Digital Risk for Professional Services: Cyber Threats, Data Breaches and AI – 5 program recorded webinar series

Session 1: Cyber Risks in 2026: Rethinking Your Defence in the Age of Deepfakes and Social Engineering

Cybercrime has evolved far beyond traditional hacking. Today’s most successful attacks exploit human behaviour rather than technical weaknesses, using increasingly sophisticated phishing campaigns, deepfake technology and social engineering tactics to trick staff into giving away access, credentials or funds. Professional practices are particularly attractive targets because they hold sensitive client information and regularly handle financial transactions. This session examines the latest cyber threats facing professional services, how these attacks succeed in practice, and where firms are most exposed. It covers:

• The latest cybercrime trends affecting professional services, including credential compromise, voice phishing and multi-factor authentication attacks
• How recent breaches have occurred in practice and the human and system failures that allowed them to succeed
• Why professional practices are being targeted and where common exposure points arise across people, processes and technology
• The growing role of deepfakes and AI-driven attacks, and how they are changing the nature of fraud and deception
   

Session 2: Building a Defensible Cybersecurity Framework for Your Firm

Cybersecurity is no longer just an IT issue — it is a core governance and professional risk responsibility. As cyber threats become more sophisticated and insurers, regulators and clients increase their expectations, firms must be able to demonstrate that they have taken reasonable steps to protect client information and manage digital risk. This session examines what a defensible cybersecurity framework looks like in practice and what firms need to have in place to reduce their exposure and meet evolving professional standards. It covers:

• What a defensible cybersecurity framework looks like for professional practices, including governance structures, accountability and oversight
• The key policies, systems and controls firms are expected to have in place, including email security, multi-factor authentication, data storage, backups and access controls
• How to design and implement practical cybersecurity policies and incident response plans that can be followed under pressure
• The role of cyber insurance, including common coverage limitations and the controls insurers increasingly expect firms to demonstrate
   

Session 3: Data and Privacy Law Update: New Rights, New Risks and Growing Exposure for Professional Practices

Australia’s data and privacy regime is undergoing its most significant overhaul in more than a decade. Recent reforms have expanded regulatory powers, introduced new offences and created additional avenues for individuals to pursue privacy claims. At the same time, further reforms are expected to come into effect in 2026, reshaping how organisations collect, store and manage personal information. For professional practices that hold sensitive client data, understanding these developments is essential. This session provides a practical update on the latest privacy law reforms and what firms should be doing now to prepare for the next phase of change. It covers: 

• Key recent reforms, including the new criminal offence for doxxing, the statutory tort for serious invasions of privacy, expanded powers of the OAIC and the recognition of designated overseas jurisdictions
• Emerging data governance trends, including the growing influence of “right to be forgotten” principles and the implications for data retention and classification policies
• Further reforms expected in 2026, including the proposed Children’s Online Privacy Code and new transparency requirements for automated decision-making
• The privacy implications of expanded client identification and verification obligations under AML reforms, including how firms should manage the collection, storage, retention and security of sensitive client information
• Practical implications for professional practices managing large volumes of sensitive client information
   

Session 4: When a Data Breach Hits: Managing the First 72 Hours

When a data breach occurs, the greatest failures often arise not from a lack of legal knowledge but from poor coordination, slow decision-making and unclear responsibilities. Many firms have policies and incident response plans, yet struggle to implement them effectively when a real incident occurs. For lawyers and accountants handling sensitive client information, the first hours of a breach can determine the regulatory, reputational and financial consequences that follow. This session examines how firms should respond when a cyber incident occurs, focusing on the critical decisions and actions in the immediate aftermath. It covers:

• The immediate priorities following a suspected breach, including containment, escalation and preserving evidence
• The key decision points firms face in the first 72 hours, including speed vs certainty, internal investigation vs external engagement, and managing privilege
• How to assess whether an “eligible data breach” has occurred and when notification obligations are triggered
• Managing regulators, clients, insurers and reputational fallout in real time
• Common mistakes firms make during breach response and how these decisions impact liability and outcomes
   

Session 5: Responsible AI in Practice: A Practical Guide to AI Governance

Much of the discussion around AI in professional practice focuses on what advisers should be thinking about — the ethical obligations, regulatory risks and governance principles that AI raises. Far less attention is given to the practical question of how firms should actually govern AI use in day-to-day practice. Effective AI governance is about controlled enablement: allowing lawyers and accountants to benefit from AI tools while ensuring appropriate safeguards are in place. This session provides a practical guide to designing and implementing an AI governance framework for small and medium professional practices. It covers:

• What a clear and effective AI use policy looks like in practice, including key provisions to include, avoiding vague principles and implementing meaningful human-in-the-loop controls
• How to adopt a risk-based classification of AI tools within a firm, including mandatory assessments for new tools and practical approaches to technology vendor due diligence
• The professional liability risks advisers often underestimate when using AI, including privacy breaches, negligence risks, misleading or deceptive conduct and potential loss of legal professional privilege
• How clients are using AI to interpret advice, draft documents and prepare communications, and the risks this creates across legal and advisory engagements
• The consequences of client misuse of AI, including waiver of privilege, reliance on inaccurate outputs, evidentiary issues and compromised decision-making
• Practical documents and tools firms can use to implement AI governance, including checklists