Third-party-related cyber incidents in New South Wales government have increased fourfold over the past two years
Cyber incidents linked to third-party systems used by the New South Wales (NSW) government have more than quadrupled over the past two years, according to figures obtained by iTnews. In the financial year 2023-24, there were 17 cyber incidents involving third-party systems across state government agencies, which is more than double the eight incidents recorded the previous year and over four times the number reported in FY2021-22. These figures, obtained under NSW’s Government Information (Public Access) Act (GIPA), follow the release of Cyber Security NSW’s third annual cyber threat report in November 2024. Cyber Security NSW began collecting and reporting incident data in 2021, adopting a structured framework for consistent identification of incident types, including those involving third-party systems. A public blog post summarising the November 2024 report indicated that the number of incidents involving systems owned or managed by third parties almost tripled in FY2024, although this figure also includes incidents involving local councils.
In response to the rising number of incidents, a spokesperson for the Department of Customer Service (DCS), which oversees Cyber Security NSW, stated that the NSW Cyber Security Policy requires government agencies to effectively manage cyber security risks related to third-party service providers. This includes embedding cyber security requirements into contractual agreements and conducting vendor risk assessments to mitigate potential threats. Cyber Security NSW responded to over 200 cyber incidents in FY24. To address these challenges, the NSW government pledged $87.7 million to Cyber Security NSW over four years in its latest budget, building on the $20.3 million invested the previous year. Additionally, the budget included $15 million from the Digital Restart Fund to reduce extreme cyber security risks over the next four years.