Australia is living through a cybersecurity reckoning. In the span of less than three years, the personal data of tens of millions of Australians has been stolen, companies have gone into administration, executives have resigned, and regulators have launched federal court proceedings. Furthermore, our threat intelligence authority has confirmed that the frequency of ransomware attacks, data breaches, and average financial losses are all increasing simultaneously.
The threat from cybercrime continues to challenge Australia’s economic and social prosperity, with average reported financial losses, ransomware attack frequency, and the number of reported data breaches all increasing throughout FY25. For finance and commercial leaders in Australia’s mid-market (companies operating between roughly $10 million and $500 million in annual revenue), cybercrime is a direct and material threat to enterprise value, balance sheet stability, and director accountability.
The question is no longer whether cybersecurity deserves a seat at the finance table. It is whether finance leaders are equipped to fill it.
The scale of the problem is now undeniable
The statistics that define Australia’s current cyber threat environment are sobering. In FY24, there were 87,400 cybercrime reports. That is one every six minutes. Most crimes aren’t even reported due to embarrassment, reputation management, and potential legal or regulatory liability. And the self-reported cost of cybercrime for individuals rose 17% to an average of $30,700 per report. These are not enterprise-only numbers. They represent a pervasive and accelerating threat that touches organisations of every scale. The Australian Signals Directorate’s Australian Cyber Security Centre responded to over 1,200 cybersecurity incidents in FY25, an 11% increase on the prior year. Business Email Compromise (BEC), one of the most financially devastating attack types for mid-market companies, remains a standout concern. In FY24, total self-reported BEC losses to ReportCyber were almost $84 million, with over 1,400 confirmed reports resulting in financial losses and an average loss per incident of more than $55,000.
The data breach environment is equally stark. According to the OAIC, a total of 1,113 data breaches were reported in 2024, the highest since the Notifiable Data Breaches scheme came into effect in 2018, representing a 25% increase on 2023.
Malicious or criminal attacks accounted for 69% of all notifications in the second half of 2024. For finance leaders seeking to understand the risk landscape they are operating in, these are not abstract threat intelligence reports. They are the documented baseline of what Australian organisations face every day.
Australia’s largest breaches are a masterclass in financial consequence
The most important case studies for mid-market finance leaders are not from Silicon Valley. They are from Australian corporate history, and they carry direct lessons about what happens when cybersecurity investment fails to match the scale of the risk it seeks to mitigate.
The Optus breach of September 2022 remains the most visible starting point. The breach affected up to 10 million current and former customers, approximately a third of Australia’s population, and exposed names, dates of birth, addresses, phone numbers, and passport and driver’s licence numbers. The OAIC subsequently sued Optus, alleging that it did not take reasonable steps to protect the data of 9.5 million customers, and Optus also faced a class action from affected customers and separate proceedings from the Australian Communications and Media Authority (ACMA).
Medibank followed months later. The OAIC alleges that Medibank failed to take reasonable steps to protect the personal information of 9.7 million Australians, despite generating revenue of $7.1 billion and a profit of $560 million in the year of the breach.
The financial aftermath has been severe. Medibank is expected to incur costs exceeding $125 million, excluding potential civil penalties. The Australian Prudential Regulation Authority (APRA) required the company to set aside $250 million as additional capital, a punitive measure specifically designed to compel Medibank to accelerate its remediation program, and one that represented close to a quarter of the group’s total health insurance-related capital at the time. This was not merely a compliance cost. Locking $250 million into a regulatory capital buffer stripped Medibank of the financial flexibility it would otherwise have had to deploy capital opportunistically. In a market where cost-of-living pressures were forcing weaker health insurers into stress, Medibank’s constrained balance sheet limited its capacity to pursue acquisitions of struggling competitors, the kind of counter-cyclical consolidation move that a well-capitalised insurer would typically use to accelerate market share growth. The capital was not lost, but it was neutralised as a strategic asset for the duration of the remediation period.
Critically, the Australian Information Commissioner told the court that Medibank’s cybersecurity budget was just $1 million in 2022, against revenue of $7.1 billion, a ratio that no finance leader in the mid-market should look at without asking the same question of their own organisation.
Latitude Financial brought the crisis into the heart of the financial services sector. In March 2023, the non-bank lender suffered a breach affecting up to 14 million customers, with the company subsequently reporting $76 million in pre-tax costs and provisions and a statutory after-tax loss of $98.2 million for the first half of 2023.
New account originations and collections were closed or severely restricted for approximately five weeks, resulting in a sustained loss of income before operations were restored. And in 2024, the MediSecure ransomware attack impacted approximately 12.9 million Australians, releasing sensitive personal and health information, including Medicare card numbers and prescription details, to the dark web, before the company entered voluntary administration, unable to meet the costs of investigation and response.
These are not edge cases or cautionary tales from overseas. They are Australian events, affecting Australian customers, generating Australian regulatory proceedings, and destroying Australian shareholder value.
The finance sector is specifically and persistently targeted
Mid-market finance and commercial leaders often assume that sector-level risk applies primarily to the banking giants. The data contradicts that assumption. In the January-June 2025 reporting period, the finance sector reported the second-highest number of data breaches of any industry in Australia, accounting for 14% of all notifications, behind only health services.
Banking, financial services, and insurance held 29.73% of total Australian cybersecurity spending in 2025. This is a reflection not of enthusiasm for technology investment, but of the elevated threat environment the sector operates within.
Meanwhile, 87% of Australian and New Zealand respondents in Gartner’s annual survey of CIOs and technology executives said cybersecurity would receive their largest increase in technology investment in 2024, up from 62% in 2023. Finance leaders in the mid-market who are not making parallel moves risk falling behind both the regulatory expectation and the threat curve at the same time. The finance sector’s data (payment credentials, lending records, superannuation balances, and credit histories) is among the most monetisable data available to cybercriminals. The mid-market finance company that holds this data without enterprise-grade controls is, in effect, subsidising criminal activity with inadequate protection.
Regulation is rapidly reshaping the liability landscape
The regulatory environment governing cybersecurity and data protection in Australia has undergone a material shift, and mid-market finance leaders need to understand the personal and commercial exposure this creates. The Privacy Act amendments of December 2022 increased the maximum penalty for serious or repeated privacy breaches to $50 million, or three times the value of the benefit obtained, or 30% of adjusted turnover, whichever is greater. APRA’s CPS 234 Information Security standard requires regulated entities to maintain information security capabilities commensurate with the size and extent of threats they face. The Security of Critical Infrastructure Act now extends to a broadening range of sectors and supply chain participants.
For mid-market companies embedded in financial services supply chains, as payment processors, software vendors, mortgage brokers, or data custodians, this regulatory perimeter is expanding directly towards them. Across the 2024 calendar year, data breach notifications to the OAIC were up 25% year on year, and health service providers, the financial sector, and Australian government agencies were the sectors most likely to notify of a breach and most likely to be the subject of a complaint.
Enforcement is no longer theoretical. The OAIC is in the Federal Court against both Optus and Medibank. APRA is issuing capital penalties. Class actions are proceeding. Finance leaders who treat compliance as an IT governance checkbox are accumulating legal risk that belongs squarely on the risk register they are responsible for.
Investment must be proportionate, and framed as risk management
The good news is that Australia is investing. According to Gartner, Australian organisations are forecast to spend more than AU$7.5 billion on information security in 2026, an increase of 9.5% from 2025, itself a year that saw spending grow 14.4% to almost AU$6.2 billion. The Australian Government has committed $15-20 billion to cyber domain capabilities through 2033-34 as part of the Integrated Investment Program. But at the mid-market level, the investment discipline is frequently absent. Security budgets are often set as a percentage of IT spend, or inherited from the previous year, rather than calibrated to actual risk exposure.
The Medibank example is instructive in the starkest possible terms. A cybersecurity budget of $1 million against revenue of $7.1 billion produced a $125 million remediation bill, APRA-mandated capital reserves of $250 million, and ongoing Federal Court proceedings. The ratio of prevention to consequence is not academic. Finance leaders who apply rigorous return-on-investment thinking to every other category of capital expenditure owe the same discipline to cybersecurity. That means quantifying risk in dollar terms, tying security spending to specific threat scenarios, and treating the residual risk as a line item that belongs in board papers alongside every other material financial exposure.
Conclusion
Australia’s mid-market sits at a genuinely dangerous intersection.
Companies are large enough to hold valuable, regulated data, complex enough to have supply chain dependencies that create third-party attack vectors, and frequently under-resourced relative to the threats they face.
The breaches that have defined Australia’s cybersecurity decade (Optus, Medibank, Latitude) share a common thread: the financial cost of the event vastly exceeded any plausible investment in prevention. For finance leaders in mid-market organisations, the imperative is clear. Cybersecurity is not an IT matter that occasionally reaches the CFO’s desk. It is a category of financial risk that demands the same structured governance, measurable controls, and board-level accountability as credit risk, liquidity risk, or regulatory compliance. The organisations that recognise this will be better positioned. The ones that do not are accumulating a liability they have simply not yet disclosed.
Next Steps
Three actions are worth prioritising immediately.
First, request a gap analysis between your current organisational alignment and APRA’s CPS 234 requirements, even if your organisation is not currently APRA-regulated. The standard represents the clearest available benchmark for adequate information security governance in a financial services context.
Second, translate your cyber risk exposure into financial terms: model the direct and indirect costs of a plausible breach scenario across remediation, regulatory fines, business interruption, and reputational impact, and present this to your board in the same language as your other material risks.
Third, review your cyber insurance policy in detail, specifically the exclusions, the conditions precedent around multifactor authentication and incident response planning, and whether the coverage limit reflects your actual exposure. Australia’s insurers are rapidly hardening terms, and the gap between what a policy promises and what it pays is often discovered too late.
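The second action above asks for breach costs to be modelled in dollar terms. As an added illustration that is not part of the original article, the following Python script runs a small Monte Carlo model of a Business Email Compromise scenario: the $55,000 median direct loss echoes the article’s FY24 average BEC loss, while the event frequency, the remediation and interruption cost components, and the assumed effect of a control (halving event frequency) are constructed assumptions for illustration only.

```python
import math
import random
import statistics

# Constructed BEC scenario: only the $55,000 figure comes from the article; the rest is assumed.
SCENARIO = {
    "events_per_year": 0.4,            # assumed: roughly one successful BEC every 2.5 years
    "direct_loss_median": 55_000,      # article figure (average loss per BEC incident, FY24)
    "direct_loss_sigma": 1.0,          # assumed log-normal spread of the diverted payment
    "remediation_median": 120_000,     # assumed forensics, legal and notification cost
    "remediation_sigma": 0.6,          # assumed spread
    "interruption_days": (0, 10),      # assumed range of days that payments are frozen
    "revenue_per_day": 80_000,         # assumed: a business with ~$29m annual revenue
}

def poisson(rate, rng):
    """Sample the number of incidents in one year (Knuth's method, standard library only)."""
    limit, k, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_year(s, rng):
    """Total loss in one simulated year: direct fraud + remediation + business interruption."""
    total = 0.0
    for _ in range(poisson(s["events_per_year"], rng)):
        direct = rng.lognormvariate(math.log(s["direct_loss_median"]), s["direct_loss_sigma"])
        remediation = rng.lognormvariate(math.log(s["remediation_median"]), s["remediation_sigma"])
        days_down = rng.uniform(*s["interruption_days"])
        total += direct + remediation + days_down * s["revenue_per_day"]
    return total

def quantify(s, years=20_000, seed=1):
    """Annualised loss expectancy (ALE), the 95th-percentile year, and P(any loss in a year)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "ale": statistics.fmean(losses),
        "p95": losses[int(0.95 * years)],
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
    }

def control_case(s, annual_spend, frequency_reduction, seed=1):
    """ALE before and after a control (e.g. MFA plus payment call-backs) assumed to cut frequency."""
    reduced = dict(s, events_per_year=s["events_per_year"] * (1 - frequency_reduction))
    before, after = quantify(s, seed=seed)["ale"], quantify(reduced, seed=seed)["ale"]
    return {"ale_before": before, "ale_after": after, "net_benefit": before - after - annual_spend}
```

The `ale` and `p95` figures are the numbers that belong in a board paper; `net_benefit` turns a proposed control into the same cost-versus-benefit framing used for any other capital request.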
Let’s connect.
If you have made it this far, you are probably already asking the right questions. You may not have someone to think them through with yet. I started Galah Cyber because I kept seeing the same pattern: smart, capable business leaders who understood risk deeply but had never had a straight conversation about what their cyber exposure actually looked like in dollar terms.
I genuinely enjoy those conversations. If you want to grab a coffee and talk through where your organisation stands, please reach out and let’s find time. No presentation deck. No sales pitch. Just an honest discussion.