Cyber Incident Response Plans: What Australian Startups Are Expected to Have Under OAIC Guidance in 2026

Cyber Incident Response Plans: What Australian Startups Are Expected to Have Under OAIC Guidance in 2026

A Brisbane fintech startup — 22 people, Series A closed nine months ago — takes a call at 4:47am on a Sunday from a customer whose CFO has spotted a mailbox rule redirecting invoices to an external address. By 6:00am the founder-CEO’s laptop is confirmed compromised, the incident response team is her (in her kitchen, on a personal phone), and the only “plan” is a Slack channel spun up an hour earlier. The startup has $412,000 in AWS credits, a SOC 2 auditor mid-engagement, one third-party MSSP on a 9-to-5 SLA, and a Master Services Agreement stack promising customers “commercially reasonable” notification of security incidents. By midday Monday, three statutory clocks are running in parallel: the section 26WK thirty-day assessment window under Part IIIC of the Privacy Act 1988 (Cth), a seventy-two-hour ransomware payment reporting obligation under the Cyber Security Act 2024 (Cth), and the Australian Privacy Principle 11.3 “reasonable steps” obligation that on the founder’s own facts she is already in breach of because the organisational measure the ACT expected her to have — a written cyber incident response plan — does not exist.

That fact pattern is the ordinary shape of a startup cyber incident in 2026. Founders think of a cyber incident response plan (CIRP) as an IT deliverable — something the head of engineering builds out around Q3 once SOC 2 pressure builds. Since 11 December 2024 it has been a legal deliverable, and the Office of the Australian Information Commissioner has published guidance that sets out with unusual specificity what the plan needs to contain.

APP 11.3 — Why the Plan Is Now a Mandatory Organisational Measure

The Privacy and Other Legislation Amendment Act 2024 (Cth) inserted APP 11.3 into Schedule 1 of the Privacy Act, effective 11 December 2024. It sharpens what “reasonable steps” under APP 11 means:

“Without limiting subclauses 11.1 and 11.2, the reasonable steps that an entity must take include both technical and organisational measures.”

The phrase is imported from Article 32 of the GDPR and does the same work here that it does there. Encryption, access controls, MFA and endpoint monitoring are the technical side. Written policies, training, vendor contracts and — critically — a documented, tested cyber incident response plan sit on the organisational side. The OAIC’s Guide to Securing Personal Information and its Guidance for Entities in Preparing for and Responding to Cyber Incidents now sit inside that word “organisational.” A startup that holds personal information and does not have a written CIRP is in breach of APP 11 before any breach has occurred — and the reforms upgraded interference with privacy to a tiered civil penalty regime with a top-tier maximum of the greater of $50 million, three times the benefit, or 30% of adjusted turnover.

The OAIC’s Prescribed Plan Content

The OAIC’s cyber incident guidance identifies the plan components an entity should have in place before an incident occurs. On the OAIC’s own framing, a compliant CIRP:

  • Maps the data. An up-to-date information asset register — what personal information the entity holds, where it lives, who has access, and which third parties can reach it. Founders skip this and cannot answer the NDB threshold question (“what was exposed”) when the clock is running.
  • Sets clear lines of authority. Named individuals with decision-making authority for containment, external communications, notification and legal engagement. A “the CTO handles it” plan is not a plan.
  • Sets timeframes. Internal escalation windows shorter than the statutory windows, so the s26WK 30-day assessment isn’t the first deadline the team meets.
  • Prescribes containment steps. Isolation playbooks, credential rotation, log preservation, forensic imaging. Log preservation matters twice — once for the NDB assessment, once for the forensic evidence a subsequent regulator or class action will demand.
  • Prescribes the assessment framework. How the team will determine whether the incident is an “eligible data breach” under section 26WE (unauthorised access, disclosure or loss of personal information that is likely to result in serious harm).
  • Prescribes notification workflows. Draft notification templates for the OAIC, affected individuals, customers under MSA notification clauses, and — where applicable — the Australian Signals Directorate.
  • Prescribes the post-incident review. The contain, assess, notify, review framework the OAIC publishes as its four-step model, with a documented review loop that the OAIC will look for in any subsequent investigation.

