Cyber contracts not meeting boards' needs: Kaine Mathrick Tech CEO

"Too many still speak the language of IT."

Cybersecurity contracts are not keeping pace with boards' needs, according to Bradley Kaine, CEO of Australian managed service provider Kaine Mathrick Tech.

Bradley Kaine, Kaine Mathrick Tech

Kaine was responding to an invitation from iTnews' sister publication, techpartner.news, to selected firms in its MSP Index directory to share their opinions about what organisations should prioritise when assessing or renewing cybersecurity services.

He pointed to the Cyber Security Act 2024 and the new 72-hour ransomware payment reporting obligation as catalysts for revisiting incident response terms, but cautioned against treating it as a compliance tick-box exercise.

Q. Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts – if so, why, and what is one thing they should focus on now?

Bradley Kaine, Kaine Mathrick Tech: Absolutely, we’re seeing a clear and growing need for organisations across Australia to rethink how they assess cybersecurity within their contracts. The landscape has shifted dramatically, and the stakes are higher than ever.

The Commonwealth’s release of cyber risk model clauses earlier this year is a strong signal. These clauses, developed by the Digital Transformation Agency and supported by AGS [Australian Government Solicitor], are designed to help government buyers manage cyber risks in ICT procurements. They include detailed provisions around cyber insurance, digital security, and data protection, and align with frameworks like the Protective Security Policy Framework (PSPF), Essential Eight, and IRAP assessments.

From a business leadership perspective, the one thing organisations should focus on right now is embedding cyber resilience into every layer of their procurement and vendor management processes. That means:

  • Conducting risk-based assessments of suppliers’ cybersecurity maturity.
  • Ensuring contracts include clear obligations around incident response, data protection, and compliance with Australian standards.
  • Reviewing cyber insurance coverage and exclusions with a critical eye.

The 2023–2030 Australian Cyber Security Strategy reinforces this urgency. It’s not just about compliance anymore, it’s about building trust and resilience in a digital-first economy. With over 94,000 cybercrime incidents reported in the last financial year and increasing regulatory scrutiny, organisations must treat cybersecurity as a boardroom issue, not just an IT one.

Q. Incident response and recovery can make or break a cybersecurity partnership. What’s one contract clause organisations should insist on – particularly with ransomware reporting now in focus?

Bradley Kaine, Kaine Mathrick Tech: Yes, we’re absolutely seeing a shift. The way Australian organisations assess cybersecurity contracts is evolving fast and it needs to. With the Cyber Security Act 2024 now in force and the Ransomware Payment Reporting Rules 2025 active, incident response and recovery aren’t just operational concerns - they’re legal and reputational imperatives.

One clause I believe every organisation should insist on is a “Mandatory Incident Disclosure and Cooperation” clause. This clause should require vendors to:

  • Notify the client within hours of any suspected or confirmed ransomware incident.
  • Disclose all communications with the extorting entity.
  • Provide full cooperation in forensic investigations and government reporting, including compliance with the 72-hour ransomware payment reporting obligation under section 27 of the Act.

This isn’t just about ticking a compliance box. It’s about ensuring your partners are aligned with your values - transparency, accountability, and resilience. Because when a breach happens, the speed and clarity of your response can define your brand’s future.

Q. Are cybersecurity contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?

Bradley Kaine, Kaine Mathrick Tech: There’s no question, cybersecurity contracts are overdue for a rethink. Too many still speak the language of IT, when they should be speaking the language of risk, resilience, and governance.

Boards today are under increasing pressure - not just from regulators like ASIC, but from shareholders, insurers, and the public to demonstrate cyber literacy and active oversight. Under the Corporations Act 2001, directors have a duty to act with care and diligence, and that now includes ensuring the organisation is cyber resilient. If a breach occurs and the board hasn’t asked the right questions or demanded the right assurances, they could be personally liable.

So, are contracts keeping pace? In many cases, no.

They’re still too focused on technical controls and not enough on reporting, accountability, and strategic alignment. That’s a gap we need to close.

One clause I believe every board should insist on is a “Board-Level Cyber Risk Reporting and Assurance” clause. This clause should:

  • Require vendors to provide regular, board-ready reports on cyber posture, incidents, and risk mitigation.
  • Mandate alignment with frameworks like the ACSC’s Essential Eight and the Security of Critical Infrastructure Act (SOCI).
  • Include provisions for third-party audits and incident simulations to validate resilience.

Cybersecurity is no longer just a technical issue - it’s a strategic enabler. It’s about protecting trust, reputation, and shareholder value.

Bradley Kaine is responsible for the strategic direction, profitability, growth and development of the leadership team at Kaine Mathrick Tech, an Australian managed service provider.

See the directory of managed service providers (MSP) at techpartner.news.

Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.
