Porter Novelli has partnered with Hall & Wilcox and Quantum Market Research on a new national study, 'Beyond the Breach - Aligning Consumer and Business Expectations in Cyber Incident Response'. The study revealed a widening disconnect between the way Australian consumers expect organisations to respond to a data breach, and what business leaders believe is enough.

Cyber incidents have been a growing issue for Australian business leaders and consumers, with over 1100 reported breaches in 2024 alone, the highest annual total, since the notifiable data breaches (NDB) scheme began in 2018, representing a 25 per cent increase from 893 notifications in 2023.

The research aims to provide insights into two key areas to help business leaders understand what consumers expect during a cyber incident, and how to more effectively support individuals impacted by a cyber incident:

• How consumer expectations have evolved over the past two years regarding the way organisations behave when they have suffered a cyber incident.
• The disconnects between consumer expectations and business leaders' views on what their obligations and priorities should be during a cyber incident.

Privacy has never been more important to consumers
Australians revealed that privacy trumps convenience, with 75 per cent saying that they care more about the privacy of their data than benefiting from the convenience of online technology.

58 per cent of respondents reported they are more concerned about the security of their personal information online than they were five years ago, which had been fuelled by scandals like Cambridge Analytica, data breaches, and unease over AI's lofty promises.

Consumers are also sceptical that institutions can protect them from hackers, with only 40 per cent agreeing that organisations can securely protect their personal information, and just 20 per cent believing that organisations are actually doing enough to protect that information. This has decreased significantly from two years ago, when 64 per cent of Australians believed organisations could securely protect their information, and 41 per cent thought organisations were doing enough.

Trauma from previous cybersecurity incidents has continued to drive feelings of helplessness, which led to 48 per cent of consumers reporting that they are taking measures to protect their own personal information online.

Financial data tops consumers’ and business leaders’ concerns in cyber incident
The study found that 47 per cent of consumers were more concerned about losing banking details than their ID or health information. Business leaders attested to this, with 62 per cent agreeing that their customers are most concerned about their financial information.

The report suggested that this concern is warranted, as the Office of the Australian Information Commissioner (OAIC), indicated that the financial sector ranked among the top three industries to report the most notifiable breaches in 2024.

Australians remain distressed, even as concern about cybercrime fluctuates
Concern about cybercrime peaked in 2023, with 74 per cent expressing significant concern, before dropping to 51 per cent by June 2025. However, the emotional toll of a cyber incident remains unchanged, with 45 per cent of Australians who experienced a data breach reporting emotional distress in 2025, consistent with 48 per cent in 2023.

The study highlighted that levels of concern vary, and is reactive to high-profile breaches, media coverage and political agendas.

Consumers demand faster speed of information
The report found that 46 per cent of those affected by cyber incidents felt they received information quickly enough. While 31 per cent of consumers prioritise timeliness, 28 per cent of business leaders believe that the speed of resolution is just as important as transparent communication.

However, the report noted that expectations around speed differ across stakeholders and organisations. Larger brands or those operating in critical infrastructure sectors tend to face higher demands for rapid and transparent communication when incidents occur.

Organisations are not doing enough to protect customer trust
Respondents revealed that organisations needed to support their customers, members, employees, or donors more effectively following a cybersecurity incident.

Business leaders surveyed were unanimous in their view that their customers expect their organisation to provide transparent information in a cyber incident, yet only 50 per cent agreed business leaders should go beyond basic legal requirements. Organisations that do the bare minimum following a cyber incident are only trusted by two per cent of Australians.

For organisations that acted quickly to provide clear, transparent information and guidance to help consumers protect themselves, there were improved results in trust and reputation, with 25 per cent saying they would purchase from the organisation again, 23 per cent saying they would recommend the organisation to others, and 23 per cent would trust the organisation. In 2023, a higher percentage of consumers said they would re-engage with the organisation involved, which indicates that organisational response to cybersecurity incidents is eroding customer trust over time.

It was reported that 33 per cent of Australians are frustrated by the lack of timely information that was provided to them when they were impacted by a cyber incident over the past 12 months. This was followed by 27 per cent reporting the organisation didn't provide guidance on how they could protect themselves.

What can business leaders do?
The report suggested some key actions business leaders can take to build customer trust in the event of a cybersecurity incident:

1. Communicate faster and smarter, in line with their stakeholders' expectations.
2. Go beyond legal requirements with transparency.
3. Prioritise empathy.

Read the full report here.