the law cannot keep up with the pace of technological change, it is incumbent on organisations to develop their own set of baseline privacy and data protection rules.

The time to act is now.

Taking strong, decisive and consistent action is the best defence against a potential attack.

This means:

  • developing, implementing and properly resourcing a formal cyber resilience strategy, which is regularly tested and updated
  • developing and implementing tailored data breach response, business continuity and disaster recovery plans, which are regularly tested and updated
  • regularly training all staff (not just IT staff) in order to embed a culture of cyber awareness and data protection across the organisation, and to ensure that everyone understands their roles and responsibilities in the event of a cyber incident
  • undertaking privacy impact and security assessments when planning to adopt new technologies, AI or big data solutions
  • developing governance and ethical guidelines and frameworks for the implementation and use of data
  • capturing lessons learned and monitoring global developments in privacy and data protection, in order to continually assess and improve the organisation's cyber posture.

Point of View: insights into key issues and challenges facing business today.

In this series of interviews with MinterEllison partners we hear their perspective on key areas of interest to our clients and the business community.