A cyber incident is a legal event. The obligations it triggers, the liability it creates and the regulatory scrutiny it attracts are determined by what the contracts say, what the governance frameworks require and what decisions are made in the hours immediately following. Preparedness is a legal function. Response is a legal function. The technical workstream and the legal workstream must run in parallel from the outset.
We advise boards, executives, regulated entities, major corporates, government agencies and infrastructure operators before, during and after cyber incidents. The work spans governance and readiness, incident response and crisis management, regulatory engagement across multiple frameworks simultaneously, and the insurance and liability consequences that follow. Clients include organisations in financial services, healthcare, critical infrastructure, government, media, technology and defence, where the consequences of incidents extend well beyond the systems affected.
Areas of expertise
Cyber risk is a governance obligation, not only a technical one. Boards carry specific responsibilities for cyber risk oversight, and regulators including APRA, the Australian Signals Directorate, Critical Infrastructure Security Centre, and the OAIC assess governance frameworks when determining enforcement responses to incidents. The adequacy of what was in place before the incident is the first question asked after it.
We advise boards and senior management on establishing and maintaining cyber governance frameworks that satisfy regulatory requirements across the Privacy Act, the Security of Critical Infrastructure Act, the Cyber Security Act 2024 (Cth), and APRA's prudential standards including CPS 234. Work covers cybersecurity policies, board-level reporting structures, escalation protocols, vendor and supply chain risk management, and the governance arrangements required for AI deployment and emerging technology where cybersecurity risk intersects with data protection and automated decision-making accountability. Clients include major corporations, regulated financial institutions, government agencies and critical infrastructure operators subject to multiple overlapping frameworks.
The legal workstream of a cyber incident begins at detection. Privilege must be established over forensic investigation materials before external advisors are engaged. Breach assessment, evidence preservation, notification timing and regulator engagement must be managed simultaneously. Decisions made in the first 24 to 72 hours determine the regulatory and litigation exposure for months that follow.
We lead the legal response to cyber incidents including data breaches, ransomware attacks, system compromises and supply chain intrusions. Work covers breach assessment under the critical cybersecurity incident or ransomware payment (cyber extortion) notification schemes, evidence preservation, privilege protection over forensic materials, coordination with technical advisors, insurers, communications teams and executive management, and preparation for regulatory engagement before formal notification is made. The approach integrates the legal workstream with the operational response, ensuring every decision is made with awareness of the regulatory and litigation risk it carries.
Cybersecurity obligations in Australia are layered across multiple frameworks and regulators. The Privacy Act, the Security of Critical Infrastructure Act, the Telecommunications Act, APRA's CPS 234, the Cyber Security Act 2024 and sector-specific obligations in financial services, health and government apply concurrently to many organisations. Compliance is not a single program. Enforcement responses require coordinating legal positions across regulators whose interests and disclosure requirements are not always aligned.
We advise on compliance program design across the full regulatory landscape, on regulatory engagement strategy and on responses to investigation and enforcement action. We represent organisations responding to investigation and enforcement by the OAIC, APRA and the Australian Signals Directorate. Post-incident regulatory engagement is among the most complex work in this space: the positions taken with one regulator affect the positions available with another, and the disclosure required by one may create exposure before another. This practice has particular depth in financial services and government, where cyber obligations carry the highest regulatory scrutiny and the consequences of enforcement are most severe.
Cyber insurance is a significant and often contested financial resource in the aftermath of an incident. Policy terms are drafted before the incident occurs; coverage disputes arise after it, when the cost is known and the insurer's position has hardened. The interaction between the insurance claim, the regulatory investigation and any third-party liability exposure requires careful management from the outset.
We advise on cyber insurance coverage including notifying insurers, formulating claims strategies and managing coverage disputes where policy terms are contested following a breach or ransomware event. Work also covers third-party liability exposures arising from cyber incidents: customer claims, contractual indemnities, class action exposure and regulatory penalties. We work closely with the Insurance and Risk practice on policy interpretation and claims management, and with the Arbitration, Litigation and Dispute Resolution and Class Actions practices where coverage or liability disputes require contested proceedings. Cyber insurance obligations are also addressed at transaction stage in technology procurement contracts, SaaS agreements and supply chain arrangements, where the allocation of cyber risk between parties determines coverage adequacy when an incident occurs.
Thomsons advises the world’s leading companies on cybersecurity and legal architecture for blockchain and digital asset systems, treating protocol design and cyber‑risk as a single compliance and operational problem. We design incident response and breach‑notification playbooks, key and wallet‑management policies, encryption and supply‑chain controls, and resilience measures that meet data‑protection, critical‑infrastructure and sectoral regulator expectations. We align token and product classification with sanctions / cross‑border data flows, and structure intellectual property (IP) rights, licence and liability allocations for smart contracts, node operators, custodians and protocol contributors. We stress‑test governance, disclosure and (when necessary) remediation pathways pre‑deployment to reduce regulatory and enforcement risk and to secure scalable market access.
Advised a regulated financial services entity on post-incident engagement with the OAIC and prudential regulators following a cybersecurity event. Work focused on strengthening cyber governance and compliance frameworks in response to regulator feedback, and managing the entity's ongoing obligations under APRA's CPS 234 cybersecurity requirements through the post-incident period.
Infrastructure operator – Ransomware attack and cyber insurance claim
Advised an infrastructure operator on cyber insurance coverage and claims following a ransomware attack that affected operational systems. Work covered advocating for coverage under the policy, managing the interaction between the insurance claim and ongoing regulatory obligations, coordinating with forensic investigators and managing the overall recovery strategy.
Government procurement – Cybersecurity and data protection requirements
Advised on the development of cybersecurity and data protection requirements for major government procurement contracts. Work covered risk allocation in technology supply agreements, vendor compliance obligations and security-by-design requirements in ICT contracting frameworks. The practice regularly advises Commonwealth and state agencies on cybersecurity requirements in technology procurement, including ASIC's evidence management platform procurement and the Australian Taxation Office's A$560 million next-generation contact centre program.
Artrya – Cross-border data and cybersecurity compliance
Advised Australian AI health company Artrya on a cross-border data agreement for EU medical datasets underpinning AI research and regulatory pipeline development, requiring privacy compliance, cross-jurisdictional IP structuring and cybersecurity obligations across Australian and EU frameworks. Also advised Artrya on its US market entry for AI-powered diagnostic software, including HIPAA compliance, data residency requirements and privacy risk under Australian, US federal and state law.