
A cyber incident is reported in Australia every six minutes¹. When a cyber breach hits, time becomes a significant risk factor.

Ransomware, extortion and data exfiltration events can quickly spread, with the delay between detection and action typically determining the scale of damage. Therefore, the first 48 hours are crucial, when organisations can either limit damage or lose control of the situation.

So, what are the best steps to take if your company falls victim to a cyberattack?

The first 48 hours: When a cyber breach becomes a business-wide issue

Extortion and ransomware incidents involve data exfiltration, in which attackers threaten to release sensitive data even after systems are restored. This introduces legal, regulatory and reputational risks that can quickly spiral. To contain the damage, the situation demands coordinated leadership and specialist support within the first 48 hours of the incident.

During this phase, organisations need to make difficult and time-sensitive calls to determine:

  • Whether data has been accessed or removed
  • If and when regulators need to be notified
  • How to communicate the threat internally and externally
  • Whether to engage with threat actors, and how.

These decisions are interconnected — what you communicate publicly can affect negotiations and your technical actions can affect regulatory outcomes. Without coordination, actions in one area can undermine the actions in another.

Expert's advice on the immediate actions that matter most

In the first few hours after a breach is identified, business leaders should focus on setting clear and disciplined priorities. The goal is to stabilise the situation. Key actions could be:

  • Isolating affected systems to prevent further spread
  • Securing backups and access credentials
  • Preserving logs and evidence for forensic investigation
  • Escalating to specialist incident response support
  • Establishing a clear decision-making structure internally.

Early action enables organisations to capture and preserve forensic evidence, prevent further access and data compromise and understand the situation before assumptions harden into poor decisions.
Robyn Adcock, national placement manager, Cyber & Technology, Gallagher

Specialist negotiators work to slow down the situation, validate whether attackers can actually decrypt systems, confirm whether data has been stolen and reduce ransom demands. Skilled negotiation can bring down the inflated ransom amount or remove some extortion elements altogether.

In some cases, organisations successfully recover systems independently and avoid payment. In others, paying a reduced ransom becomes a commercial decision when weighed against the costs of prolonged downtime, regulatory exposure and reputational damage. However, this decision is governed by laws.

Under the Autonomous Sanctions Act 2011 and the Criminal Code, it is illegal to provide funds to designated individuals or terrorist groups — including those involved in modern slavery or human trafficking².

Furthermore, as of May 2025, any Australian business with an annual turnover of $3 million or more that chooses to make a payment must report it to the Australian Signals Directorate (ASD) within 72 hours³. Thus, making the right decisions involves having as much information as possible and the right specialists in place to support and advise.

Cyber incidents often escalate into regulatory issues in Australia. Under the Privacy Act, organisations must assess and report significant data breaches to both the regulator via the Notifiable Data Breaches scheme and any affected individuals as soon as possible⁴. Poor handling of this compulsory notification process can lead to increased regulatory risk, legal exposure and long-term reputational harm.

There are additional regulatory considerations as new laws come into place. New mandatory security standards for internet of things (IoT) devices now require manufacturers to eliminate default passwords and provide clear paths for security updates⁵.

Communication is a critical part of cyber incident response management. Messaging to staff, customers, suppliers and regulators needs to be coordinated, accurate and timely to satisfy regulatory obligations, provide appropriate information and mitigate reputational fallout. Many cyber insurance responses include access to crisis communications specialists to help manage this risk.

In July 2025, an Australian telecommunications provider confirmed a breach affecting 5.7 million customers. The attack targeted a third-party customer service platform used by a call centre⁶.

Tactic: Scammers used AI-powered voice phishing to impersonate IT staff and trick employees into granting system access. While financial data remained secure, hackers exfiltrated names, birth dates and frequent flyer travel histories.

Takeaway: Modern hackers don't typically 'break in' with code; they 'log in' with stolen personas. Your strongest firewall isn't just a piece of software; it's business-wide awareness and a staff team trained to pause when a digital request demands urgency without a secondary confirmation.

How cyber risk preparation changes outcomes

The possibility of a cyberattack has increased over time, and what separates resilient organisations from vulnerable ones is the capability to take swift, meaningful action during a crisis. Experts advise that immediate action is critical in a cyber incident.

Real-world cyber incidents show a consistent pattern:

  • Companies with a clear cyber response plan make good use of time and resources.
  • Companies with specialist support make informed decisions.
  • Companies with cyber insurance typically avoid prolonged downtime and incur lower total losses.

Understanding the real pressures of a cyber breach and planning for them before a loss occurs enables businesses to respond more effectively when it matters most. Drawing on the expertise within the insurance relationship can help stress-test incident response plans and identify gaps in cover.

The role of insurance in accelerating response

Cyber insurance plays a central role in the event of a breach — not just as financial protection, but as a response mechanism. Through insurer-led incident response services, organisations gain immediate access to experienced forensic teams, legal advisers, crisis communications specialists and extortion negotiators. This coordinated approach reduces fragmentation at a time when clarity is essential.

Insurers and brokers also help ensure cyber response actions align with policy conditions, reducing the risk of coverage disputes later. Just as importantly, they keep the focus on recovery — limiting business interruption, managing third-party exposure and supporting post-incident remediation.

Achieving cyber resilience calls for cyber risk insurance coverage that can be tailored to respond with speed to complex security issues.

This might include access to damage limitation experts and forensic analysis, regulatory compliance and systems support to enable return to normal operations as quickly as possible.

The first 48 hours after a cyber breach are often the most decisive. This is the window when fast, coordinated action can contain damage, protect your data and limit disruption to your business.

Our team works with you long before an incident occurs. We help you assess vulnerabilities, strengthen your cyber risk management practices and design insurance cover that reflects how your business actually operates. If a breach does happen, we can connect you quickly with trusted specialists in incident response, legal guidance and digital forensics to support an effective recovery.

Having the right plan and the right partners ready before an incident occurs makes all the difference. Whether you are a small business or a global organisation, we can help you prepare, respond and recover without unnecessary complexity or one-size-fits-all solutions.


Sources

¹ "Annual Cyber Threat Report 2024-2025," Australian Government, 14 Oct 2025.

² "Autonomous Sanctions Act 2011," Australian Government, 9 Apr 2024.

³ Hunwicks, Steven. "Australia's mandatory ransomware payment reporting rules: What your organisation needs to know," Thomas Geer, 16 Oct 2025.

⁴ "Part 4: Notifiable Data Breach (NDB) Scheme," Australian Government, accessed 9 Jan 2026.

⁵ "Security Standards for Smart Devices," Australian Government, 11 Dec 2025.

⁶ Ann-Marie. "Qantas Trims Exec Bonuses After Data Breach Despite Record Profits," Tech Informed, 8 Sept 2025.

