The introduction of Australia's Cyber Security Act 2024 marks a fundamental shift in how the ASX 200 must manage risk. Under new mandates, "having tools" is no longer equivalent to "being protected," and security ratings alone do not provide a complete picture.
Our 2026 analysis, derived from billions of data points, reveals hidden gaps between aggregate ratings and true operational resilience. We examined three critical dimensions to identify where the Australian threat landscape is most volatile:
- The Attacker's View (Volatility): While aggregate scores improved by a modest 1.58%, the "Attack Surface" category experienced 60-point volatility gaps that attackers actively exploit.
- The Supply Chain View (Inherited Risk): Security posture is often undermined by risks that "cascade" from third parties, where a single vulnerability can be exploited across hundreds of integrated companies simultaneously.
- The Dark Web View (Identity Risk): Identity has become the new perimeter, with 10% of the ASX 200 ending 2025 with verified infostealer infections circulating on illicit marketplaces.
The data demonstrates that real security requires a transition from static ratings to automated, end-to-end management of your true security posture. Understanding these granular findings is vital for leaders who need to bridge the "Response Gap" and meet the new Australian standards for systemic resilience.