Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens
Cyber security and data privacy are now core governance tests – demanding clear decision-making authority, disciplined escalation and evidence that withstands scrutiny.
From a General Counsel perspective, the board conversation has clearly moved from “do we have policies?” to “can we make defensible decisions under pressure, and will the evidence stand up later?” Organisations that perform well treat cyber and privacy as governance capabilities that work in real time: clear decision rights, escalation pathways that people use, decision‑ready reporting, and evidence of discipline that can be relied on during (and after) an incident.
Regulatory expectations are sharpening, and the message is consistent: be able to show what was done, what was tested, and why leaders could reasonably rely on it.[1] Across key trends, the practical board question is the same: are we getting decision‑ready information early enough, with clear escalation triggers, and evidence that the controls work effectively in practice?
Five key trends are shaping cyber security and data privacy in 2026:
1) Enforcement is moving from “best practice” to demonstrable governance
Privacy enforcement is converging on a practical test: can the organisation show that the controls it relies on are appropriate to the nature and volume of information held, its risk profile, and foreseeable threats, and that those controls are implemented and maintained in practice?[2] The OAIC’s civil penalty proceedings against Optus are a visible example, with allegations framed around whether Optus took reasonable steps commensurate with its size, risk profile and the data it held.[3]
“Reasonable steps” is not undefined. OAIC APP 11 guidance explains that reasonable steps include technical and organisational measures.[4] In practice, boards should expect management to be able to evidence at least: strong identity and access controls, monitoring and logging that is actively used, patch cadence and vulnerability management, workforce awareness, and incident response and recovery that is exercised – not just documented.[5]
GC lens: the governance failure is rarely the absence of a policy. It is the absence of evidence that the policy is operating, particularly where an organisation has made promises to customers or counterparties about security. Where assurance exceeds evidence, exposure multiplies across regulatory, contractual, class action and reputational channels.
2) “Adequate controls” now means control effectiveness, not control existence
Courts and regulators are increasingly focused on whether controls were fully implemented, maintained, and monitored for effectiveness.[6] In ASIC v RI Advice Group Pty Ltd (No 3), Justice Rofe acknowledged the now familiar point that while cybersecurity risk cannot be reduced to zero, it can be materially reduced through adequate documentation and controls.[7] The message is not perfection; it is disciplined uplift and evidence that stands up later.
The decision in ASIC v FIIG Securities Limited provides a practical illustration of what “adequate” looks like when tested in a regulated setting.[8] The point for boards outside financial services is not to replicate the statutory framing, but to adopt the same discipline: identify the material cyber risks, implement controls proportionate to the organisation’s risk profile, and be able to evidence control effectiveness over time. ASIC’s public commentary also reinforces that inadequate controls put clients and companies at real risk, and that the consequences can far exceed the cost of implementing adequate controls in the first place.[9]
What regulators now consider “adequate” changes what boards should accept as assurance: reporting must evidence end‑to‑end control effectiveness. Governance-useful reporting answers: what has changed since last reporting, what is most exposed, what would hurt most if compromised, what decisions are required, and what evidence supports management confidence? And in an AI‑accelerated environment, reporting must also support escalation at the pace necessary to manage risk.
GC lens: defensibility in an incident is often determined months earlier by whether the organisation has a clear “crown jewels” view (the critical services, systems, and data that would cause material harm if disrupted), evidence of control effectiveness, and rehearsed decision rights.
3) Third‑party and supply chain risk is now the dominant operational reality
Third-party arrangements are often central to significant incidents, particularly where external-facing systems or outsourced handling of personal information are involved.[10] AI tools, systems and software add another layer of dependency: new products, new integrations, and new data pathways. Even where the technical compromise occurs in a vendor environment, the organisation is usually the one facing customers, regulators and media, and often remains accountable under privacy laws and contractual commitments.[11]
Third‑party risk cannot be outsourced by contract.[11] Contracts matter, but they do not substitute for visibility, assurance and readiness. Organisations need to know which vendors are critical, what data sits where, what incident notification and cooperation obligations exist, and what the fallback is if a provider suffers a sustained service interruption.
GC lens: the contract is a powerful tool, but it is not a safety net. The legal question is not “do we have a clause?” but “will this clause work at 2am during a live incident?” In practice, the lever is often both contractual and relational: having the contractual rights to demand timely notice, cooperation and access to information is essential, but speed and effectiveness frequently depend on pre‑built working relationships, clear operational points of contact, and rehearsed joint playbooks with critical suppliers.
4) AI is accelerating both cyber exposure and privacy risk through speed and scale
AI belongs in a cyber and privacy discussion because it is changing the dynamics of attack and defence. Widely available models can lower the barrier to sophisticated cyber activity, accelerate vulnerability discovery and exploitation, and scale social engineering.[12] That means existing controls are tested more often, under greater pressure, and at a faster cadence.
The practical governance implication is not to chase novelty. It is to shorten the control cycle: patching discipline, identity and access management, layered defence, and third‑party dependency governance become more important, not less. Boards should expect management to explain how the organisation is adjusting its operating discipline: what is now treated as urgent, what escalates sooner, and what is tested more frequently.
Privacy risk is also amplified through staff usage patterns. Generative AI tools can create new privacy and data leakage pathways if data boundaries are unclear or unenforced.[13] “De‑identifying” by changing names is not a dependable control if the content still contains sensitive context or could be re‑identified.[14]
GC lens: AI increases the premium on decision‑ready assurance, specifically governance that allows leaders to move quickly with confidence because data boundaries, escalation triggers and control effectiveness are clear and evidenced.
