Cyber risk threat increasing and regulators take action MinterEllison report

4 minute read  04.06.2021

Regulators have increased scrutiny and enforcement action regarding cyber risk, elevating it at Board and executive level in organisations, according to MinterEllison’s report: Perspectives on Cyber Risk 2021.

The Perspectives on Cyber Risk 2021, in its sixth year, noted that there are cyber risk regulatory changes relating to privacy and data protection and governance, with ASIC and the ASX increasing their focus and action. Significant changes to Australia’s privacy landscape also loom.

MinterEllison partner, Paul Kallenbach reflected that the awareness of cyber risk among the director community – and non-tech executive community – has increased substantially. “Six years ago, we were imploring those at the top of organisations to take notice of this issue – it is now expected that cyber risk has a high profile at board level,” Kallenbach said.

Regulators have been signalling action for many years and companies are elevating their levels of compliance. ASIC has now identified 'deterrence-based enforcement action' as one of its critical cyber supervisory projects for 2021.

“Woe betide any director who doesn’t consider this to be a top five risk for the organisation – the risk is prevalent and increasing and regulators are watching,” Kallenbach said.

MinterEllison found that more organisations are testing their data breach response plans, but this is still not enough, and more needs to be done to protect against cyber attacks. The report revealed that 55% of survey respondents indicated that their data breach response plans were being tested at least annually, compared with 34% last year. Those firms that are not regularly testing their plans operate at higher risk.

The existence and regular testing of data breach response plans are more prevalent in larger organisations, particularly those who have previously dealt with cyber attacks, such as the financial services sector.

“Unfortunately, the most effective lever to persuade an organisation to test its data breach response plan is for it to suffer a serious cyber risk incident. Such an incident will take a company from having a plan to testing that plan,” Kallenbach said.

Other key findings

  • Individuals remain the prime targets of cyber attacks. Despite the high-tech nature of some attacks, individuals remain the ‘weak link’, and hence a critical focus of cyber security planning. While 70% of incidents arose from phishing attacks, a further 17% of incidents involved invoice fraud, leaving just 13% of incidents arising due to technical forms attack (such as DDoS attacks).
  • The rate of adoption of external cyber frameworks remains low. External frameworks, such as the Australian Signals Directorate's Essential Eight, provide valuable guidance on best practice for managing cyber risk; however, less than 50% of organisations have taken steps to assess their cyber security maturity against such a framework.
  • Almost 40% of survey respondents faced increased cyber security risks due to the shift to remote working. Others found that COVID-19 exposed latent and underappreciated cyber issues.

MinterEllison advises organisations and their Boards to:

  • Focus on the supply chain

Organisations should develop a thorough understanding of their supply chain, including their key vendors’ IT security and operational postures to mitigate against the introduction of weak links. APRA-regulated organisations must do this in order to discharge their obligations under APRA’s Prudential Standards.

  • Build for resilience

COVID-19 has exposed the critical importance of resilience in the procurement and operation of crucial ICT systems in helping to mitigate against events that may be outside of an organisation’s control.

  • Keep up the regular training

Most cyber incidents still result from human error. A regular program of security training and awareness is critical to addressing this.

  • Don't go it alone

Organisations should consider joining an industry group or forum to share intelligence regarding cyber risk and evolving cyber threats.

To find out more, visit



For media enquiries, please contact:

Sue Woodward
Brand Marketing and Communications Lead
T+61 2 9921 4192


We're getting jabbed.

Our goal is to be 80% vaccinated by December.