Policy Insight

$87.7M for Cyber Security NSW

Funding to prevent, detect, and recover from cyber incidents highlights the hidden risks in third-party supply chains.

Overview

NSW cyber resilience funding exposes a deeper third-party visibility problem

Cyber Security NSW received $87.7 million to strengthen prevention, detection, and recovery. At the same time, the NSW Audit Office's Cyber Security Insights 2025 report shows third-party cyber incidents nearly tripled in 2024, with agencies still struggling to report supplier compliance, Essential Eight maturity, and residual risk with enough confidence.

Funding: $87.7M for Cyber Security NSW
Trend: Third-party incidents nearly tripled
Gap: Protect-domain compliance visibility
Need: Independent continuous assurance

Audit signals

The widest gaps sit in the controls designed to prevent incidents

Third-party reporting gaps

Supplier compliance with minimum cyber requirements may be known by an agency but not reported to Cyber Security NSW.

Protect-domain weakness

Only 31 percent of NSW agencies were fully meeting the Protect-domain mandatory requirements.

Residual risk backlog

Twenty-seven agencies reported 152 significant, high, and extreme residual cyber security risks.

Independent assurance gap

Fifty-nine percent of reporting agencies advised they did not have independent assurance over reported compliance.

Ikara response

Ikara turns cyber uplift into monitored control performance

Monitor supplier posture

Continuously assess third-party services, obligations, security posture, and compliance evidence.

Track Protect controls

Expose gaps across Essential Eight, access, data, email, and network security controls.

Report reliable compliance

Replace self-reporting uncertainty with current evidence that can support agency and regulator visibility.

Prioritise residual risk

Connect risk ratings, control effectiveness, treatment actions, and owners in one operating view.

Escalate weak controls

Notify accountable teams when supplier controls are missing, ineffective, or drifting from requirements.

Evidence resilience uplift

Show how prevention, detection, and recovery capability improves across services and suppliers.

Implications

Funding helps, but resilience depends on sustained visibility and assurance

The NSW experience shows that budget, policy, and frameworks do not automatically create control effectiveness. Organisations need independent, continuous visibility across third-party services so prevention, detection, recovery, and reporting can keep pace with supply-chain complexity.

Third-party risk becomes visible

Supplier controls and compliance obligations can be monitored before gaps become incidents.

Essential Eight maturity gets evidence

Control uplift can be tracked against actual operating posture rather than point-in-time declarations.

Residual risks become actionable

Owners, treatment timelines, and control effectiveness can be managed as part of daily operations.

Conclusion

Cyber resilience needs more than investment; it needs continuous proof

As third-party incidents rise, organisations need to know which controls are working, which suppliers are exposed, and where residual risks remain untreated. Ikara helps turn cyber uplift into measurable, accountable, and resilient operations.

Resilience uplift
Independent assurance
Supplier visibility

Make cyber uplift measurable.

See how Ikara can provide continuous assurance across third-party services, controls, and resilience obligations.
