Insights

Insight What the Australian Clinical Labs privacy case means for cyber governance and M&A risk

The Federal Court’s $5.8M ACL decision signals a new era for privacy, cybersecurity, and governance in Australia. It reinforces that privacy and cyber obligations start Day 1 of any acquisition, governance failures will be scrutinised, and accountability cannot be outsourced. Boards must ensure robust oversight, deep cyber due diligence, and forensic incident response. With OAIC escalating regulatory enforcement, organisations face heightened legal, financial, and reputational risks.

| 5 min read | 10 Nov 2025

Client Alert Learnings from CPS 234 as you adopt CPS 230

As the CPS 234 Information Security tripartite review program nears its end in June 2024, APRA-regulated entities face a critical moment. The upcoming CPS 230 Operational Risk Management implementation is closely linked to CPS 234, requiring preparation from regulated entities and service providers.

| 5 min read | 16 May 2024

Insight Updates to Australia's Essential Eight Maturity Model: What Organisations Need to Know

The Australian Cyber Security Centre (ACSC) released an update to the E8MM in November 2023 with several changes to the framework of controls previously recommended. These changes will require organisations who benchmark themselves against the E8 to reassess their existing cybersecurity strategies and control practices to determine if they remain in alignment with the new requirements.

| 5 min read | 27 Feb 2024

Client Alert APRA releases learnings from Data Risk Management pilot study

In a complex operating environment, the Australian Prudential Regulation Authority (APRA) is encouraging regulated entities to prioritise quality data as a valuable asset. APRA's growing emphasis on data risk management, evident in regulatory guidance such as CPG 235, CPS 234, and CPS 230, underscores the vital role of quality data for entities under its regulation. Despite progress revealed in APRA's 100 Critical Risk Data Elements Pilot study, a significant gap persists between current and optimal data risk management practices, with potential consequences including reputational damage and financial loss.

| 4 min read | 08 Dec 2023

Insight Three potential scams to be aware of as we head into tax time

June 30 is fast approaching, and with it comes tax scammers, the escalating cost of living means their activity is on the rise, we outline some scams for you to be aware of.

| 4 min read | 19 Jun 2023

Insight Privacy Act Review: What you need to know

You may not know it, but your privacy related risk exposure changed overnight. Now more than ever, businesses cannot afford to be complacent about privacy compliance.

| 5 min read | 24 May 2023

Client Alert Critical Infrastructure Risk Management Program Rules now apply

The Security of Critical Infrastructure Risk Management Program Rules (CIRMP) commenced on 17 February 2023 and was signed off by The Minister for Home Affairs the Hon Clare O’Neil MP (the Minister). This marks the beginning of the six-month transition period for responsible entities to adopt a written CIRMP.

| 5 min read | 29 Mar 2023

Client Alert New privacy laws - tougher penalties and more enforcement

The Australian Federal Government has passed major changes to the Privacy Act 1988 (Cth) in the form of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. These changes signal a call to action for organisations to review their privacy, security, and information handling practices.

| 4 min read | 08 Dec 2022

Insight Three simple questions every board should ask about cyber security

With recent news of significant data breaches at major corporations, there are a number of questions being asked from Boardrooms to kitchen tables all across Australia. Some common questions include, what went wrong? Are we at risk? And how can we protect ourselves from similar events in the future?

| 5 min read | 30 Nov 2022

Insight Operational Risk Management: APRA’s CPS 230 key areas of focus

One of the most common ways of managing operational risk is through a system of effective internal controls. Control failures however can lead to events as varied as mis-selling, data breaches and underpayments – as such in APRA's Prudential Standard CPS 230 they have strengthened the focus on operational risk management. In this second series of our CPS 230 technical guides we provide an overview of some necessary elements to achieve strong operational risk management and why it is the foundation of operational resilience.

| 8 min read | 10 Nov 2022

Insight Operational resilience and data breaches

As we watch the ramifications of the recent widespread data breach continue to play out in the media and on the floor of Federal Parliament, I keep reflecting on the requirements of APRA Prudential Standards CPS 234: Information Security and the draft Prudential Standard CPS 230: Operational Risk Management. If ever there was any doubt in the minds of Boards or Management as to why the focus on cyber security and operational resilience, then the current situation brings this into stark focus.

| 5 min read | 12 Oct 2022

Insight Operational Resilience: APRA’s CPS 230 key areas of focus

APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector specific standards HPS 231, SPS 231 and SPS 232. What is operational resilience? Operational risk management analyses and defines risks associated with people, processes, and systems. Operational resilience defines the approach to managing operational risks.

| 6 min read | 27 Sep 2022

Services

Audit & Assurance

Tax

Risk

Forensics

Deals

Finance and funding

Insolvency

Restructuring and turnaround

Business services

Environmental, Social and Governance (ESG) and Sustainability

Consulting

Market services

Industries

Careers

Working at Grant Thornton

Early careers

Experienced careers

Alumni

Current opportunities

About us

Connect

About

Legal

Market services

Our latest insights