In this podcast series, we explore all things cyber, including the legal, regulatory and policy developments that impact corporate Australia. We will do this by speaking to those people who are shaping the Australian legal and regulatory environment. Those who are on the front line, protecting Australian companies from cyber incidents.
Cross Examining David Moffatt
The Director Series
Welcome to Cross Examining Cyber, a podcast brought to you by Herbert Smith Freehills Kramer. In this podcast series, we speak to our business leaders about all things cyber, including the legal, governance, technical, regulatory and policy developments that impact corporates around the world.
I'm really excited to announce that this is the first of our Cross-Examining Cyber Director Series. For the next six months, we will speak to some of our leading directors, including David Gonski, Anne Templeman-Jones, John Mullen, Catherine Brenner, just to name a few.
Today's the first in our series, and today we cross-examine David Moffatt.
David has over 40 years' experience in executive leadership positions. He's worked and lived almost everywhere, Australia, the US, Europe and Asia. He's currently the chair of Ventia Services Group, Environmental Remediation and Social Services and Apollo Global Management. David is also the chair of the American Chamber of Commerce here in Australia. David has first-hand experience dealing with a cyber incident as part of his role at Ventia. His insights are not only considered but come from direct experience. Thanks again for listening.
This is Cross Examining David Moffatt, the first in our Director Series. Here we go.
Cross Examining Professor Ciaran Martin
Part 2
What makes a great lawyer in a cyber incident response?
This is a key question that I explored during part 2 of our podcast with Professor Ciaran Martin, a world leading cyber thought leader.
The question challenged Ciaran, but he answered it succinctly as “one do and one don’t”. The best incident leaders loosen control (the “do”), rather than tighten it (the “don't”). A damaging instinct in a crisis (often driven by impractical lawyering) is locking everything down and keeping help out for fear of liability. In practice, faster recovery usually comes from working openly with the broader cyber response community. Most people genuinely want to help.
Here were my other favourite pieces of wisdom shared by Ciaran coming out of the discussion.
- The “pyramid of liability” has inverted. When something goes wrong, we still reach for the easiest explanation – i.e. “someone clicked the link”. That’s comforting, but it misses the point. Most incidents are really about upstream failures — poor software design, weak procurement choices, and a lack of accountability for vendors and platforms. Blaming frontline users (including our corporates) just ignores the real source.
- Transparency after an incident doesn’t destroy trust, but builds it. There’s a strong instinct (again, I'm sorry, but often driven by legal) to say as little as possible. But if you actually look at major incidents over time, the organisations that were sensibly open about what happened and what failed didn’t suffer lasting reputational or commercial damage. If anything, they earned goodwill — from regulators, peers and the broader ecosystem. The "what" are questions of fact and are often not protected by privilege anyway.
- Cyber planning breaks down when it obsesses over data and ignores continuity. There are numerous examples in the healthcare space. Legal duties pushed decision‑makers to prioritise protecting data over keeping life‑saving services running. That’s a structural flaw. In some crises, loss of service is far more harmful than loss of data — yet our frameworks don’t always reflect that.
- Along this line, operational outages are more dangerous than data breaches — and we’re not ready for them. When ports, airlines or hospitals go down, the economic and social impact is immediate and severe. These aren’t just “bigger data breaches”; they’re a different category of risk altogether. Australia hasn’t yet experienced one at scale, but when it does, the shock will be national. It's certainly my biggest fear.
- Ransomware only works if we treat threats as credible. Data extortion relies on panic and amplification. Australia’s experience shows that when institutions, media and law enforcement refuse to play along — and don’t amplify stolen data — attackers lose leverage, even if data technically leaks. The economics of the cyber criminal model collapse surprisingly quickly.
There’s loads more in the full podcast (~20 minutes). Definitely worth a save and watching or listening on your commute to/from work. This is cross examining Professor Ciaran Martin – Part 2. Here we go…
Part 1
In this episode, we are joined by Professor Ciaran Martin, one of the globe's leading cyber thought leaders. He is often called upon by Governments, Government agencies and the private sector alike. He is also currently taking a leading educational role, demystifying the cyber space. Ciaran is the former head of the National Cyber Security Centre in the UK and played a critical role supporting the Australian Government in the creation of the Cyber Security Strategy.
