The number of cyber incidents linked to third-party systems used by the New South Wales (NSW) government has more than quadrupled over the past two years, according to figures obtained under the state’s Government Information Public Access (GIPA) Act. In the 2023-24 financial year, there were 17 such incidents, more than double the eight recorded the previous year and over four times the number reported in 2021-22.
The sharp increase has prompted the NSW government to take additional measures to address the growing threats. Cyber Security NSW, the agency responsible for the annual cyber threat report, has adopted a “structured framework” to enable more consistent identification and reporting of incident types involving third-party systems. The Department of Customer Service, which oversees Cyber Security NSW, emphasised the importance of effective third-party risk management, including embedding cybersecurity requirements into contractual agreements and conducting vendor risk assessments.
In response to the escalating third-party-linked cyber incidents, the NSW government has pledged significant investments in Cyber Security NSW, with $87.7 million allocated over the next four years in the latest budget. Additionally, the government has earmarked $15 million from the Digital Restart fund to “reduce extreme cyber security risk” over the same period, underscoring the state’s commitment to bolstering its cybersecurity capabilities.