The OAIC’s own guidance flags that the plan must be tested — tabletop exercises, at least annually, are the OAIC’s expectation. An untested plan sits in the same “you had a document but did not have a control” bucket that ASIC uses against directors under section 180 of the Corporations Act.

The Three Statutory Clocks

Since May 2025 the founder handling an incident is running three clocks in parallel:

  • Thirty days to assess under section 26WH — the entity must complete a reasonable and expeditious assessment of whether there are reasonable grounds to believe an eligible data breach has occurred. Once satisfied, notify the OAIC “as soon as practicable” under section 26WK.
  • Seventy-two hours to report a ransomware payment under section 27 of the Cyber Security Act 2024 (Cth), commenced 30 May 2025 — every entity carrying on a business in Australia with annual turnover of $3 million or more that makes, or has made on its behalf, a ransomware or cyber-extortion payment must file a report with the Department of Home Affairs (via the ASD’s ReportCyber portal) within 72 hours of payment.
  • Contract-clock obligations to customers — most enterprise SaaS MSAs written after 2023 include express notification windows, typically 24 to 72 hours from becoming aware of a security incident. These run independently of the Privacy Act clocks and are frequently missed by founders focused on the OAIC deadline.

The statutory tort of serious invasion of privacy, commenced 10 June 2025 under the same 2024 reforms, then adds private civil litigation exposure that the pre-2025 regime did not. A startup that misses the 30-day assessment, misses the 72-hour payment report and misses the MSA notification window has stacked three legal breaches on top of the underlying cyber incident.

What Founders Should Do Now

The compliance target for a startup is boring but discrete. First, document the plan — a written CIRP that includes the OAIC-listed components above, approved by the board and reviewed annually. Second, map the data — an information asset register that answers “what personal information, where, who has access, which processors” without a meeting. Third, run a tabletop — at least once a year, simulate an incident against the plan and update it based on what breaks. Fourth, align contracts — MSA notification clauses harmonised with the OAIC timeline, and vendor DPAs that carry the same standards down to processors. Fifth, name a decision-maker — a single individual with authority to declare an incident, brief the board and instruct external counsel. The Series A investor’s diligence checklist has an item labelled “cyber incident response plan”; it is worth being able to send one back rather than build one on the plane.

The Bottom Line

The cyber incident response plan is no longer a nice-to-have. Since APP 11.3 came into effect on 11 December 2024 it is an organisational measure the Privacy Act mandates. The OAIC has published, in unusual detail, the components it expects the plan to contain. The Cyber Security Act 2024 has added a 72-hour ransomware payment reporting clock beside the 30-day NDB assessment clock. Founders who put the plan on the same discipline shelf as ASIC lodgments, ATO reporting and cap-table maintenance make it through the next incident with a defensible position. Founders who don’t discover the regime at 4:47am on a Sunday, with three clocks running and no plan on the wall.


Viridian Lawyers advises Australian startups on Privacy Act compliance, cyber incident response planning, APP 11.3 organisational measures and Cyber Security Act 2024 ransomware payment reporting. If your startup is drafting a CIRP, responding to a security incident, or preparing for Series A privacy diligence, get in touch.

Recent Articles

blog-image
Cyber Incident Response Plans: What Australian Startups Are Expected to Have Under OAIC Guidance in 2026

A Brisbane fintech startup — 22 people, Series A closed nine months ago — takes a call at 4:47am on a Sunday from a customer whose CFO has spotted a mailbox rule redirecting invoices to an external …

blog-image
Australian Consumer Law and Your SaaS: When Business Customers Get Non-Excludable Consumer Guarantees

A Sydney B2B SaaS founder signs a $58,000-a-year enterprise contract with a mid-tier logistics group. The Master Services Agreement is the founder’s standard-form paper — twelve pages, drafted …

blog-image
PPSA Registrations for Startups: When Security Interests Must Be Registered on the Personal Property Securities Register

A Sydney hardware startup ships twenty prototype units to an enterprise customer in November on a “paid pilot” arrangement — the customer pays a $2,500 evaluation fee, keeps the units for …