NZ Incident Response Bulletin – February 2026

When the Dust Settles: What Inquiries Reveal About Cyber Readiness

Incident preparation is often framed as a technical exercise: build playbooks, buy tooling, run a tabletop, hope for the best. But when you read the output of an inquiry or the reasoning in a prosecution, a different picture emerges. The question is rarely “did you have a plan”. It is “was your organisation governing cyber risk in a way that made the incident less likely, less severe, and handled in a way that limited harm once things went wrong”.

That is why inquiries like the review into the Manage My Health (MMH) incident, and prosecutions such as the Australian Clinical Labs (ACL) case, matter as preparation inputs. They show what gets attention when scrutiny is applied. Not in the abstract, but in the lived reality of a breach: competing priorities, imperfect information, and decisions made under pressure.

A consistent lesson is that post-incident scrutiny does not stop at the point of compromise. Reviewers and regulators look backward and forward. Backward, to understand whether risk was being actively identified and reduced. Forward, to assess whether response decisions were made quickly, coordinated properly, and communicated in a way that supported those affected. The MMH inquiry framing reinforces that the scope is bigger than the vulnerability itself. It includes whether protections were adequate, whether known issues were acted on, how well response processes worked, and what that means for similar services across the sector. The ACL case, in turn, underscores that “reasonable steps” is assessed objectively and that response obligations can be viewed separately from the underlying security failure.

For governance teams, that shift in emphasis is important. It means your preparation cannot be limited to incident response mechanics. You need to be able to demonstrate that governance was functioning before the incident, and that it supported timely, defensible decisions during it.

In practice, this comes down to evidence. After a serious incident, it is common for organisations to talk about what they “intended” to do, what they “normally” do, or what they were “about to” implement. That rarely lands well. The more persuasive story is the one you can prove: how risks were assessed, how controls were selected, how assurance was performed, and how findings were tracked through to completion or formally accepted. Inquiries like MMH draw attention to whether audit or security warnings were acted upon. Courts and regulators, as in ACL, look for tangible indicators that security steps were appropriate for the sensitivity of the information and the threat environment.

The second theme is speed and structure once suspicion arises. A lot of organisations invest heavily in detection and containment, but underinvest in the governance mechanics that follow. Who decides whether an event is likely to create serious harm? What triggers external notification? How are legal, privacy and communications functions brought in without slowing down the technical response? Which decisions must be documented and by whom? ACL is a useful reminder that delays or confusion around assessment and notification can become part of the core issue, not a side note. The message for preparation is simple: treat the “assessment to notification” pathway as a governed process, not an improvised meeting.

There is also a sector-wide angle that comes through strongly in inquiries. When services are integrated, when data moves between systems, and when platforms are shared, a single incident quickly becomes a question about wider exposure. That kind of review lens makes organisations ask a better preparation question: “If this happened to us, would we know where else the same weakness might exist, and could we check quickly”. That requires more than good intentions. It requires up-to-date system visibility, clear ownership across integrated environments, and a repeatable method for validating controls across similar assets.

Perhaps the most useful way to think about all this is to treat incident preparation as governance readiness. Could you confidently brief your board with a clear account of what you knew, when you knew it, what you decided, and why? Could you show how cyber risk is reported and managed, how exceptions are approved, how assurance is performed, and how you confirm that security improvements actually stick? Could you demonstrate that your organisation’s “reasonable steps” are aligned to the nature of your data, your operating context, and the reality of modern threats?

If you can, you are not just prepared to respond to an incident. You are prepared for what follows it. And that is increasingly the standard that matters.

If you want to harden that governance posture after an incident (or a major exercise), our Cyber Post-Incident Review service is designed to turn response activity into measurable resilience. We help reconstruct a defensible timeline, identify root causes (not just symptoms), assess what worked and what failed across technical and business response, and translate findings into actionable recommendations that leadership can track through to completion.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.