
Cyber incident — first 24 hours checklist (AU)

The first 24 hours of a cyber incident shape every legal, regulatory, and commercial outcome that follows. This checklist covers the 12 steps to protect the organisation's privilege, preserve evidence, and meet early notification obligations.

In short

This is a 12-step checklist for the first 24 hours of a cyber incident in Australia. It covers triage, legal privilege scaffolding, forensic engagement, regulator notifications (OAIC, ASIC, ACSC), continuous disclosure, and evidence preservation. Use it from the moment an incident is confirmed.


The checklist

1. Confirm the incident and convene crisis team

Confirm a genuine incident (not a false positive). Convene the crisis team within the first hour.

2. Scaffold legal privilege

Engage external counsel immediately and direct forensics under counsel's instruction to preserve privilege over investigation materials.

3. Engage forensic provider

Engage a pre-MSA'd forensic provider to preserve volatile evidence and begin containment.

4. Containment without destruction of evidence

Segment networks, revoke credentials, reset privileged accounts — but preserve evidence for forensics and any future criminal prosecution.

5. Preserve logs and system images

Preserve SIEM logs, endpoint telemetry, email/Teams logs, and full system images of affected hosts.
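Steps 4 and 5 both turn on being able to show later that preserved artefacts were not altered by containment actions. The following is an added example, not part of this checklist or of Quillio's tooling: a small chain-of-custody manifest that records a SHA-256 hash, size and UTC collection time for each preserved artefact and re-verifies them on demand. File names, the matter reference and the sample log line are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical helper (not from the page): hash, record and later re-verify
# preserved artefacts so the evidence log can show they are unchanged.

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector, matter_ref):
    """Record hash, size and UTC collection time for each artefact."""
    return {
        "matter": matter_ref,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "artefacts": [
            {"path": p, "sha256": sha256_file(p), "bytes": os.path.getsize(p)}
            for p in paths
        ],
    }

def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest (or are missing)."""
    return [a["path"] for a in manifest["artefacts"]
            if not os.path.exists(a["path"]) or sha256_file(a["path"]) != a["sha256"]]

def demo():
    """Constructed run: two sample artefacts stand in for a SIEM export and a host image."""
    d = tempfile.mkdtemp()
    siem = os.path.join(d, "siem_export.log")
    image = os.path.join(d, "host01.img")
    with open(siem, "w") as f:
        f.write("2024-05-01T02:13:07Z auth failure user=svc_backup src=10.0.0.5\n")  # constructed
    with open(image, "wb") as f:
        f.write(os.urandom(4096))  # constructed stand-in for an image file
    manifest = build_manifest([siem, image], "IR analyst (constructed)", "MATTER-PLACEHOLDER")
    ok_before = verify_manifest(manifest) == []
    # Simulate an artefact altered after collection, e.g. by a later containment action.
    with open(siem, "a") as f:
        f.write("appended after collection\n")
    return ok_before, verify_manifest(manifest), json.dumps(manifest, indent=2)
```

The manifest JSON is what goes into the privileged evidence log; re-running `verify_manifest` at hand-over to counsel or a forensic provider shows which artefacts still match.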

6. ASD/ACSC notification

For eligible incidents, notify the Australian Signals Directorate/ACSC. For critical infrastructure, apply the 12-hour critical cyber incident notification.

Security of Critical Infrastructure Act 2018 (Cth) s 30BC

7. Continuous disclosure assessment (listed entities)

For ASX-listed entities, assess whether the incident is market-sensitive and whether a trading halt is required.

Corporations Act 2001 (Cth) s 674

8. Prepare for NDB assessment clock

Start the 30-day NDB assessment clock; document the assessment process from the outset.

Privacy Act 1988 (Cth) s 26WH

9. Ransom / threat actor communications

Do not engage directly with a threat actor without counsel. Consider sanctions screening (no payment to sanctioned entities).

10. Internal communications discipline

Limit internal communications about the incident; mark them legally privileged. Avoid speculation that will appear in discovery.

11. Customer / counterparty notifications

Assess contractual cyber notification obligations (B2B customers, processors, government contracts).

12. Board and insurer notification

Notify the board and cyber insurer. Early insurer notification usually unlocks panel providers and may be a policy condition.

When to use

When this checklist applies

Use this checklist from the moment an incident is confirmed — not when the crisis team first meets. Cyber incidents routinely have a 48–72 hour window before major decisions must be made.

Common pitfalls

  • Forensics engaged directly by IT — privilege not protected
  • Internal emails speculating on root cause — discoverable later
  • Critical infrastructure entities missing the 12-hour notification
  • Listed entity not running continuous disclosure analysis early
  • Ransom payment without sanctions screening

Use with Quillio

Run this checklist on a real matter

Quillio runs the first-24-hour playbook under privilege, drafts regulator notifications, and generates a privileged evidence log. See /practice-areas/commercial-lawyers or start a free trial.

Cyber incidents are high-risk. This checklist supports early decision-making — engage external counsel, forensics, and insurers immediately.
