Rapid regulatory changes are reshaping how businesses handle data, AI, and cybersecurity
Ransomware reporting From May 30 2025, certain businesses must report ransomware payments under a “no fault, no liability” framework. Payments remain legal but must comply with anti-money laundering laws. NZ privacy framework New Zealand’s Poupou Matatapu framework helps agencies comply with privacy laws, emphasizing data management and cultural awareness. NRIC data and AI regulation in Singapore Singapore’s new ACRA portal raised privacy concerns over NRIC searches, while the AI governance framework sets fairness, accountability, and transparency standards for 2025. Businesses must navigate evolving data and AI regulations. Agent AI growth and quantum cryptography AI will evolve into autonomous multi-agent systems, driving efficiency and industry disruption. Furthermore, quantum computing threatens encryption, pushing businesses toward post-quantum cryptography for future security.
To navigate these rapid regulatory changes, businesses must stay proactive in compliance, risk management, and future-proofing their systems to mitigate emerging data, AI, and cybersecurity risks.
Kieran Doyle Head of Cyber, Privacy and Technology +61 2 8273 9828 kieran.doyle@wottonkearney.com
Nicole Gabryk Partner, Cyber +61 2 9064 1811 nicole.gabryk@wottonkearney.com
Stephen Morrissey Partner, Technology Liability +61 2 8273 9817 stephen.morrissey@wottonkearney.com
Joseph Fitzgerald Partner, Cyber (New Zealand) +64 4 260 4796 joseph.fitzgerald@wottonkearney.com
3 standout insights on AI and insurance
Ransomware regulation: A new era in the fight against cybercrime
Governments are moving to disrupt ransomware through transparency rather than prohibition. From May 30 2025, the Cyber Security Act 2024 will require certain businesses to report ransomware and cyber extortion payments under a “no fault, no liability” framework.
This aligns with the 2023–2030 Australian Cyber Security Strategy’s focus on data-driven disruption. The obligation applies to businesses above a set turnover threshold (excluding Commonwealth and State bodies), with payments still needing to comply with anti-money laundering and sanctions laws.
Policy updates: Use of AI in Singapore moving forward
AI is rapidly becoming the top technology focus for businesses in Singapore, with 67% prioritising AI in 2025 and 75% planning adoption or trials. This surge has raised regulatory concerns around responsible use. In response, regulators have issued voluntary guidelines, such as the Model AI Governance Framework, to promote fairness, ethics, accountability, and transparency.
Further updates and consultations are expected as adoption grows. Businesses will need to review their AI practices, as regulatory scrutiny and potential claims related to AI misuse or mismanagement are likely to increase.
Generative Artificial Intelligence: To err is human, but is AI divine?
As businesses adopt generative AI to reduce human error, new risks tied to AI decision-making are coming into focus.
The July 2024 CrowdStrike outage highlighted the cost of human mistakes, while cases like Zillow’s USD $500 million AI-driven mispricing show how AI faults can trigger major claims.
With vendor contracts often shifting AI risks to users, regulators are responding. The Australian Government’s paper, released in November 2024, signals a growing move towards stronger consumer protections and clearer liability frameworks for Artificial Intelligence.
“Cyber insurance expected to grow from US$14 billion to US$27 billion (2023 – 2027)”
Cyber Insurance Risks and Trends 2024, Munich Re
Data breach class actions
Over the course of 2024, the two data breach class actions (against Medibank and Optus) moved along slowly. Those proceedings were commenced by customers whose data was compromised in the cyber-attacks against each company that took place in 2022.
These actions are interesting for a number of reasons, including the fact that they are the first of their kind but also because both companies are facing a barrage of legal proceedings related to the data breaches.
Our Class Actions 2024 Wrapped report covers this in more detail. Click here to access the report
Wotton Kearney acknowledges the traditional custodians of the lands on which we work, and pay our respects to Elders past and present.
© 2025 WOTTON KEARNEY Legal information | Privacy | Legitimate interest | Contact
