A cyber incident is reported in Australia every six minutes, according to data cited by Gallagher. The broker says the first 48 hours after a breach are critical in determining whether damage is contained or amplified.
Gallagher’s cyber specialists note that ransomware and extortion attacks now commonly involve data exfiltration, with attackers threatening to release stolen information even after systems are restored. Restoring from backups therefore no longer ends the incident: the exfiltrated data remains a lever for extortion. That shift increases legal, regulatory and reputational exposure, turning a technical disruption into a broader business risk within days.
In this environment, decisions made early can carry long-term consequences. Organisations must assess whether data has been accessed or removed, consider notification obligations under the Privacy Act and the Notifiable Data Breaches scheme, determine how and when to communicate with stakeholders, and decide whether to engage with threat actors. According to Gallagher, these streams cannot be managed in isolation, as technical actions, public statements and regulatory disclosures can influence one another.
“Early action enables organisations to capture and preserve forensic evidence, prevent further access and data compromise and understand the situation before assumptions harden into poor decisions,” said Robyn Adcock, national placement manager, cyber & technology at Gallagher.
Gallagher advises that the immediate focus should be on stabilising operations. This includes isolating affected systems from the network (containment rather than powering machines off, which destroys volatile evidence such as memory and active connections), securing backups and credentials, preserving forensic evidence and escalating to specialist incident response providers. Establishing a clear internal decision-making structure is also considered critical to avoid fragmented or conflicting actions.
Where ransom demands are involved, specialist negotiators may be engaged to verify the attacker’s claim that systems can be decrypted (for example by testing decryption of sample files), confirm whether data has actually been exfiltrated and seek to reduce demands. Gallagher notes that some organisations restore systems independently and avoid payment, while others weigh a reduced ransom against the cost of extended downtime and regulatory exposure. Any payment decision is subject to Australian law. The Autonomous Sanctions Act 2011 and the Criminal Code prohibit providing funds to designated persons and entities or to terrorist organisations, which the guidance notes can include groups linked to modern slavery or human trafficking. Since May 2025, under the Cyber Security Act 2024, businesses with annual turnover of $3 million or more must also report any ransomware payment to the Australian Signals Directorate within 72 hours of making it.
Regulatory risk can escalate quickly if notification obligations are mishandled. Under the Privacy Act, entities must assess a suspected breach (the Notifiable Data Breaches scheme allows up to 30 days for this assessment) to determine whether it is likely to result in serious harm and, if so, notify both the Office of the Australian Information Commissioner and affected individuals as soon as practicable. Gallagher warns that delays or inconsistent messaging can increase legal and reputational exposure.
Preparation before an incident occurs is another theme in Gallagher’s guidance. Organisations with established response plans and access to specialist advisers are described as better positioned to use time and resources effectively during a crisis. Cyber insurance is framed not only as financial protection but as a mechanism for coordinated response, providing access to forensic investigators, legal advisers, crisis communications professionals and extortion negotiators. Insurers and brokers can also help ensure response steps align with policy conditions, reducing the risk of later coverage disputes.
According to Gallagher, the consistent lesson from real-world breaches is that speed, coordination and specialist input shape outcomes. For businesses operating in an environment where cyber incidents are frequent and increasingly complex, the window for decisive action may be narrow.