Does your organisation have a tested incident response plan? BlackFlag Advisory identifies preparedness gaps before an incident tests them.

The 72 Hours After a Breach: What Unprepared Organisations Get Catastrophically Wrong

At 2:17am on a Tuesday, a file server begins behaving strangely. By 3am, it is clear that something significant has happened. By 6am, when the first senior manager is reached by phone, the organisation is already three hours into the most consequential event of its operational history — and it is making every decision for the first time.

The 72 hours that follow a significant cyber incident are not primarily a technical challenge. They are a governance, legal, and communications challenge — one that organisations without preparation consistently fail in ways that multiply the original damage by a factor of two, three, or more. The breach is the beginning. What happens next is determined almost entirely by whether the organisation knew what to do before it had to do it.

Most Australian organisations do not. They have a cyber insurance policy. They may have a vague understanding of who to call first. They do not have a documented, tested, authority-assigned incident response plan that tells every relevant person exactly what their role is in the first 72 hours and what decisions they are authorised to make.

Key Points

  • The first 72 hours of a cyber incident account for a disproportionate share of the total cost — decisions made under pressure without preparation compound damage that was already done
  • Australia's Notifiable Data Breaches scheme imposes a 30-day notification deadline that begins from the moment an organisation becomes aware of an eligible breach — not from when it is certain
  • Organisations without a tested incident response plan routinely delay containment, destroy forensic evidence, and make public statements that increase regulatory and legal exposure
  • The insurer must be notified promptly — late notification is itself grounds for claim complications, separate from any other condition
  • Most Australian SMEs have never tested their incident response plan, and a significant proportion have never documented one

What the First 72 Hours Actually Require

An incident response in the first 72 hours is not a single activity. It is a set of activities that must be conducted in parallel, by different people with different expertise, under conditions of maximum uncertainty and time pressure. The organisations that manage this well are the ones that have thought through the problem before the problem occurred.

Containment must happen immediately — before full understanding of the scope, because waiting for certainty allows the attacker to continue operating. Evidence must be preserved for forensic investigation — while operations teams are simultaneously trying to restore services. Legal counsel must be engaged to assess regulatory obligations before public statements are made. The insurer must be notified within the timeframe specified in the policy. Regulatory notification obligations must be assessed against the 30-day NDB scheme deadline, which begins running from the moment the organisation becomes aware of a potential eligible breach.

The Evidence Destruction Problem

One of the most common and costly mistakes in the first hours of an incident is the destruction of forensic evidence by IT teams attempting to restore systems. Wiping and reimaging a compromised system removes the malware. It also removes the logs, artefacts, and indicators that a forensic investigation needs to determine how the attacker gained access, how long they were present, what they accessed, and whether the incident is notifiable. An organisation that cannot answer these questions because the evidence was destroyed in the panic of restoration faces extended forensic timelines, higher investigation costs, and potentially broader regulatory exposure because it cannot demonstrate the scope of the breach.
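The practical counterpart to the paragraph above is a preservation step that runs before anyone wipes or reimages the host. The script below is an added example, not BlackFlag Advisory's material; it assumes a Unix host with coreutils (cp, tar, sha256sum) and uses constructed log lines and paths. It copies the evidence tree, writes a SHA-256 manifest and a collection record for the chain of custody, and makes the copy read-only so restoration work cannot silently alter it.

```shell
#!/bin/sh
# Added example (not BlackFlag Advisory's): preserve a host's evidence before
# any wipe or reimage. Assumes a Unix host with coreutils (cp, tar, sha256sum).
# Usage: preserve_evidence <source_dir> <case_dir>  -> prints the evidence path
preserve_evidence() {
    src="$1"; case_dir="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    host=$(hostname 2>/dev/null || echo unknown-host)
    out="$case_dir/$host-$stamp"
    mkdir -p "$out/files" || return 1

    # 1. Copy the tree, keeping timestamps where permitted (mtime/atime are evidence).
    cp -a "$src/." "$out/files/" 2>/dev/null || cp -R "$src/." "$out/files/" || return 1

    # 2. Hash every preserved file so the copy can be verified later (sorted, reproducible).
    ( cd "$out/files" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$out/MANIFEST.sha256" || return 1

    # 3. Bundle the copy for hand-off to forensic investigators, and hash the bundle too.
    tar -C "$out" -cf "$out/files.tar" files || return 1
    ( cd "$out" && sha256sum files.tar > files.tar.sha256 ) || return 1

    # 4. Record who collected what and when, for the chain-of-custody log.
    {
        echo "collected_utc=$stamp"
        echo "host=$host"
        echo "source=$src"
        echo "collector=$(id -un 2>/dev/null || echo unknown)"
        echo "file_count=$(wc -l < "$out/MANIFEST.sha256" | tr -d ' ')"
    } > "$out/COLLECTION.txt"

    # 5. Make the copy read-only so a restoration step cannot silently alter it.
    chmod -R a-w "$out" 2>/dev/null
    echo "$out"
}

# Re-check a preserved copy against its manifest; returns 0 only if every hash matches.
verify_evidence() {
    ( cd "$1/files" && sha256sum -c ../MANIFEST.sha256 ) >/dev/null 2>&1
}

# Demo on a constructed log directory (sample lines are made up for this example).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/logs"
printf 'Jan 14 02:17:03 fs01 sshd[812]: Accepted password for svc_backup from 10.0.0.5\n' > "$demo_dir/logs/auth.log"
printf 'Jan 14 02:19:41 fs01 smbd[990]: new share connection from 10.0.0.5\n' > "$demo_dir/logs/samba.log"
evidence=$(preserve_evidence "$demo_dir/logs" "$demo_dir/case")
verify_evidence "$evidence" && echo "preserved and verified: $evidence"
```

The manifest is what lets investigators show that the copy they examined is the one taken before restoration began.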

The Notification Trap

Australia’s Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals when an eligible data breach has occurred — one that is likely to result in serious harm to any individual whose information was involved. The notification must occur as soon as practicable and within 30 days of the organisation becoming aware that a breach has occurred or is likely to have occurred.

The 30-day clock does not start when the organisation is certain a breach has occurred. It starts when the organisation becomes aware that a breach has occurred or is likely. An organisation that discovers anomalous activity at 2am on Tuesday and spends the next three weeks trying to determine whether a breach actually happened is almost certainly already inside its notification window — and may be approaching or past the 30-day deadline before it has made any formal assessment of its obligations.

The consequences of late notification are not merely a fine. They include a finding of non-compliance with the Privacy Act, public reporting by the OAIC, and the reputational damage of being identified not just as an organisation that was breached, but as one that failed to notify affected individuals within the legally required timeframe.

What Preparation Actually Looks Like

Incident response preparation is not a document that is written and filed. It is a set of decisions that are made before pressure requires them, tested before reality demands them, and assigned before confusion makes them impossible.

Who has authority to take systems offline without waiting for management approval? Who calls the insurer, and what information does that call require? Who engages legal counsel, and is there a pre-approved firm with cyber incident experience on retainer? Who communicates with staff, and what are they authorised to say? Who communicates with affected clients or the public, and through what channel? What is the pre-approved holding statement that can be issued in the first hours before any details are confirmed?

These are not IT questions. They are governance questions. They belong in a document that is reviewed by the Board, approved by the CEO, and tested against a simulated incident scenario before the real one occurs. The organisations that have done this work spend the first 72 hours executing a plan. The organisations that have not spend those hours creating one — under the worst possible conditions, with the highest possible stakes, and with full visibility to regulators, insurers, and clients who are watching how the organisation responds.

Prepare Before the Clock Starts

The decisions made in the first 72 hours of a cyber incident are made under maximum pressure with minimum information. BlackFlag Advisory identifies the gaps in your preparedness before an incident forces the test. Board-ready report within 5 business days.

What the Assessment Covers

  • External indicators of incident response readiness
  • Observable security controls relevant to containment capability
  • Regulatory notification obligation mapping under the Notifiable Data Breaches scheme
  • Findings presented at Board level with preparedness gap analysis