Most cybersecurity content tells you how to prevent an attack.
Very little tells you what to do when one actually happens. Having a clear cyber incident response plan changes that.
That gap matters. According to the ASD Annual Cyber Threat Report 2024–25, 22% of Australian SME owners were impacted by cybercrime in 2024. The average cost per incident for small businesses climbed to $56,600 — up 14% on the previous year. And those are only the reported figures.
The businesses that manage cyber incidents well tend to share one thing: they knew what to do before it happened.
This cyber incident response guide covers the five steps that matter most in the immediate aftermath of a cyber attack, including your legal obligations, how to engage your insurer, and where businesses typically go wrong.
Contain the incident first
The first priority is not to find out what happened. It is to stop it from getting worse.
Depending on the nature of the incident, this might mean:
- Isolating affected devices from the network
- Disabling compromised user accounts or email access
- Taking systems offline temporarily
- Contacting your IT provider immediately
Acting quickly here can significantly limit the spread of malware, prevent further data exfiltration, and preserve evidence for forensic investigation.
One common mistake is rebooting or wiping affected systems too quickly. This can destroy the evidence needed to understand the attack, make a claim, or meet regulatory obligations. Unless your IT team or incident response provider advises otherwise, avoid drastic action before assessment.
Notify your insurer early
If you hold cyber insurance, contacting your broker or insurer should happen within hours — not days.
This is not just good practice. Many cyber policies include notification timeframes as a condition of cover. Delayed notification can complicate a claim or, in some cases, affect whether certain costs are recoverable.
What insurers typically want to know early:
- The nature of the incident (ransomware, data breach, business email compromise, etc.)
- When it was discovered
- What systems or data appear to be affected
- What steps have already been taken
Insurers will often have their own incident response providers — forensic investigators, legal advisers, and communications specialists — who can be deployed quickly. Using insurer-approved providers is usually a requirement for those costs to be covered.
Engaging your broker early also means you have someone helping you navigate the claims process while you are managing the operational chaos of a live incident. That support has real practical value.
Understand your legal reporting obligations
Australia’s regulatory environment around cyber incidents has changed significantly. SMEs now need to be aware of two distinct reporting frameworks.
The Notifiable Data Breaches (NDB) scheme
Under the OAIC’s NDB scheme, organisations covered by the Privacy Act must notify both the OAIC and affected individuals if a data breach is likely to result in serious harm. Businesses with an annual turnover above $3 million are generally covered.
The assessment window is 30 days from becoming aware of a suspected breach. If the breach is assessed as notifiable, reporting must happen as soon as practicable. In October 2025, Australian Clinical Labs was ordered to pay $5.8 million in civil penalties after failing to meet its obligations following a data breach — a signal that enforcement is now active.
Mandatory ransomware payment reporting
Since 30 May 2025, businesses with an annual turnover of $3 million or more must report any ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making it. From 1 January 2026, the Department of Home Affairs moved to active compliance and enforcement.
This is a significant shift. Paying a ransom is no longer a quiet internal decision — it is a regulated event with a reporting obligation attached.
For businesses outside these thresholds, reporting obligations may still apply depending on industry, sector, or contractual requirements. Management liability exposures are also worth considering, particularly where directors had oversight of security systems.
Communicate carefully — with staff, clients, and suppliers
Communication during a cyber incident is one of the highest-risk elements of the response. Too little, too late, or poorly worded — and the reputational damage can exceed the operational damage.
A few principles worth applying:
- Internal first. Ensure your team understands what has happened, what they should and should not say, and who is managing the response. Confusion inside the business usually becomes confusion outside it.
- Do not over-communicate externally before you have the facts. Early statements that turn out to be inaccurate create additional problems. Legal advice before external communications is worth seeking.
- Notify affected clients and suppliers promptly once you have confirmed what data was involved. Delayed notification erodes trust more than the breach itself in many cases.
- If media contact is required, have a single spokesperson and a prepared statement. Improvised comments rarely help.
Your insurer may provide access to a communications specialist as part of your incident response support. This is worth using — particularly for client-facing businesses where trust is central to the relationship.
Document everything from the start
From the moment an incident is identified, documentation matters.
This includes:
- Timestamps of when the incident was discovered and by whom
- What actions were taken and when
- Communications sent internally and externally
- Evidence preserved from affected systems
- Costs incurred — including staff time, IT contractors, and third-party services
Thorough records support your insurance claim, assist any forensic or legal investigation, and help you demonstrate to regulators that you responded appropriately.
Businesses that manage claims well are usually those that kept clear records from the outset — not those that tried to reconstruct events weeks later.
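The log described in this section is easy to keep as a spreadsheet, but a record that can be shown to have not been altered after the fact is more useful to an insurer, investigator or regulator. The script below is an added example, not material from the original article or from Barrack: it records the items listed above (timestamp and who recorded it, actions, communications, preserved evidence, costs) and links each entry to the previous one with a SHA-256 hash, so any later edit or deletion is detectable. Field names, the incident reference and the sample entries are constructed for illustration.

```python
# Added example (not from the original article): a minimal tamper-evident
# incident log. Each entry carries the SHA-256 of the previous entry, so an
# edited or deleted entry breaks the chain and verify() reports it.
# Field names, incident reference and sample entries are constructed.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class LogEntry:
    timestamp: str            # ISO 8601, UTC
    recorded_by: str          # who wrote the entry
    category: str             # discovery | action | communication | evidence | cost
    description: str
    cost_aud: float = 0.0     # staff time, contractors, third-party services
    evidence_sha256: Optional[str] = None  # hash of a preserved artefact, if any
    prev_hash: str = GENESIS
    entry_hash: str = ""


class IncidentLog:
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[LogEntry] = []

    @staticmethod
    def _digest(entry: LogEntry) -> str:
        """SHA-256 over every field except entry_hash itself."""
        fields = asdict(entry)
        fields.pop("entry_hash")
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def add(self, recorded_by: str, category: str, description: str,
            cost_aud: float = 0.0, evidence: Optional[bytes] = None,
            when: Optional[datetime] = None) -> LogEntry:
        """Append an entry chained to the previous one; `when` defaults to now (UTC)."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ev = hashlib.sha256(evidence).hexdigest() if evidence is not None else None
        entry = LogEntry(ts, recorded_by, category, description, cost_aud, ev, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and back-link still match."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != self._digest(e):
                return False
            prev = e.entry_hash
        return True

    def total_cost(self) -> float:
        """Running total of recorded costs, for the claim."""
        return round(sum(e.cost_aud for e in self.entries), 2)

    def timeline(self) -> List[str]:
        """One line per entry, in the order recorded."""
        return [f"{e.timestamp}  [{e.category}] {e.recorded_by}: {e.description}"
                for e in self.entries]


def build_sample_log() -> IncidentLog:
    """Constructed sample entries for a fictional business email compromise."""
    t0 = datetime(2025, 3, 3, 8, 15, tzinfo=timezone.utc)
    log = IncidentLog("INC-EXAMPLE-001")  # placeholder reference
    log.add("J. Smith", "discovery",
            "Suspicious forwarding rule found on finance mailbox", when=t0)
    log.add("J. Smith", "action", "Account disabled; sign-in sessions revoked",
            when=t0.replace(minute=30))
    log.add("J. Smith", "communication",
            "Broker notified by phone; claim reference requested", when=t0.replace(hour=9))
    log.add("IT provider", "evidence", "Mailbox audit log exported and preserved",
            evidence=b"constructed placeholder for an exported audit log",
            when=t0.replace(hour=10))
    log.add("Owner", "cost", "IT provider emergency call-out", cost_aud=1250.00,
            when=t0.replace(hour=17))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(sample.timeline()))
    print(f"chain intact: {sample.verify()}, costs so far: ${sample.total_cost():,.2f}")
```

Run it as a script to print the timeline and a running cost total. Because every entry is hashed over its own fields plus the previous entry's hash, changing the wording of an earlier action or removing an entry makes `verify()` return False; keep the completed log alongside the preserved evidence it references, since the `evidence_sha256` value lets an investigator confirm the exported artefact is the one that was recorded at the time.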
What a cyber incident response plan should include
Effective cyber incident response starts before the incident. The steps above are easier to execute when they are already mapped out.
A basic cyber incident response plan for an SME should cover:
- Who is responsible for leading the response
- After-hours contact details for your IT provider, insurer, and broker
- A list of systems and data that would need to be assessed in an incident
- Pre-approved communication templates for staff, clients, and suppliers
- A log template for documenting the incident as it unfolds
- Clarity on reporting obligations relevant to your business size and sector
A plan does not need to be complex. It needs to be accessible and understood by the people who would use it under pressure.
If your business does not have a cyber incident response plan, or if your current cyber cover has not been reviewed recently, it may be worth a conversation with our team. Get in touch with Barrack here.
FAQs
What should a small business do first after a cyber attack?
Contain the incident — isolate affected devices, disable compromised accounts, and contact your IT provider. Then notify your insurance broker or insurer as early as possible. This is the foundation of any effective cyber incident response.
Does my business have to report a cyber attack in Australia?
It depends on your turnover and the nature of the incident. Businesses covered by the Privacy Act with turnover above $3 million may need to notify the OAIC under the Notifiable Data Breaches scheme. Ransomware payment reporting is also now mandatory for businesses above that threshold under the Cyber Security Act 2024.
Will my cyber insurance cover a ransomware attack?
Cyber policies vary significantly. Some cover ransom payments, extortion costs, and business interruption. Others include sub-limits or exclusions for certain scenarios. It is worth reviewing your policy wording with your broker before an incident occurs.
How long do I have to report a data breach in Australia?
Under the NDB scheme, you have 30 days to assess whether a breach is notifiable. If it is, you must report to the OAIC and notify affected individuals as soon as practicable. Ransomware payments must be reported to the ASD within 72 hours of payment.
What is the cost of a cyber attack for an Australian small business?
The average self-reported cost of a cybercrime incident for small businesses in 2024–25 was $56,600, according to the ASD Annual Cyber Threat Report. Costs include IT recovery, business interruption, legal advice, and client notification — not just direct financial loss.