Cyber visibility high, recovery plans missing across Australia

2026 focus stays on monitoring as burnout and gaps grow

By Roxanne Libatique

Australian organisations report greater capability to identify and prioritise cyber threats, but many still lack tested plans to restore operations after a major incident, with implications for insurers and intermediaries focused on business interruption and operational resilience.

Detection capability outpaces continuity planning

Datacom’s 2026 Cybersecurity Index, based on research conducted by Omdia in November 2025 with 506 Australian security leaders, finds that most organisations are confident in their ability to monitor cyber risk, but fewer have structured approaches to recovery. According to the index, 77% of security leaders believe they have sufficient visibility across risks, vulnerabilities, and compliance, and 70% say they have the resources to respond to a cyberattack. In contrast, only 32% of organisations report having a formal business continuity or cyber incident response plan. Among large enterprises, this rises to 36%, while for small and mid-sized businesses it falls to 29%. “Australian organisations have built powerful radar, but many still lack a safe runway when an incident hits. The focus must shift from ‘monitor and escalate’ to ‘engineer and stabilise.’ Resilience is now the differentiator – rehearsed response, clear delegations, and time to recovery metrics that business leaders understand,” said Mark Hile, managing director, infrastructure products, Datacom.

Datacom’s analysis indicates that many organisations expect to be fully operational within days of a serious incident, yet actual recovery time for complex events can extend into weeks or months. The report links extended disruption to untested plans, fragmented security tooling, limited visibility across supply chains, and unclear decision-making structures during crises, rather than to gaps in alerting. “What separates organisations that recover in days from those that take months isn’t detection capability – it’s practice. A plan that’s never been tested isn’t a plan. Regular exercises build muscle memory, so response becomes automatic, coordinated, and fast in the event of a cyber incident,” said Datacom chief information security officer Collin Penman.

Operational capability grows, but resilience lags

The index notes that many Australian organisations have developed structured day-to-day security operations. Just over half of respondents rated themselves as “proactive and optimised” or “fully optimised and continuously improving” in areas such as Threat Informed Defence (51%) and cyber intelligence-driven prioritisation (51%). Automation is common across incident workflows. Datacom reports that 97% of organisations have partial or full automation in incident detection and response. The company says this level of automation means organisations are positioned to adopt AI-enabled cybersecurity tools, including autonomous investigation agents, orchestration capabilities, and decision-support systems for analysts.

According to Datacom, these tools can help turn alerts into coordinated action by stabilising systems during disruption, supporting cross-team response and contributing to shorter recovery times when incidents occur. At the same time, the report suggests resilience is not yet embedded as a design and testing principle in many environments. Datacom outlines a series of measures it considers important for “real” cyber resilience, including designing for failure rather than assuming prevention, focusing board reporting on outcomes such as containment and stabilisation time, planning with longer recovery windows in mind, testing recovery under realistic conditions, investing in modern backup and restoration environments, automating containment and restoration workflows, involving external partners in recovery planning, and treating AI as a resilience design issue from the outset.

Data sovereignty concerns and operating model changes

Data sovereignty is described in the index as a key consideration, particularly for organisations in regulated sectors, including entities captured by the Security of Critical Infrastructure Act. The report finds that 65% of Australian organisations are concerned about data sovereignty and the long-term availability of in-country AI compute capacity. Despite these concerns, Datacom notes limited large-scale movement away from offshore platforms and characterises government responses as more measured than in regions such as the European Union or South Korea. “Sovereignty is no longer a theoretical conversation – it’s a practical risk assessment. Australian organisations want confidence that their data, their compute capacity, and their critical workloads will remain available and under their control, regardless of what happens globally. The answer isn’t isolation; it’s smart partnership, combining local infrastructure, trusted regional capability, and global technologies engineered for resilience,” Hile said.

The index also highlights shifts in security operating models. Reported use of managed security service providers (MSSPs) has moved from 55% to 45%, suggesting fewer organisations are relying on traditional, fully outsourced approaches. Datacom expects more co-sourced, automated security operations centres to sit alongside internal teams, rather than replacing them. Security priorities heading into 2026 are reported as stable: threat detection and monitoring, employee culture and training, and data protection remain at the top of the agenda. However, the finding that only 32% of organisations have tested continuity or incident response plans underlines the resilience gap identified in the report. Responsibility for cybersecurity continues to sit mainly within IT and security teams, and Datacom notes that 36% of Australian security leaders report burnout in their teams, driven by event volume, compliance requirements, and limited staffing.

Findings align with insurance market insights

The index’s conclusions align with how many insurers and intermediaries describe current cyber risk trends in Australia, particularly around the move from viewing cyber cover as a pure risk transfer instrument toward broader discussions of operational resilience and financial impact. In comments issued to Insurance Business, Robyn Adcock, national placement manager cyber and technology at Gallagher, said: “The gap between perceived and actual cyber risk is narrowing. What was once largely a discussion about risk transfer and appropriate coverage matured into conversation about operational resilience. Today, Gallagher spends significant time working with clients to not only identify risks to critical data and systems, but evaluate impacts to revenue, cash flow, and profitability when those systems are disrupted.” Adcock said underwriting approaches across the market vary, with some insurers maintaining detailed technical assessments and control expectations, while others pursue lower-friction entry points. In this environment, she said, the way cyber risk is described and evidenced can influence capacity, pricing stability, and claims outcomes, with brokers often interpreting between technical security measures and commercial terms.

On the insurer side, QBE reports that many incidents continue to be initiated through identity compromise and human behaviour, including phishing, credential misuse, and basic access control weaknesses. Ransomware remains a major driver of incidents in QBE’s data, and its threat intelligence places Australia as the ninth most targeted country for ransomware attacks. In comments issued to Insurance Business, Ben Richardson, cyber product lead, QBE Insurance Australia, said: “A consistent theme we’re seeing in our global threat intelligence is that cyber incidents are still being enabled by human behaviour and identity compromise. Phishing, credential misuse, and basic access weaknesses remain common entry points.”

Richardson said that once attackers gain access, incidents can escalate quickly, which places emphasis on governance, preparedness, and clarity of decision-making as key factors shaping severity, containment, and recovery. He added that insurers can contribute before an incident occurs through services such as threat intelligence insights, governance guidance, and executive tabletop exercises, and that when an incident does occur, cyber cover can provide both financial support and access to specialist legal, technical, and response resources.