Our discussion with Ciaran was so interesting that we have broken it into two. In this part 1, we talk about Ciaran's various roles and how he has become such an important voice in the cybersphere. We also talk about the impact of geopolitics on the cyber threat.
We know you are going to enjoy this discussion. Here we go...
Cross Examining Lieutenant General Michelle McGuinness CSC
In true Christmas spirit, we decided to deliver what many have been asking for….in this episode we cross examine Lieutenant General Michelle McGuinness, Australia’s National Cyber Security Coordinator.
As the Coordinator, she leads national cyber security policy, the coordination of responses to major cyber incidents, whole of government cyber incident preparedness efforts, and the strengthening of Commonwealth cyber security capability.
If you experience a major cyber incident, you will invariably meet Michelle.
She has served in the Australian Defence Force for 30 years and has a deep passion for learning and educating. This comes through in spades throughout the podcast.
I am also joined by Magda Blanch-de Wilt, our cyber risk advisory lead. Together we tackle a broad set of issues without interruption. This is a single episode…your bumper Christmas special.
I hope you enjoy the discussion. Cross examining Lieutenant General Michelle McGuinness. Thanks for listening. Here we go….
Cross Examining Privacy Commissioner Carly Kind
Part 1
In this episode, Cam is joined by Kaman Tsoi, one of the country’s most experienced and respected privacy lawyers. Together they cross-examine Privacy Commissioner Carly Kind.
Commissioner Kind takes on her first role in the public sector (at the OAIC). She had a successful career working in human rights law with the UN (spending time in Geneva, New York and London) and then moved into privacy (and the intersection of human rights with technology). She has worked on strategic litigation and privacy policy advice. She is the founding director of the Ada Lovelace Foundation.
In today’s podcast we talk about the privacy reform agenda, the role of the regulator in strategic enforcement and the efficacy of the notifiable data breach regime.
Commissioner Kind is an impressive individual, who brings a very practical approach to the role.
Part 2
In this episode, Cam is again joined by Kaman Tsoi and, together, they continue the cross-examination of Privacy Commissioner Carly Kind.
In this podcast, we talk about the role of the board, the OAIC’s enforcement approach and the Cyber Security Strategy, including the Commissioner’s view on the extortion demand ‘conundrum’. Commissioner Kind also offers some wise words on what it takes to be a good lawyer in the cyber space…courageous!
Commissioner Kind is a very impressive individual. She brings a very pragmatic perspective to the role and her personality is coming through in the OAIC’s approach and engagement.
Cross Examining David Thodey
Part 1
In this episode, we talk to David Thodey, one of our most respected company directors and currently Chair at Xero and Ramsay Healthcare.
Carolyn Pugsley (part of our market leading Head Office Advisory Team) and I talk to David about his career journey, and he provides some incredibly valuable insights into the role of a director and board in a cyber incident. Our discussion was so rich, we decided to break the podcast in two (we actually toyed with a series of podcasts with David alone).
Part 2
In this episode, Cam is joined by Carolyn Pugsley, an advisor to boards and a leader in corporate governance advice. Together we continue our discussion with David Thodey.
Today, we shift focus to some of the more challenging themes. We talk about the Cyber Strategy and payment of extortion demands. We also ask for David’s guidance for directors when dealing with the cyber challenge and ask him whether we are winning the cyber battle.
We start this podcast by asking for his observations on the responsibility that educational institutions play in helping with cyber education uplift.
Again, David’s thoughts are considered, insightful and practical.
Special edition: The Business Of Cyber Security with Laura Newton
Cyber Security: How to keep data safe in the digital age
Bigger is not always better, especially when it comes to data.
In a digitised world, it is possible to collect reams of data on customers, but at what cost? Many companies don’t even realise they’re suffering an extreme case of ‘bad data hygiene’ which, in the face of a cyber incident, could be critical.
Laura Newton, a regulatory lawyer and cyber incident response lead at Herbert Smith Freehills, explains best practices for managing customer data, how to prepare for a cyber incident, and what to do if an incident breaks out.
Cross Examining Ms Abigail Bradshaw
Part 1
In this episode, we talk to Ms Abigail Bradshaw, the Head of the Australian Cyber Security Centre (ACSC). Throughout her career, Abi has held a number of critical security related positions, including within the Department of Prime Minister and Cabinet and various senior roles in the Department of Home Affairs.
