Shared cyber accountability still a common "pain point", says Slipstream Cyber security director

Shared accountability model often “de-prioritised”, according to Steve MacDonald.

With recent changes to Australian cybersecurity regulations, iTnews' sister publication techpartner.news invited cybersecurity firms to put forward spokespeople to share their opinions about what organisations in Australia should prioritise when assessing or renewing cybersecurity services. 


Steve MacDonald, director, cyber security practice at Slipstream Cyber Security, provided the following views. Among the concerns he flagged was the failure by organisations to prioritise clarity about shared accountability with cybersecurity partners. 

Q: Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts – if so, why, and what is one thing they should focus on now? 

Steve MacDonald, Slipstream Cyber Security: Yes, we’re seeing a growing need for organisations to reassess how they approach cybersecurity contracts. As broader IT services are delivered secure by design, with cyber security embedded deeply, organisations need to be vigilant in identifying the cyber components to ensure they can meet the business expectations around contracting. This should include a clear shared accountability model, so both parties have a clear understanding of what is expected of them, and of each other. This is a step that is often de-prioritised and is a common pain point.

Q: Are you currently seeing a common cybersecurity contract blind spot or red flag you think is being missed too often?   

Steve MacDonald: Ensuring clarity of where and how AI is used to help deliver managed cyber outcomes is critical. The key focus needs to be around ensuring sensitive customer information is protected, not just from unauthorised access when at rest or in motion, but from intentional or non-intentional use in AI model training. 

This needs to be considered throughout the service lifecycle, where use of AI may not be present at signing, but introduced as part of service improvement or optimisation.  

Q: With CPS 230 and other regulatory pressure on third-party risk, are you seeing any knock-on effects for cybersecurity agreements? 

Steve MacDonald, Slipstream Cyber Security: While the underlying focus on overall operational risk management hasn't changed specifically, we have seen additional clarity and call-outs to and around CPS 230, which is helping to align contract intent and required outcomes. This results in a stronger contracting position on topics covered in CPS 230, as a result of better mutual understanding from the start, with the very welcome result of accelerating the contracting process.

Q: Incident response and recovery can make or break a cybersecurity partnership. What’s one contract clause organisations should insist on – particularly with ransomware reporting now in focus?

Steve MacDonald, Slipstream Cyber Security: Critical to any partnership around incident preparation, response and recovery is ensuring that the terms of such a contract give you enough time and insight to meet your mandatory reporting obligations. Key to this is a known and well-rehearsed plan, where key milestone timings, required artefacts and quality targets are agreed and included within the contracted terms.

Q: Are cyber insurance requirements reshaping what goes into contracts – and if so, what should clients be watching for? 

Steve MacDonald, Slipstream Cyber Security: Yes, we are finding that cyber insurance requirements are reshaping what goes into contracts. One area that is often misunderstood is where the insurer will mandate a specific cyber incident response partner to assist with incident response and recovery, rather than an organisation working with its own vetted, onboarded and trusted suppliers.

If not accounted for from a cyber security incident response preparedness and contractual point of view, the need to rapidly integrate new service providers can dramatically limit the velocity of the initial analysis, containment and eradication phases.

Careful consideration must also be given within your third-party partnerships and supply chain to understand where other insurance companies and incident response partners may need to be involved should a cyber security incident arise outside of your organisation.

In both first-party and third-party situations, contracted terms must make allowance for this, so as to ensure that in the event of an incident, valuable time is not lost working through amendments or new agreements.

Slipstream Cyber Security operates a sovereign, 24×7 Security Operations Centre, delivering cyber threat detection and response services to customers across Australia and internationally. Its Incident Response practice is trusted by global leaders in cyber insurance and delivers dozens of cyber-attack investigations every month – for insurance claims and its own clients. Supporting its Active Defence and Incident Response practices is a team of cyber risk consultants and a technical assurance team. They provide support across detection, response, recovery and risk mitigation. 

Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.
