Notifiable Data Breach Response for Sydney SMBs After a BEC Incident: Get the OAIC Assessment, Notification, and Affected-Individual Letters Right
Your accounts manager calls on a Friday afternoon. A supplier invoice was paid to the wrong bank account, and when she went back through the mailbox she found a forwarding rule she did not create, quietly copying every email from one mailbox to an external Gmail address for the last six weeks. The money is one problem. The bigger problem sitting in front of you is that the mailbox contained client contact details, signed engagement letters, ID documents, and tax file numbers. Under the OAIC Notifiable Data Breaches scheme you now have 30 days, counted from the moment you became aware of the suspected breach, to assess whether it is an eligible data breach, and if it is, to notify the OAIC and the affected individuals as soon as practicable after that. Notifiable Data Breach Response from Cyber by Exegesis is the engagement designed to walk a Sydney SMB through that 30-day window without missing the legal obligation or panicking the customer base.
The problem
Business email compromise (payment redirection) is consistently among the highest-loss scam categories that businesses report to ACCC Scamwatch, but the financial loss is often only the visible part of the incident. The hidden part is the data exposure: an attacker with mailbox access for weeks has had sight of everything that landed in that inbox, and under the OAIC NDB scheme, unauthorised access to personal information your business holds is an eligible data breach that must be notified where a reasonable person would conclude it is likely to result in serious harm to any of the individuals concerned.
Most Sydney SMBs hit by BEC do not have a privacy officer. They have an owner, a bookkeeper, and an IT provider focused on restoring access. The NDB assessment gets deferred, then forgotten, then surfaces months later when an affected client asks why they were not told. The 30-day assessment clock under Part IIIC of the Privacy Act 1988 does not pause for any of that.
What NDB Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement aligned to the OAIC NDB scheme:
- A scoping interview to establish what mailbox(es) were compromised, for how long, and what personal information was reachable in those mailboxes during the access window.
- An eligible-data-breach determination under the NDB scheme — documented reasoning, not a gut call — covering whether the access is likely to result in serious harm and whether remedial action has reduced that risk.
- A drafted OAIC notification statement covering the statutory content: the entity's identity and contact details, a description of the breach, the kinds of information involved, and the recommended steps for affected individuals, plus the kinds of harm that may result.
- Drafted affected-individual notification letters (or email templates), worded plainly, that meet the NDB content requirements without inflaming the customer relationship.
- A short written record of the assessment, the decision, and the supporting evidence — the document you want on file if the OAIC ever asks.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope on an NDB engagement is the privacy-law response. We are not your incident responder evicting the attacker, and we are not your lawyer; we work alongside both and produce the OAIC-facing artefacts.
How it works
- We confirm the engagement scope on a same-week call and ask for the basic incident facts: when the BEC was discovered, what mailbox-rule or access evidence you have, and what categories of personal information sat in the affected mailbox.
- We run the eligible-data-breach assessment against the OAIC NDB criteria and document the reasoning, including any remedial action your IT provider has already taken.
- We draft the OAIC notification statement and the affected-individual notification in parallel, so you can review both before the 30-day assessment window closes; once the assessment concludes the breach is eligible, notification should go as soon as practicable rather than waiting for day 30.
- We sit with you for 30 minutes to walk through the notifications, adjust tone and detail, and agree the send sequence (OAIC submission, then affected individuals, with internal staff briefing in between).
- We hand over the written assessment record and the sent artefacts. If the incident later requires a supplementary notification, we know your file.
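The mailbox-rule and access evidence asked for in the scoping call is usually pulled straight from the tenant. The script below is an added example written for this page, not Cyber by Exegesis's own tooling, and it assumes a Microsoft 365 tenant using Exchange Online with the ExchangeOnlineManagement PowerShell module, a signed-in account that can run Get-Mailbox, Get-InboxRule and Search-UnifiedAuditLog, and that your own mail domain is the assumed value in $InternalDomain. Export the evidence before anyone deletes the rule: the earliest rule-creation event and its client IP are what fix the start of the access window, and the unified audit log only reaches back as far as your tenant's retention.

```powershell
# Added example, not part of the original page: collect inbox-rule, mailbox-forwarding
# and rule-change audit evidence from Exchange Online after a suspected BEC.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account can
# run Get-Mailbox, Get-InboxRule and Search-UnifiedAuditLog; $InternalDomain is your
# own mail domain (assumed value below); unified audit log retention covers the
# period of interest (90 days is the default on many licences).
param(
    [string]$InternalDomain = "example.com.au",  # assumption: replace with your domain
    [int]$LookbackDays      = 90,                # assumption: matches default audit retention
    [string]$OutDir         = "."
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Heuristic: Exchange Online renders external rule targets as '"addr" [SMTP:addr]'
# and internal recipients as an EX: legacy DN, so an SMTP target that does not end
# in our own domain is treated as external.
$internalPattern = '@' + [regex]::Escape($InternalDomain) + '\]$'
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Inbox rules that forward, forward-as-attachment or redirect externally, or
#    silently delete mail (used to hide the supplier's replies during a BEC).
#    -IncludeHidden also returns rules created via MAPI that Outlook does not show.
$suspectRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden | Where-Object {
        $rule    = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $ext     = @($targets | Where-Object { $_ -match '\[SMTP:' -and $_ -notmatch $internalPattern })
        ($ext.Count -gt 0) -or $rule.DeleteMessage
    } | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                      RedirectTo, DeleteMessage, MoveToFolder
}

# 2. Mailbox-level forwarding set through Set-Mailbox (needs no inbox rule at all).
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. When each rule or forwarding setting was created or changed, by whom and from
#    which client IP. The earliest event against the victim mailbox is the start of
#    the access window for the scoping interview. Set-Mailbox events are kept only
#    when they touched forwarding; anything else is noise for this purpose.
#    (Single page of 5000 results; page with -SessionId/-SessionCommand on large tenants.)
$start = (Get-Date).AddDays(-$LookbackDays)
$ruleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox `
    -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Actor     = $_.UserIds
            Operation = $_.Operations
            Target    = $d.ObjectId
            ClientIP  = $d.ClientIP
            Params    = (@($d.Parameters) | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } |
    Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Params -match 'Forwarding' } |
    Sort-Object When

# 4. Preserve the evidence as CSV before the IT provider removes the rules.
$suspectRules      | Export-Csv (Join-Path $OutDir 'suspect-inbox-rules.csv') -NoTypeInformation
$mailboxForwarding | Export-Csv (Join-Path $OutDir 'mailbox-forwarding.csv')  -NoTypeInformation
$ruleEvents        | Export-Csv (Join-Path $OutDir 'rule-change-audit.csv')   -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner will want. If the rule predates your audit retention, step 3 will not show its creation, and the access window then has to be established from sign-in records or from the date of the earliest message the attacker could have seen; and a rule created from an Outlook client appears as UpdateInboxRules rather than New-InboxRule, which is why both operations are requested.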
Why this matters in Sydney
Sydney’s SMB base is heavy in professional services (accountants, law firms, brokerages, migration agents, financial advisers) that hold exactly the categories of personal information the NDB scheme is designed to protect: identity documents, financial details, tax file numbers, contact records. When BEC hits a Sydney firm of that shape, the data exposure is very often notifiable, and the OAIC pays attention to how the notification is worded and how quickly it lands. Getting the NDB response right protects the regulatory position and, just as importantly, protects the client trust that the firm depends on.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Sydney SMBs
We are sequencing engagements by incident urgency and by sector. Join the waitlist with your sector, your email tenant, and a one-line summary of the incident. We will tell you when we can take a brief from your business and pick up the assessment inside your 30-day window, which runs from the day you became aware of the suspected breach, not from the day we start.