Australian Federal Budget 2026-27: Cyber investment rises – expectations rise faster

What the Budget signals

The Federal Budget continues sustained investment in national cyber resilience, including a $160.4 million Cyber Security Uplift for Services Australia and $654.3 million over four years to maintain the security of the Australian Government Digital ID System.^[1]

Cyber risk is increasingly positioned as a threat to economic stability and service delivery — not merely a technical vulnerability. Treasurer Jim Chalmers’ framing of the Budget around “resilience and reform” — against a backdrop of geopolitical volatility and what he described as the fifth major economic shock in under 20 years, situates cyber resilience squarely within the national economic security agenda.^[2]

Protiviti perspective

Cyber security has firmly moved beyond the IT function. It is now a core enterprise risk that boards and executives are expected to actively govern and oversee. Organisations should consider the following questions:

• Do boards have clear visibility of cyber risk exposure and tolerance?
• Are accountabilities for cyber decision-making clearly defined across the executive suite?
• Is cyber risk embedded within enterprise risk frameworks — or operating in isolation?

What the Budget signals

Government investment in cyber capability is accompanied by rising expectations that agencies and organisations can demonstrate cyber resilience, not simply assert compliance.¹ The Budget commits $89.3 million over four years to sustain and enhance cyber security initiatives across the Commonwealth, alongside the $160.4 million Services Australia uplift, recurring investments that signal ongoing scrutiny rather than a one-off injection.^[3]

Protiviti perspective

Increased funding does not reduce scrutiny, it intensifies it. Stakeholders, regulators and audit bodies will expect evidence that cyber controls are effective, operating as intended and delivering outcomes. Organisations should consider the following questions:

• Can leadership rely on reported cyber risk metrics?
• Are controls independently validated or self assessed?
• Is cyber maturity being measured meaningfully, beyond checklist compliance?

What the Budget signals

The Cyber Security Act 2024 introduced mandatory ransomware payment reporting, which commenced on 30 May 2025. Entities with annual turnover of $3 million or more, and responsible entities for critical infrastructure assets to which Part 2B of the SOCI Act applies, must report any ransomware or cyber extortion payment — whether made by the entity or on its behalf — to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of the payment being made (or of becoming aware that a payment has been made). The Act also established the Cyber Incident Review Board. 

The 2024 SOCI Act amendments clarified that risk management obligations extend to data storage systems holding businesscritical data. Continued Budget investment in regulatory capability reinforces that these obligations will be actively enforced.^[4]

Protiviti perspective

The direction of travel is clear: Organisations will need to explain not just what occurred in a cyber incident, but whether their controls were reasonable, proportionate and defensible. Organisations should consider the following questions:

• Are incident response frameworks structured for regulatory scrutiny?
• Is there clear governance over cyber incident decision making?
• Can the organisation evidence the effectiveness of its control environment post-incident?

What the Budget signals

Ongoing funding for scam prevention, fraud detection and cross-agency coordination reinforces the convergence of cyber, fraud and integrity risks.^[2],^[3]

Protiviti perspective

Cyber incidents are no longer discrete security events, they are often entry points to fraud, financial loss and reputational damage. Organisations should consider the following questions:

• Are cyber and fraud risk functions integrated or siloed?
• Are cyber controls aligned to fraud prevention outcomes?
• Is there visibility across the full lifecycle, from breach to financial impact?

What the Budget signals

The Budget commits $643.6 million over four years to maintain the security of the Australian Government Digital ID System, spanning the ATO ($357.4m), Services Australia ($135.2m), the ACCC ($98.0m), the Department of Finance ($30.8m) and the OAIC ($22.2m). This aligns with the broader headline investment in Digital ID security and reinforces the system’s role as critical public infrastructure, supported by statutory privacy safeguards under the Digital ID Act 2024.^[5]

Protiviti perspective

Identity is emerging as the cornerstone of cyber resilience and a focal point for regulatory, privacy and trust expectations. Organisations should consider the following questions:

• Is identity governance clearly owned and managed at an executive level?
• Are privacy-by-design principles embedded into digital initiatives?
• Can identity and access controls be independently assured?

What the Budget signals

Cyber and technology investments are increasingly targeted and disciplined, with greater emphasis on prioritisation and measurable outcomes.^[3]

Protiviti perspective

In a constrained fiscal environment, the key question is not how much is being spent on cyber — but whether that spend is reducing enterprise risk in a demonstrable way. Organisations should consider the following questions:

• Are cyber investments aligned to enterprise risk priorities?
• Can organisations demonstrate return on cyber investment?
• Is the cyber portfolio optimised or expanding without clear outcomes?

What the Budget signals

Government investment in AI capability, scam disruption and Digital ID assumes a threat environment in which AI strengthens defenders and accelerates attackers in equal measure. This includes “agentic AI” — AI systems that can plan, make decisions and take actions autonomously across multiple tools and environments with limited human intervention. Guidance from ASD’s ACSC on the cyber security implications of these technologies reframes AI as part of the control environment, not an adjacent issue.^[6]

Protiviti perspective

AI is rapidly compressing the gap between cyber risk and fraud risk — deepfake-enabled social engineering, AI-generated scams and autonomous agent misuse are converging on the same control failures. Boards should expect to be asked how AI is governed within the cyber control environment, not only how cyber is governed within AI. Organisations should consider the following questions:

• Is AI use across the enterprise inventoried, classified and risk-rated?

  Do existing cyber controls address emerging AI risks, including:

  • Agentic AI misuse (autonomous systems making unintended or harmful
    decisions),
  • Prompt injection (manipulating AI inputs to produce unsafe or misleading
    outputs), and
  • Model supply chain risks (vulnerabilities introduced via third-party AI
    models or training data)?
   

  Is the workforce equipped to detect AI-enabled threats such as:

  • Phishing attacks enhanced by AI-generated content,
  • Deepfakes (realistic but fake audio, video or images used for deception), and
  • Synthetic identity fraud (fabricated identities created using real and fake data
    to bypass controls)?