When did you last test your incident response plan? BlackFlag Advisory identifies breach readiness gaps before an incident forces the question.

Request an Assessment →

Have You Tested Your Breach Response?
Most Australian Organisations Haven't.

Most Australian organisations have an incident response plan. Fewer have tested it. Almost none have tested it under conditions that remotely resemble an actual breach. The gap between having a plan and having a plan that works is not a minor administrative distinction. It is the difference between an organisation that manages an incident and an organisation that is managed by one.

The IBM Cost of a Data Breach Report 2024 found that organisations with tested incident response plans reduced their breach costs by an average of $1.49 million compared to those without. The OAIC's Notifiable Data Breaches Report 2024 recorded 1,113 breaches reported in Australia during the year, a record high. At that rate, a significant cyber incident is a question of when, not if, for most Australian organisations. Whether that incident becomes a controlled event or a reputational and financial catastrophe depends substantially on whether the response was practised before the incident occurred.

What You Need to Understand

  • The Notifiable Data Breaches scheme requires an organisation that suspects an eligible data breach to complete its assessment within 30 days, and to notify the OAIC and affected individuals as soon as practicable once it concludes an eligible breach has occurred. Untested organisations routinely fail both timelines
  • Cyber insurers are increasingly declining or reducing claims where organisations cannot demonstrate that documented incident response procedures were followed
  • The 2022 Privacy Act amendments raised maximum civil penalties substantially, and the 2024 amendments added a tiered penalty regime and infringement notices that make enforcement against lesser contraventions, including notification failures, far more practicable
  • IBM research consistently finds that organisations with a tested incident response plan contain breaches faster and at significantly lower cost
  • The decisions made in the first 72 hours of an incident shape much of the total breach cost, and untested organisations spend those hours making decisions for the first time under maximum pressure

What the Notifiable Data Breaches Scheme Actually Requires

The Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the OAIC and affected individuals of an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual concerned, and that remedial action has not prevented. Where an entity suspects that an eligible data breach may have occurred, it must assess that suspicion expeditiously, and in any case within 30 days of becoming aware of the grounds for suspicion. Once it has reasonable grounds to believe an eligible breach has occurred, it must notify the OAIC and affected individuals as soon as practicable.

These timelines are not aspirational. They are legal obligations. Maximum penalties under the Act were raised substantially in 2022, and the 2024 amendments added lower penalty tiers and infringement notices so that the OAIC no longer needs to prove a "serious" interference with privacy to take enforcement action. An organisation that takes 45 days to notify because its internal processes were unclear, because it could not determine who was responsible for notification, or because it did not know how to assess whether the breach met the threshold, is not in a sympathetic position with the regulator. The OAIC has made clear that organisations are expected to have processes in place that make timely notification achievable. Source: OAIC, Guide to the Notifiable Data Breaches scheme, updated 2024.

The Anatomy of an Untested Response

The pattern of failure in untested incident response is consistent across organisations of every size. It does not begin with a catastrophic decision. It begins with a delay. Someone identifies a possible incident but is uncertain whether it is serious enough to escalate. By the time it reaches a person with authority to act, hours have passed. By the time external advisors are engaged, a day has passed. By the time the Board is informed, the breach has been propagating for 48 hours and the 30-day assessment clock has been running for two of them.

0h, Detection. Incident detected; escalation path unclear.
A staff member notices an anomaly. They are unsure who to contact. The incident response plan, if it exists, is not accessible or not known to them. Informal escalation begins.

6h, Escalation. IT notified; scope unknown, containment delayed.
IT is informed but lacks the tools or authority to determine scope. External forensic support is considered but not yet engaged. Containment actions are inconsistent.

24h, Assessment. Senior management informed; legal and regulatory obligations not yet assessed.
Leadership is now involved but no one has assessed whether the NDB threshold is met. Legal counsel has not been briefed. The 30-day assessment clock is running.

72h, Crisis. Board informed; media, clients and regulators now driving the timeline.
External pressure has overtaken internal process. Every decision from here is reactive. The cost of the incident is being determined by the hours lost, not by the breach itself.

What a Tested Response Looks Like

An organisation with a tested incident response plan does not eliminate breaches. It eliminates the delay and confusion that turns a manageable incident into an unmanageable one. The specific differences are structural. Detection triggers a known escalation path, not an informal one. Containment actions are pre-approved and can begin within hours. The NDB assessment is completed by someone who has done it before, not for the first time under pressure. Legal counsel, external forensic support, and Board notification happen in the right order, at the right time, because that order has been rehearsed.

The ASD recommends that incident response plans be exercised at least annually through tabletop exercises: structured simulations in which key personnel work through a realistic breach scenario and identify gaps in the plan before those gaps become consequential. The ACSC's Cyber Incident Response Plan guidance, updated 2024, provides a framework for these exercises. Many Australian organisations have never conducted one.

The Insurance Dimension

Cyber insurers are paying increasing attention to incident response readiness as a coverage condition. Claims are being declined or reduced where organisations cannot demonstrate that documented response procedures were followed during a breach. An organisation that holds a cyber insurance policy but has no tested incident response plan is in a precarious position: the policy exists to cover a scenario for which the organisation is structurally unprepared, and the insurer knows it. Source: Australian Prudential Regulation Authority (APRA), Cyber Insurance Market Review, 2024.

The 30-Day Clock

Under the NDB scheme, once an organisation becomes aware of reasonable grounds to suspect an eligible data breach, it has at most 30 days to complete its assessment; if that assessment confirms an eligible breach, notification must follow as soon as practicable. "Becomes aware" is interpreted broadly. It includes the point at which a reasonable person in the organisation's position would have become aware, not just the point of formal acknowledgement. An organisation that delays internal escalation by 48 hours has lost 48 hours of its 30-day window before a single external action has been taken. Tested incident response plans are designed to compress that window dramatically.

The Practical Test: Three Questions Your Board Should Answer

The readiness of an organisation's incident response can be assessed quickly by asking three questions of its leadership. First: who is the first person contacted when a possible breach is identified, and does every staff member know that? Second: within what timeframe does the organisation commit to completing its NDB eligibility assessment, and has that timeframe ever been tested? Third: who has authority to notify the OAIC on the organisation's behalf, and does that person know they have that authority?

Organisations that cannot answer all three questions without uncertainty have an incident response gap. The answer to closing that gap is not a longer document. It is a tested plan — with named individuals, clear timelines, and a record of having been rehearsed. That record is also what demonstrates due diligence to a regulator or an insurer when the question is asked after an incident has occurred.

External Assessment as Preparedness Evidence

A BlackFlag Advisory GRC assessment does not replace an incident response tabletop exercise. What it provides is an externally evidenced picture of your current security posture: the gaps that exist before an incident, the credential exposures already in the public domain, the technology vulnerabilities currently known to threat actors, and the compliance gaps that would become regulatory issues in the event of a breach. That picture is the starting point for meaningful incident response preparation. It is also the kind of documented due diligence that matters when a regulator or insurer is reviewing what an organisation knew and when it knew it.

Know Your Exposure
Before an Incident Does.

A BlackFlag Advisory assessment surfaces the credential exposures, vulnerabilities and compliance gaps that create breach risk, giving your Board the evidence it needs to act before an incident forces the question.

Request an Assessment →
Breach Intelligence Included

Every BlackFlag Advisory GRC assessment includes a credential breach exposure check against public breach databases, CVE cross-referencing of your confirmed technology stack, and a compliance gap analysis mapped to Australian Privacy Act notification obligations. Fixed price. Delivered within five to seven business days. No systems accessed.