
Australia wants world-class cybersecurity by 2030. But who pays?


With thanks to Peter Bardos, Partner at HLB Mann Judd, for his contribution to the tax analysis.

Australia’s 2030 Cyber Security Strategy aims to make us a world leader in cyber security within five years. But as compliance tightens and cyber costs climb, businesses are left to foot the bill – and face fines if they fall short. Is it time for tax and accounting frameworks to catch up?

The government has a plan. Businesses have the bill.

In 2023, the Australian Government released its Cyber Security Strategy – a serious, 20-point action plan covering everything from threat intelligence sharing to uplifting the security posture of critical infrastructure.

But what it doesn’t include is money – there are no grants, subsidies or financial concessions to help businesses meet the security standards the strategy demands. What it does include is more legislation and penalties. For many businesses, particularly smaller ones already stretched by rising software costs and compliance burdens, that equation is becoming very uncomfortable.

The cost of compliance keeps climbing

Cybersecurity is no longer a line item that organisations can defer. Platforms, monitoring tools, compliance frameworks and specialists all carry growing price tags. CSO Group observes security technology costs rising up to 15% annually. According to CPA Australia, 38% of businesses identified financial cost and low return on investment as the biggest barrier to technology adoption.[1]

The World Economic Forum found that 35% of small organisations consider their cyber resilience inadequate – up sevenfold since 2022 – compared to large organisations, where the figure has nearly halved.[2] The gap is widening as regulations tighten.

CSO Group’s Horizon 2 Executive Forum found that tax incentives are more effective than grants in encouraging small businesses’ cyber investments, as grants typically come with reporting requirements that smaller organisations struggle to meet. The challenge is that there are currently no targeted tax incentives for cybersecurity.

The law doesn’t wait for your budget cycle

Under APP 11 of the Privacy Act 1988, organisations must take reasonable steps to protect personal information – including technical measures such as security software and access controls – with serious penalties in play. ASIC v FIIG Securities Limited resulted in a $2.5 million fine and $500,000 in costs after the company failed to maintain adequate cybersecurity.[3]

As the national security stakes rise, the government mandates protection and the regulators enforce it, yet there is no corresponding mechanism to help businesses fund it. Invest and absorb the cost. Don’t invest and risk the fine. Either way, it comes out of the business.

Could tax incentives work harder?

Most cybersecurity investments – software licences, monitoring tools and security platforms – come as annual subscriptions and are immediately deductible in the year they’re incurred. They’re operating expenses, not capital assets, so there’s no unclaimed deduction sitting on the table. The current tax framework is already doing all it can. So what more is there to ask for? One practical option would be boosted deductions, where businesses can claim more than they actually spent. The precedents are there:
  • The Small Business Technology Investment Boost allowed businesses to claim up to 120% of qualifying technology spend (including a 20% bonus deduction)
  • R&D concessions have delivered above-cost deductions in specific contexts for decades [4]
  • Skills and training boosts have applied similar logic to workforce development

Cybersecurity has a case for boosted deductions

Businesses are investing under legal obligation, in a threat environment they did not create, to protect customer data and contribute to national security. 

A targeted boost – say, 120% deductibility on qualifying cybersecurity spend for businesses investing with registered providers – would use the existing tax architecture to change behaviour in an area where the government itself has set the agenda. 

The design detail would need work, but that’s a conversation worth having.

Could accounting standards catch up too?

While tax is a more immediate lever, it is also worth considering how accounting standards should evolve to address the increasing costs of what is becoming an almost-mandated expense of protecting business. 

New technologies, business models and risks constantly test whether accounting standards still reflect economic reality. Most cybersecurity spending is expensed in the year it’s incurred, which makes it look like short-term maintenance rather than long-term infrastructure, distorting both reporting and investment decisions. I don’t think today’s accounting framework faithfully represents our current reality.

Accounting standards have adapted before when economic substance demanded it; when AASB 16 Leases was introduced in 2019, it did not change the economics of leases, but changed the visibility of commitments by moving lease obligations onto the balance sheet, improving transparency across businesses with very different property footprints. 

Recognising cyber investment as a balance sheet asset would better reflect its long-term value. However, this would directly affect tax treatment, spreading the tax deduction over several years rather than taking it all up front. Those two outcomes pull in opposite directions, which is why any accounting reform would need the Australian Accounting Standards Board (AASB) and the Australian Taxation Office (ATO) to work together – a collaboration without real precedent.

Cybersecurity warrants the same conversation

As our CTO Matt Fedele-Sirotich noted on AI’s Wild West, regulations rarely keep pace with the technology they govern, and can take decades to catch up. It took the AASB roughly 10 years, from the first discussion paper to the final release, to implement AASB 16 Leases. For Australian businesses, reform can’t come fast enough. The 2030 strategy sets a clear ambition and backs it with legislation and penalties. What it doesn’t provide is any help with the cost. Targeted boosted deductions for qualifying cybersecurity spend – building on mechanisms the ATO has already used – would be a practical starting point that requires no new framework. The government has set the ambition. It’s time to help businesses afford it.

References
1. CPA Australia, Business Technology Report 2025
2. World Economic Forum, Global Cybersecurity Outlook 2025
3. Australian Securities and Investments Commission v FIIG Securities Limited [2024], Federal Court of Australia
4. Australian Taxation Office (ATO), Small Business Technology Investment Boost, 2023; ATO guidance on deductibility of subscription software

Gemma Cann

Financial Controller at CSO Group, Australia’s trusted cybersecurity partner, specialising in integrated security outcomes through orchestrated vendor technologies
