The recent Qantas cyber-attack, regulator action against Optus, the rising prevalence of AI use and a new Government cyber security consultation are timely reminders that the risks to organisations and individuals from cyber and data incidents have not diminished. These events reinforce the critical role boards should play in overseeing an organisation-wide approach to identifying digital risks and building cyber and data resilience.
The significant Qantas cyber incident from July 2025, which exposed the personal information of 5.7 million customers, serves as a stark reminder that cyber threats remain one of the most pressing governance challenges facing Australian boards today.
Supply chain cyber risks: Qantas and OAIC action against Optus
The Qantas incident, which occurred when a cyber-criminal reportedly targeted one of the airline’s contact centres and gained access to a third-party customer management platform, also highlights the risks that can eventuate in digital supply chains. As organisations of all sizes increasingly rely on third parties for key digital systems and infrastructure, the need for effective risk oversight of these providers has grown.
Separately, the Office of the Australian Information Commissioner (OAIC) on 8 August 2025 announced it had commenced civil proceedings against Optus related to the September 2022 cyber incident and resulting data breach. The OAIC alleges Optus seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information. The OAIC further alleges that Optus failed to adequately manage cyber security risk in a manner that corresponded with the nature and volume of personal information that Optus held and the size and risk profile of the company.
Carly Kind, the Australian Privacy Commissioner, in a release accompanying the action highlighted the risks that come with complex digital supply chains:
…the Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers.
Key AICD cyber and data governance guidance
Governing through a cyber crisis
The AICD resources Governing Through a Cyber Crisis (developed with Ashurst and the Cyber Security Cooperative Research Centre (CSCRC)) and the Cyber Security Governance Principles (developed with the CSCRC) have a number of key messages for all Australian boards for how to prepare, and respond to, a critical cyber incident:
- All organisations should have a comprehensive and up-to-date response plan, with the board participating in simulation exercises to test the plan with management;
- Communications to staff, customers and government/regulators should be timely, transparent and offer practical advice (e.g. change passwords) and should be updated as more about the incident is known; and
- The board should oversee a response that is aware of, and responsive to, the human impact of a critical incident, including on customers and staff.
The Qantas response indicates that the company had prepared for the eventuality of a significant cyber and data incident, including having a comprehensive approach to communicating with impacted customers. However, the incident is a reminder that even well-prepared and well-resourced companies can fall victim to targeted cyber-attacks.
Digital supply chain risks
In May this year the AICD, in partnership with Allens and the Melbourne Business School, published Data Governance Foundations for Boards. This publication, in addition to the Cyber Security Governance Principles, provides guidance to directors on how to oversee risks in increasingly complex and interdependent digital supply chains. Key principles conveyed in the publications include:
- The board should have visibility, via a map or stocktake, of key providers who support the organisation’s critical data and digital assets, including the providers’ location and interdependencies with other IT systems and infrastructure;
- There should be due diligence on the provider’s data and cyber security posture and settings, including adherence to standards and benchmarks (e.g. ISO 27001) and notification obligations; and
- The organisation should have effective access controls in place that cover how data is transmitted, managed and stored between the organisation and the provider.
The AICD guidance stresses that the board should be cognisant that the organisation itself, in most cases, may be held legally responsible for failings of the provider and that ultimately the cyber resilience of the provider is a key component of the organisation’s overall cyber posture.
New Government cyber consultation
The Department of Home Affairs (Home Affairs) has launched a consultation on Horizon 2 of the 2023-2030 Australian Cyber Security Strategy. Horizon 2 is seeking to build on the cyber reforms introduced in 2024, such as ransomware reporting, with a particular focus on the resilience of individuals, small businesses and not-for-profits (NFPs).
The consultation is seeking feedback in a number of areas, including:
- Practical steps to build the cyber resilience of small businesses and NFPs;
- The role that a specific cyber standard and certification process tailored for small businesses and NFPs could play in building resilience;
- Accessibility of cyber insurance products; and
- The effectiveness of the Security of Critical Infrastructure Act 2018 in addressing cyber risks.
The AICD will be providing a submission to this consultation and member feedback is welcome at policy@aicd.com.au.