Perspectives on cyber risk: new threats and challenges in 2022

For Australian organisations, cyber resilience is more important than ever.

In the seventh edition of our Perspectives on Cyber Risk report, our findings point to a dangerously evolving cyber landscape. Organisations are facing a greater volume of cyber attacks. They are suffering increasingly severe financial and reputational consequences, and are more exposed than ever across complex supply chains.

Lawmakers and regulators are responding accordingly.

Organisations must comply with new laws, including the new Security of Critical Infrastructure (SOCI) legislation and ransomware-specific regulation, and Privacy Act amendments have been proposed.

Privacy and corporate regulators, such as the Office of the Australian Information Commissioner (OAIC), the Australian Securities and Investments Commission (ASIC), the Australian Competition and Consumer Commission (ACCC) and the Australian Prudential Regulation Authority (APRA), have put organisations on notice that they will take enforcement action against those who fail to comply with regulatory obligations and standards.

But with proper planning, there are steps organisations can take to protect their organisations and mitigate against cyber risk.

In this Report, we discuss insights and trends revealed by both our annual survey and our qualitative interviews with information security leaders. We look at the evolving regulatory landscape, how cyber risk measures are impacting specific industries, and what organisations should consider doing now.

Cyber risks are higher than ever and their impacts increasingly severe – every organisation needs to take steps to respond accordingly.”

Paul Kallenbach

Key takeaways in Perspectives on Cyber Risk 2022

With ransomware attacks more prevalent, the cyber risk landscape is becoming increasingly threatening.

2020-21 saw a 15% increase in ransomware-related cybercrime compared to the previous financial year, as reported in the Australian Cyber Security Centre’s Annual Report. In 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.

Many organisations we interviewed told us they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware playbook to implement should one occur.

Governments around the world are responding. The Australian Government released its Ransomware Action Plan in October 2021, which sets out its intention to introduce ransomware-specific laws.

Board awareness and education is a primary concern as the risks escalate and the stakes become higher.

Increased regulation (including the new SOCI laws) impose onerous new obligations on organisations across many sectors of the economy.

Within that context, Board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.

Australian organisations are finding it difficult to fill specialist cyber security roles.

Many organisations said that finding qualified and experienced IT security personnel continues to be a significant challenge. This is exacerbated by the ‘great resignation’ and global resourcing issues, but the cyber resourcing problem predates them.

Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea.

In our one-on-one interviews, technology and information security leaders told us that cyber insurance is becoming increasingly more expensive and its coverage more limited – both in terms of the extent of policy exclusions, and the lower available limits.

Leaders recognise that cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to uplift their cyber resilience.

Talk to us about we can help you take proactive steps to uplift your organisation's cyber resilience.