Australia is doubling down on efforts to protect the economy from cyber attacks, but what should the financial services sector be doing? Cyber resilience company Rubrik reveals more.
In its latest corporate plan, the Australian Prudential Regulation Authority (APRA) highlighted cyber resilience as one of the strategic priorities on which it will heighten regulatory focus. The announcement came just months after APRA released an open letter to Australia’s financial sector, saying it had “observed weakness in the use of data backups to protect an entity against data loss”.
The government has also been working hard to bolster cyber security. On the legislative side, Cyber Security Minister, Tony Burke, introduced Australia’s first stand-alone Cyber Security Act (which passed last month) that forces critical infrastructure providers – including some financial services institutions (FSI) – to overhaul deficient risk management programs.
David Rajkovic, the managing director of cyber resilience company Rubrik A/NZ, has said that as the operating landscape is changing so fast, members of the finance industry need to understand the drivers, implications, and compliance strategies behind Australia’s enhanced regulatory regime.
He said: “Australia is not alone in mandating greater cyber resilience in its financial services sector. While APRA has highlighted the area as one of increased focus, more prescriptive guidance is needed on what ‘good’ cyber resilience looks like.
“Internationally, for example, the UK’s financial regulator has taken a more detailed approach. It has similarly highlighted cyber resilience as a key focus area and also introduced a March 2025 deadline for organisations under its purview to demonstrate resilience of ‘Important Business Services’.
“Critically, these systems are stress-tested with simulated attacks to gauge the effectiveness of any resilience strategy. While matching the pace of international regulatory action might be behind APRA’s increased focus, the reality of cyber activity on home soil can’t be ignored.”
Indeed, the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches report found that the financial services sector experienced the third-highest number of data breaches in the first half of this year, behind only healthcare and the public sector.
“It is clear financial institutions are major targets of cyber attack groups. With international regulators taking the initiative to safeguard critical payment infrastructure, APRA would be remiss if it didn’t follow suit,” Rajkovic said.
However, he said that there has been a shift in the expectations around cyber resilience, with the regulatory focus on recovery suggesting that it is impossible to stop every single attack.
“Organisations now need to adopt an ‘assumed breach mindset’ and prove their ability to rapidly recover critical operations following an attack,” he said.
Rubrik’s A/NZ MD said there were five key questions leaders need to rapidly answer in the event of an incident.
Can we recover?
“This question can be hard to answer. Attackers know the only thing standing between them and a successful ransom is their victim’s backup data and recovery capability. In fact, recent research found 99 per cent of organisations reported malicious actors attempting to impact data backups during a cyberattack,” Rajkovic said.
What do we recover?
“Understanding the full blast radius of an attack and exactly what data has been encrypted is key for recovery procedures to begin as soon as possible,” he said.
How far back do you need to go to find a clean copy of that data?
“Finding a clean recovery point should also include a comprehensive scan of the backup data for indicators of compromise to ensure the organisation isn’t re-infected with the same malware,” Rajkovic said.
What was stolen?
While large-scale data encryption can severely disrupt operations, it is also important to know that attackers increasingly opt for double extortion attacks where data is both encrypted and stolen, Rajkovic said.
“Knowing whether sensitive data was taken means impacted stakeholders can be notified as soon as possible.”
How long will it take?
The final and perhaps most crucial thing to know is how long recovery will take, according to the cyber specialist.
He said: “For business-critical systems, recovery plans need to be regularly tested, proven and documented, with automation supporting both simulated scenarios and the acceleration of actual recovery wherever possible.
“If any of these are unknown, so too is the organisation’s ability to recover – not just from cyber incidents, but from outages, cloud instance failures, and even insider threats. These unknowns add to the time that will be needed to recover. The critical thing to consider is the tolerance of the business function to an extended outage.”
As well as considering the above questions, Rubrik A/NZ’s MD said that organisations should also consider the ‘Minimum Viable Business’ (MVB) strategy to surpass current regulations and the stricter standards many expect in the future.
An MVB represents the smallest version of a business that still fulfils the critical value-generating activities while dealing with unexpected business interruptions. The applications and data required to execute these functions would have greater protections and more sophisticated recovery plans to ensure they could be brought back online as soon as possible.
“For financial services institutions, this means maintaining core functions and services necessary for operational continuity during disruptions. Banks, for example, might prioritise essential services such as deposit and withdrawal processing, payment systems, and basic lending. This ensures critical financial services remain available to customers, maintaining trust and stability in the financial system,” he said.
“Ultimately, recent attacks and widespread outages have exposed the consequences of mass data loss. Minimising the impact of future attacks, particularly as geopolitical tensions rise, is a priority for regulators and legislators – so it should be a priority for business leaders too.”