Australian government entities reported varied levels of cyber security implementation in 2024–25, with changes in key controls alongside continuing gaps in maturity, training, and incident reporting, according to new data from the Australian Signals Directorate (ASD). The Commonwealth Cyber Security Posture in 2025 report, tabled in Parliament, is based mainly on ASD’s annual Cyber Security Survey of Commonwealth entities. In 2025, 94% of federal entities participated, matching the previous year and the highest response rate recorded for the survey period.
As of June 30, 2025, the Commonwealth structure included 194 entities: 102 non‑corporate Commonwealth entities, 74 corporate entities, and 18 Commonwealth companies. Across this group, ASD assessed cyber posture against technical hardening (including the Essential Eight controls), incident preparedness and response, and leadership and planning for cyber risk. The report finds that governance arrangements for considering cyber risk are in place across much of government, but that implementation of technical controls, incident management practices, and reporting to ASD are not consistent across entities.
On technical controls, 22% of entities reached overall Maturity Level 2 across the Essential Eight mitigation strategies in 2025, up from 15% in 2024. However, this is still below 2023, when 25% of entities met Maturity Level 2. ASD links this shift to its November 2023 decision to “increase and harden the controls required to reach Maturity Level 2 in response to the threat environment.” The strengthened requirements mean entities must complete additional work to satisfy the updated mitigation thresholds.
Legacy systems are identified as a significant structural factor. The report states that “legacy IT presents significant and enduring risks to the cyber security posture of Australian government entities.” In response, ASD has issued guidance on managing legacy IT, including low‑cost mitigation options, and in October 2025 released a suite of publications on “modern defensible architecture” to guide decisions on new investments and the long‑term management or replacement of older technologies. For insurance professionals assessing public‑sector risks or dependencies on government platforms, these maturity gaps and legacy IT exposures are relevant to both frequency and severity assumptions for cyber incidents.
The survey results indicate broader uptake of formal strategies and plans. In 2025, 82% of entities reported having a cyber security strategy, up from 75% in 2024. Business continuity and disaster recovery planning more frequently incorporates cyber disruption, with 92% of entities addressing cyber security disruptions in these plans, compared with 86% the previous year. Planned improvement activity is also common. ASD reports that 91% of entities had a defined body of work planned to improve their cyber security, and 83% had secured funding for that work.
Incident readiness indicators moved in different directions. In 2025, 90% of entities had an incident response plan, up from 86% in 2024. Annual cyber security training for the general workforce was provided by 87% of entities, rising from 78% a year earlier. By contrast, training for higher‑access user groups declined. The proportion of entities providing annual privileged user training fell to 45% in 2025, from 51% in 2024. Supply chain risk assessment activity also eased: 70% of entities reported conducting supply chain risk assessments for applications, IT equipment, and services in 2025, down from 74% the year before. These results show higher coverage at the policy and general workforce level, and lower coverage for privileged user training and third‑party risk assessment, both of which are central to many cyber insurance underwriting frameworks.
Despite increases in planning and training, direct reporting of incidents to ASD remains limited. Only 35% of entities indicated that they reported at least half of the cyber incidents observed on their networks to ASD in 2024. ASD supplements survey data and voluntary reporting with its own visibility across government networks. In 2025, it notified government entities 223 times of potential malicious cyber activity detected through its monitoring and telemetry.
The posture report recommends that entities continue implementing the Essential Eight to at least Maturity Level 2, prioritise effective logging, adopt active strategies for managing legacy IT, make supply chain risk assessment a standard part of new IT procurements, increase cyber incident reporting, and maintain regularly tested incident response plans. It also advises entities to “start preparing for Post Quantum Cryptography by locating and assessing algorithms that will need to transition to more secure forms of encryption.”
ASD’s Annual Cyber Threat Report 2024–25, released in October 2025, provides a broader national picture that aligns with the government survey results and is directly relevant to commercial insurers and brokers. In FY2024–25, ASD’s Australian Cyber Security Centre (ACSC) received more than 42,500 calls to the Australian Cyber Security Hotline, a 16% increase on the previous year. The ACSC responded to over 1,200 cyber security incidents, up 11%, and notified entities more than 1,700 times of potentially malicious cyber activity, an 83% rise.
Reported cybercrime losses for businesses increased across all size bands. The average self‑reported cost of cybercrime per report for businesses rose 50% to $80,850. Small businesses reported average losses of $56,600 (up 14%), medium businesses $97,200 (up 55%), and large businesses $202,700 (up 219%). Identity fraud remained the most frequently reported cybercrime type. Critical infrastructure (CI) entities were a particular focus of malicious activity. ASD’s ACSC notified critical infrastructure organisations of potential malicious cyber activity more than 190 times in the reporting period, an increase of 111% compared with the previous year. The report notes that CI remains a target for state‑sponsored actors, cybercriminals, and hacktivists because of “large sensitive data holdings and the critical services that support Australia’s economy.”
ASD reports that malicious actors are exploiting vulnerabilities in internet‑facing devices and using “living off the land” (LOTL) tradecraft, which has led network defenders to place more emphasis on understanding normal network behaviour to detect anomalies. The agency assesses that the growing use of artificial intelligence almost certainly enables malicious actors to operate at greater scale and speed. The threat report states that businesses should operate with a mindset of “assume compromise” and identifies four “big moves” to improve defences: implement best‑practice logging, replace legacy IT, effectively manage third‑party risk, and prepare for post‑quantum cryptography. For organisations operating operational technology, ASD recommends following guidance on isolating vital systems and maintaining plans for rebuilding capabilities after an incident.
For insurers and intermediaries, the government results and threat data together indicate an environment of rising incident notifications, higher reported losses, uneven control implementation, and emerging post‑quantum and AI‑related risks. These factors are likely to influence cyber insurance pricing, coverage terms, accumulation management, and the level of scrutiny applied to controls such as incident response, logging, legacy IT management, and supply chain risk across Australian public and private sector clients.