Australian and New Zealand companies are bouncing back from cyberattacks nearly three weeks faster than they did a year ago, according to a new survey commissioned by U.S. data-protection vendor Commvault and published by Reuters. The poll of 408 IT leaders found the typical recovery window has shrunk to 28 days, down from 45 days in 2024. The improvement follows a cascade of regulatory crackdowns after the 2022 Optus and Medibank breaches, which exposed the records of millions and put board directors on notice. For context, top US healthcare orgs recover in approximately 14 days. (IBM DBIR 2024)

The region still lags the global average of 24 days, and the study suggests speed alone is not the same as resilience:
- Only 30 % of respondents believe their organisation can “respond effectively” to a major incident.
- 12 % have no formal response plan.
- Over 50 % lack full visibility into where data is stored or how critical systems connect.
“Faster recovery shows awareness is up, but the visibility gap means many firms are still flying blind,” said Martin Creighan, Asia-Pacific vice-president at Commvault. “Regulators are driving urgency, yet true readiness demands deeper operational insight.”
The Regulatory Catalyst
The Cybersecurity Act 2024, passed in December, codifies 72-hour ransomware payment reporting and heftier penalties for lax controls. The law complements 2023 amendments that made breach disclosure mandatory and empowered the Australian Securities and Investments Commission (ASIC) to probe board-level cyber oversight.
Those reforms appear to be nudging key metrics in the right direction. Australia’s national cybercrime agency says the self-reported average cost of an incident fell 8 % year-on-year, with a double-digit drop among large enterprises.
Boards Step into the War Room
Governance experts say tougher rules have shifted the conversation from IT backrooms to the board table. “Directors are now personally liable for inadequate cyber controls, so they’re demanding clearer metrics,” noted Fiona Maher, a fellow at the Australian Institute of Company Directors, pointing to new guidance urging boards to treat cyber resilience like financial risk.
Centraleyes, an AI-powered risk-management platform with customers in the Asia-Pacific region, reports a similar trend. “Our Australian clients want near-real-time dashboards that translate technical ‘mean-time-to-recover’ into plain-English business impact,” said the company’s regional advisor, adding that board-friendly scoring accelerates funding for tabletop exercises and immutable backups. (Centraleyes is not affiliated with the Commvault study.)
Why the Visibility Gap Persists
Analysts point to three sticking points:
- Shadow IT and SaaS sprawl make it hard to map data flows.
- Supply-chain complexity—a lesson from Medibank’s 2022 breach—introduces new blind spots regulators now expect boards to audit.
- Talent shortages hamper sustained incident-response readiness despite growing budgets.
The Road Ahead
With Canberra’s 2023-2030 Cyber Security Strategy promising “world-leading” resilience by the end of the decade, observers expect more reporting rules and possible cyber-insurance mandates. Platforms that can surface asset maps, scenario test results, and regulatory gaps in one place are likely to gain favour, though, as Maher warns, “no dashboard replaces disciplined practice.”
For now, the 17-day improvement offers a rare bright spot in an otherwise bruising threat landscape. Whether Australia can close the final four-day gap with the rest of the world may hinge on its ability to turn heightened awareness into full-spectrum visibility before the next headline breach prompts the board to return to the war room.