EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
-
Learn more about how organisations are accelerating transformation and strengthening cybersecurity at the same time.
Read more
The Australian Securities and Investments Commission (ASIC) has issued an unambiguous message to the market: “Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.”
Regulators are now looking for demonstrable, sustained capability – not isolated tools, platforms or dashboards, but systems and end-to-end processes that work together.
While there are ‘only’ four enhanced cyber requirements (and none of them are small), meeting them demands a step change in control maturity, and a fundamental rethink of how IT and operational technology environments are separated.
At the centre of this sits the Critical Infrastructure Risk Management Program (CIRMP). In plain terms, a CIRMP is a board-approved plan that sets out how an organisation identifies and manages its most material risks, including cyber. It must be reviewed at least annually, signed off by the CEO and submitted to government.
Cybersecurity, operational resilience and executive oversight are now bound together in a single, accountable framework.
Here’s what’s striking to me: The Department of Home Affairs has consulted with cyber and risk teams, but responsibility now sits with CEOs and CFOs. Investment decisions, governance trade-offs and annual attestations land at the top.
This means cyber specialists can no longer optimise controls in isolation; they must work with their colleagues to assess, communicate and agree to the trade-offs between protection, usability and business impact.