$87.7M for Cyber Security NSW to Prevent, Detect and Recover from Cyber Incidents

NSW Audit Office reveals alarming third-party cybersecurity gaps as government invests in cyber resilience. Here’s what organisations need to know about the hidden risks in their supply chains.
In the NSW Audit Office’s latest ‘Cyber Security Insights 2025’ report lies a troubling revelation, one that should concern every organisation relying on third-party services.
Third-party cyber incidents nearly tripled in 2024, with data breaches rising significantly across NSW Government agencies. This isn’t just a government problem; it’s a preview of what’s coming for organisations across every sector as supply chain complexity continues to grow.
The Third-Party Time Bomb
The numbers from NSW paint a stark picture of modern cybersecurity reality. According to the NSW Audit Office report, “Third-party cyber risk management is a significant challenge given the prevalence of cases of cybersecurity incidents involving third parties.”
What makes this particularly concerning is the visibility gap. The Audit Office found that third-party compliance with the minimum Cyber Security Policy (CSP) requirements may be known to the agency but is not reported to Cyber Security NSW.
An absence of clear reporting risks agencies and Cyber Security NSW not knowing about non-compliance against the CSP, where the cybersecurity control practice is provided by third parties.
In simpler terms, organisations believe they understand what their third-party providers are doing, but they lack the systems or processes to verify it, and regulators are beginning to take notice.
Where the Gaps Are Widest
The NSW audit reveals that the highest level of third-party reliance that goes unreported or unassessed is in the ‘Protect’ domain, which covers all ACSC Essential Eight controls and controls for access, data, email, and network security.
This is particularly alarming because “when in place and effective, these technical controls provide preventative protection against cyber attacks.” Essentially, the very controls designed to prevent breaches are the ones with the least oversight when managed by third parties.
The scope of the compliance failure is staggering:
- Only 31% of NSW agencies are fully meeting the ‘Protect’ domain Mandatory Requirements
- 152 significant, high, and extreme residual cybersecurity risks were reported by just 27 agencies
- 28 agencies had treatment controls that were either largely or completely ineffective
- 60 risks lacked specified timelines to reduce them to an acceptable level

The Essential Eight Reality Check
Perhaps most concerning is the state of Essential Eight maturity across NSW agencies. The report found that “many agencies have not met level one Essential Eight cyber protection measures,” with some agencies reporting “zero maturity for critical controls such as application control, patching and administrative privilege restrictions.”
If government agencies, with dedicated cybersecurity policies, frameworks, and now $87.7 million in additional funding, are struggling with basic cybersecurity controls, what does this mean for private sector organisations with fewer resources and less regulatory oversight?
The Independent Assurance Gap
One of the most revealing findings in the NSW report is the lack of independent verification. 59% of reporting agencies advised they did not have independent assurance over their reported compliance against the Cyber Security Policy.
“The absence of independent assurance increases the risk of inaccurate data being reported to Cyber Security NSW,” the audit office noted. This creates a dangerous cycle where organisations believe they’re compliant based on self-reporting, while the actual security posture remains unknown.
What This Means for Your Organisation
The NSW experience offers critical lessons for organisations across all sectors:
1. Self-Assessment Is Not Enough
The fact that government agencies with mandatory reporting requirements still lack accurate visibility into their cybersecurity posture demonstrates that traditional compliance approaches are failing. Organisations need continuous, automated monitoring systems that provide real-time visibility into security controls and compliance status.
2. Third-Party Risk Is Your Risk
The tripling of third-party incidents in NSW mirrors broader industry trends. As organisations increasingly rely on complex supply chains for critical services, the attack surface expands exponentially. Each third-party relationship introduces new vulnerabilities that must be actively managed, not just contracted away.
3. Budget Constraints Are Not an Excuse
The report notes that “planned or ongoing cybersecurity uplift programs and budget constraints were the most common reasons agencies provided for not meeting the minimum cybersecurity requirements.” However, the cost of non-compliance, both financial and reputational, far exceeds the investment required for proper cybersecurity controls.
4. Governance Must Match Complexity
As supply chains become more complex, governance frameworks must evolve accordingly. The traditional approach of annual assessments and contractual requirements is insufficient when dealing with dynamic, interconnected digital ecosystems.
Building Resilient Third-Party Risk Management
The $87.7 million investment in Cyber Security NSW represents more than funding; it’s recognition that cybersecurity requires systematic, ongoing attention rather than point-in-time fixes.
The Path Forward
The NSW experience demonstrates that reactive approaches to cybersecurity, waiting for incidents to drive improvements, are no longer viable. The complexity of modern digital ecosystems means that security is only as strong as the weakest link in your supply chain.
With cyber incidents involving third parties tripling in just one year, and with regulatory attention increasing across all sectors, the time for action is now.
The $87.7 million investment in NSW cybersecurity represents recognition that security is a critical infrastructure requiring sustained investment and systematic management. Organisations that apply these same principles to their own cybersecurity programs will be the ones that emerge stronger and more resilient in an increasingly complex threat landscape.