Budget boosts AI, but cyber gaps remain, industry warns

The 2026–27 federal budget delivered what Treasurer Jim Chalmers called Australia’s largest single investment in artificial intelligence, committing roughly $20 billion to AI, digital infrastructure, and cybersecurity over the forward estimates. The word “cyber” did not appear in the budget speech. For an industry tracking a year in which 85 per cent of Australian enterprises suffered a material attack — well above the global average of 54 per cent — the omission landed as a signal in itself.

Budget papers tell a more nuanced story. Buried in the departmental allocations are three cybersecurity line items that, together, represent a genuine funding lift. $89 million goes to sustaining Horizon 2 of the Australian Cyber Security Strategy, the implementation phase launched in late 2024 after the Medibank and Optus breaches forced Canberra to rewrite its posture. A larger slice — $206 million over four years — is directed at the Australian Prudential Regulation Authority and the Australian Securities and Investments Commission, specifically to build data and cybersecurity capability inside the two financial regulators. And $70 million in AI Accelerator grants sits in a parallel portfolio, part of a broader push to position Australia inside the AI economy before the window narrows.

“Cyber security didn’t get mention in the Treasurer’s speech, and that is a concern,” said Jeremy Pell, Country Manager ANZ at Elastic. “We are in a permanent AI arms race. Foreign hackers are now using AI to attack us at a speed no human analyst can stop, and the era of manual defence is over.”

In the lead-up to budget night, Cohesity published survey data that framed the stakes in dollars. James Eagleton, the data-management firm’s Managing Director for ANZ, told SecurityBrief Australia that 85 per cent of Australian enterprise businesses suffered a materially impactful cyberattack in 2025. Of those, 91 per cent reported revenue losses, and nearly a third lost up to 10 per cent of annual revenue — damage that, applied across the ASX 200, would run into the tens of billions.

Australia is now an outlier among developed economies on those numbers.

$206 million, handed to APRA and ASIC, is the government’s primary lever for pulling that figure down. That follows a pattern established after the Medibank and Optus breaches: Canberra strengthened the obligations on critical infrastructure operators and gave the regulators sharper teeth. Both agencies can now hire specialist threat-intel staff and upgrade monitoring platforms capable of spotting systemic risk before an incident cascades across the financial system. Institutional-strengthening money — rational, targeted, and late.

But the top-down approach opens a gap the industry is already pointing to. David Hayes, ANZ Regional Director at Arctic Wolf, said the budget’s decision to make the $20,000 instant asset write-off permanent would give small and medium businesses some operational relief. It would not, however, address the problem that keeps chief information security officers awake.

“The Federal Budget has introduced some practical measures for SMEs, including making the $20,000 instant asset write-off permanent,” Hayes told SecurityBrief. “But while the conversation around AI adoption is accelerating, SMEs still appear to have been largely left out of the broader discussion around how Australian businesses will safely and sustainably adopt these technologies.”

It is a structural gap. Large enterprises can afford managed detection and response contracts, in-house security teams, and the compliance staff to meet APRA’s CPS 234 standard. Small businesses — the roughly 2.5 million firms that employ fewer than 20 people and account for more than half of private-sector employment — rarely have any of the three. A typical suburban accounting practice or regional manufacturer runs a single IT contractor, no incident response plan, and a firewall that was last updated when it was installed.

Budget measures on cyber tilt toward institutional resilience, not the last-mile problem those firms represent.

Canberra’s budget has already drawn divergent reactions across the tech sector. Earlier analysis of the R&D tax incentive and capital gains changes found the government investing in innovation with one hand while taxing its exits with the other — a tension that has startup founders and venture firms watching the consultation period closely. A $2.4 billion digital services package that sustains Digital ID and My Health Record, by contrast, landed as straightforward infrastructure spending with broad political support.

Cybersecurity sits between those two poles. There is new money — real money that will harden the financial system’s perimeter. But the budget’s silence on the matter in the Treasurer’s speech, combined with the absence of SME-specific cyber support, leaves the industry with a package that funds the moat without securing what sits inside it. Industry groups are expected to use Senate estimates through June to press for SME-targeted cyber grants and a clearer articulation of what the $89 million in strategy funding will deliver on the ground.