Ms Bradshaw began her career in the Royal Australian Navy, was awarded the Conspicuous Service Cross in 2005 and holds a Bachelor of Laws and a Bachelor of Asian Studies. A fascinating start to a remarkable career in the public service.
In this episode (part 1 of 2), Abi talks about her career and the increasing relevance of the ACSC. She provides a unique perspective to the cyber challenge, one that is based on resilience uplift across the economy.
Part 2
This is part two of our ‘cross examination’ of Ms Abigail Bradshaw, head of the Australian Cyber Security Centre.
In this episode, Abi notes that “a cyber criminal will attack the networks you have, not the network you think you have”. Such an important perspective! We also look at the role of the ACSC, the benefit of threat intelligence sharing and the way in which the ACSC can assist an entity (whether with advice, technical assistance or disruptive actions). Abi also calls out her top 6 non-negotiables for building cyber resilience. Fantastic content.
Cross Examining Andrew Penn
Part 1
In this episode we cross examine Andy Penn, previously CEO of Telstra and more recently the Chair of the Government’s Expert Advisory Board (leading the development of strategic advice to the Government in relation to the Cyber Security Strategy). We caught up with Andy from his home in Mexico (a town called San Miguel de Allende). Andy brings a level of industry and policy expertise that is unrivalled. Again, we have split the discussion in two. In this episode, we talk about the formation of the Cyber Security Strategy, the dynamics of cybercrime, what success looks like and offensive / defensive security strategies. There is more to come in our conversation, but let’s kick things off with part 1 of our cross examination of Andy Penn. Here we go…!
Part 2
In this episode, we finish our cross examination of Andy Penn, previously CEO of Telstra and more recently the Chair of the Government’s Expert Advisory Board. The conversation just gets better...
Andy makes some insightful comments about the similarities between our physical world and our digital world, and how this should guide our measure of success. We also take a closer look at the Cyber Strategy, the value in placing responsibility on those best placed to take responsibility, what does "good" look like, the value in managing data holdings, threat sharing / locking, the benefit of transparency and reporting (rather than banning extortion).
Andy also makes some incredibly relevant (and sobering) observations on the impact that compute power and quantum computing will have on our security settings (“…a Y2K event when don’t know the date…”).
Finally, I ask Andy “what makes a great lawyer”? Luckily, we come out of that question relatively unscathed.
Cross Examining Bill Siegel
Part 1
This is Episode 3 of Cross Examining Cyber, where we cross examine Bill Siegel, CEO & Co-Founder of Coveware. We could have talked to Bill for hours, so we have broken this podcast in two.
Part 1 covers a range of issues including the establishment of Coveware, the value of good data, cyber extortion payment trends, cyber extortion “business models” and the challenging geopolitics we all face. Here we go…
Part 2
In this episode, we return with Part 2 of our discussion with Bill Siegel, the CEO of Coveware. We look closely at Coveware itself (and its history), the scope of Coveware’s services, how threat actor negotiations unfold, banning ransom payments, the role of the cyber simulation and what makes a good simulation. We also discussed the role of the board during an incident and managed to squeeze some cyber predictions out of Bill, including the impacts of AI on the cyber landscape. This is a “must listen” episode!
Cross Examining: Hamish Hansford
Part 1
In our inaugural podcast, we are joined by Hamish Hansford, Deputy Secretary Cyber & Infrastructure Security, Home Affairs.
Part 2
Hot on the heels of our inaugural podcast, we now bring you Cross Examining Cyber, Episode 2, the cross examination of Hamish Hansford (Part 2). We take the time to speak to Hamish about the SOCI Act, whether we are winning the war on cyber and the role of lawyers in the crisis room.
Key contacts
Cameron Whittfield
Partner, Melbourne
Peter Jones
Partner, Head of TMT, Asia, Singapore
Christine Wong
Partner, Sydney
Merryn Quayle
Managing Partner, Melbourne Office, Melbourne
Emily Coghlan
Partner, Melbourne
Magdalena Blanch-de Wilt
Executive Counsel, Melbourne
Kaman Tsoi
Special Counsel, Melbourne
Heather Kelly
Senior Associate, Melbourne
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026