Overview

A cyber incident is a legal event. The obligations it triggers, the liability it creates and the regulatory scrutiny it attracts are determined by what the contracts say, what the governance frameworks require and what decisions are made in the hours immediately following. Preparedness is a legal function. Response is a legal function. The technical workstream and the legal workstream must run in parallel from the outset.

We advise boards, executives, regulated entities, major corporates, government agencies and infrastructure operators before, during and after cyber incidents. The work spans governance and readiness, incident response and crisis management, regulatory engagement across multiple frameworks simultaneously, and the insurance and liability consequences that follow. Clients include organisations in financial services, healthcare, critical infrastructure, government, media, technology and defence, where the consequences of incidents extend well beyond the systems affected.

Areas of expertise

Our  experience

Regulated financial services entity – Post-incident regulatory engagement

Advised a regulated financial services entity on post-incident engagement with the OAIC and prudential regulators following a cybersecurity event. Work focused on strengthening cyber governance and compliance frameworks in response to regulator feedback, and managing the entity's ongoing obligations under APRA's CPS 234 cybersecurity requirements through the post-incident period.

Infrastructure operator – Ransomware attack and cyber insurance claim

Advised an infrastructure operator on cyber insurance coverage and claims following a ransomware attack that affected operational systems. Work covered advocating for coverage under the policy, managing the interaction between the insurance claim and ongoing regulatory obligations, coordinating with forensic investigators and managing the overall recovery strategy.

Government procurement – Cybersecurity and data protection requirements

Advised on the development of cybersecurity and data protection requirements for major government procurement contracts. Work covered risk allocation in technology supply agreements, vendor compliance obligations and security-by-design requirements in ICT contracting frameworks. The practice regularly advises Commonwealth and state agencies on cybersecurity requirements in technology procurement, including ASIC's evidence management platform procurement and the Australian Taxation Office's A$560 million next-generation contact centre program.

Artrya – Cross-border data and cybersecurity compliance

Advised Australian AI health company Artrya on a cross-border data agreement for EU medical datasets underpinning AI research and regulatory pipeline development, requiring privacy compliance, cross-jurisdictional IP structuring and cybersecurity obligations across Australian and EU frameworks. Also advised Artrya on its US market entry for AI-powered diagnostic software, including HIPAA compliance, data residency requirements and privacy risk under Australian, US federal and state law.