5) Disclosure and stakeholder trust: resilience is communications governance
When incidents occur, organisations are judged not only by what happened, but by what they did next: speed, accuracy, empathy and credibility. Transparency is not a communications campaign; it is governance discipline. Organisations that respond well have pre‑agreed decision rights, a rehearsed process for validating facts, and one agreed fact base across legal, risk, technology, operations and communications.
GC lens: The practical work is establishing clear decision rights and escalation pathways, supported by decision‑ready reporting and evidence discipline so that the organisation can act quickly, communicate consistently, and demonstrate defensibility afterwards.
What good looks like (at a glance)
- Evidence‑based assurance: test results, audits, exercises and lessons tracked to closure.
- Tested readiness: incident response and continuity rehearsed; roles understood.
- Third‑party realism: critical dependencies mapped; assurance and fallbacks credible and tested.
- Privacy discipline: OAIC‑aligned response plan operationalised; assessment and communications timely and consistent.
The practical aim is governance that is evidence‑based, rehearsed and decision‑ready – before the incident arrives.
Conclusion: cyber and privacy resilience is a compounding advantage
Cyber security and data privacy are where boards most visibly balance courage with prudence: enabling growth and innovation while ensuring governance remains defensible under scrutiny. The broader regulatory direction is consistent: expectations have moved beyond policy existence to evidence of resilience, accountability and operating discipline in practice.[15] Organisations that do this well don’t simply avoid harm – they increase organisational capacity: better decision quality under pressure, faster recovery, stronger stakeholder trust, and clearer accountability across cyber, privacy, data governance, AI usage risks, operational resilience and conduct risk.
Author bio + disclaimer
Samantha Haeusler, GAICD, is a General Counsel and governance leader with experience advising boards and executives in highly regulated environments on cyber, privacy, data, technology and operational resilience. Her work has focused on governance, regulatory change and executive decision-making in complex organisations across Australia, Singapore and Europe.
This article reflects the author’s personal views and is intended as general governance commentary, not legal advice.
ENDNOTES:
1. Australian Securities and Investments Commission (ASIC), ‘ASIC calls for urgent cyber uplift as AI accelerates cyber threats’ (26-092MR, 8 May 2026); Australian Prudential Regulation Authority (APRA), ‘APRA Letter to Industry on Artificial Intelligence (AI)’ (30 April 2026); APRA, ‘For action: Information Security Obligations and Critical Authentication Controls’ (10 June 2025); Privacy and Other Legislation Amendment Act 2024 (Cth); Office of the Australian Information Commissioner (OAIC), ‘Chapter 11: APP 11 Security of personal information’ (Updated 3 October 2025); OAIC, ‘Privacy regulatory action policy’ (Updated 23 June 2025); OAIC, ‘Statutory tort for serious invasions of privacy’ (19 June 2025).
2. OAIC, ‘Chapter 11: APP 11 Security of personal information’ (Updated 3 October 2025).
3. OAIC, ‘Australian Information Commissioner takes civil penalty action against Optus’ (Media Release, 8 August 2025).
4. OAIC, ‘Chapter 11: APP 11 Security of personal information’ (Updated 3 October 2025); OAIC, ‘Guide to securing personal information’ (5 June 2018, updated to reflect amendments made by the Privacy and Other Legislation Amendment Act 2024).
5. See endnote 4.
6. ASIC, ‘ASIC calls for urgent cyber uplift as AI accelerates cyber threats’ (26-092MR, 8 May 2026), referring to cyber controls needing to be demonstrably effective and proportionate.
7. Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 496; ASIC, ‘Cyber risk: Be prepared’ (15 July 2022).
8. Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92; see also ASIC, ‘ASIC action sees FIIG Securities ordered to pay $2.5 million over cyber security failures’ (26-021MR, 9 February 2026); ASIC, ‘ASIC calls for urgent cyber uplift as AI accelerates cyber threats’ (26-092MR, 8 May 2026).
9. ASIC, ‘ASIC calls for urgent cyber uplift as AI accelerates cyber threats’ (26-092MR, 8 May 2026).
10. OAIC, ‘Australian Information Commissioner takes civil penalty action against Optus’ (Media Release, 8 August 2025) (noting risks associated with external-facing systems and third-party providers); OAIC, ‘OAIC launches new dashboard for data breaches’ (4 November 2025, referring to a case study on outsourcing personal information handling to third-party providers).
11. OAIC, ‘Chapter 8: APP 8 Cross-border disclosure of personal information’ (Updated 3 October 2025); OAIC, ‘Australian Information Commissioner takes civil penalty action against Optus’ (Media Release, 8 August 2025) (noting risks associated with third-party providers).
12. ASIC, ‘ASIC calls for urgent cyber uplift as AI accelerates cyber threats’ (26-092MR, 8 May 2026); APRA, ‘APRA Letter to Industry on Artificial Intelligence (AI)’ (30 April 2026).
13. APRA, ‘APRA Letter to Industry on Artificial Intelligence (AI)’ (30 April 2026); Governance Institute of Australia, ‘Governance in the age of agentic AI’ (White Paper, May 2026).
14. OAIC, ‘De-identification and the Privacy Act’ (21 March 2018, updated to reflect changes made by the Privacy and Other Legislation Amendment Act 2024).
15. See endnote 1.
