Cyber incidents linked to third-party systems used by the NSW government have more than quadrupled over the past two years, figures obtained by iTnews reveal.
In financial year 2023-24, there were 17 cyber incidents involving third-party systems across the state government and agencies, more than double the eight recorded the previous year and over four times the number of incidents reported in FY2021-22.
The figures, obtained under NSW’s Government Information Public Access Act (GIPA), follow the release of Cyber Security NSW’s third annual cyber threat report in November 2024.
According to the GIPA notification, Cyber Security NSW only began collecting and reporting incident data in 2021, after adopting a “structured framework” that enabled more consistent identification of incident types, including those involving third-party systems.
Since then, the agency has compiled this data into an annual threat report, which remains accessible only to state government agencies.
A public blog post summarising the November 2024 report claimed that “the number of incidents from systems owned or managed by a third party almost tripled” in FY2024, although this figure also includes incidents involving local councils.
When asked for a breakdown of the numbers, the Department of Customer Service (DCS), which oversees Cyber Security NSW, directed iTnews to lodge a GIPA request.
In response to the newly released figures, a spokesperson for DCS said: “The NSW Cyber Security Policy and its associated guidance require NSW government agencies to effectively manage cyber security risks related to third-party service providers.
“This includes implementing key measures such as embedding cyber security requirements into contractual agreements and conducting vendor risk assessments to evaluate and mitigate potential threats.”
In total, according to the blog post, Cyber Security NSW responded to over 200 cyber incidents in FY24.
Meanwhile, in its latest budget, the state government pledged $87.7 million to Cyber Security NSW over four years, building on the $20.3 million invested last year.
The last budget also included $15 million from the Digital Restart fund to "reduce extreme cyber security risk" over the next four years.