
Importance of Notification of Significant Risk Events

Over the past few weeks, many of you would have heard about the cyber incident affecting ReadyTech’s hosted VETtrak platform. This incident caused service outages and disrupted access to essential student management system functions. ReadyTech acted quickly by isolating the platform, engaging external cyber experts, and notifying both the Australian National Office of Cyber Security (NOCS) and the Australian Cyber Security Centre (ACSC). At the time of writing, the full impact on data security is still being assessed.


Under Outcome Standard 4.3 (Risk Management) of the Standards for RTOs 2025, registered training organisations must identify and manage risks to their students and operations. Where an event occurs that could significantly affect the RTO’s ability to comply with the Standards, the organisation is required to notify the regulator within 10 business days.


The ReadyTech cyber incident is a clear example of when this requirement applies.


Notifying regulators, and where applicable government funding bodies, of significant events demonstrates strong governance and transparency. It ensures regulators are aware of issues that may impact your RTO’s delivery capability, data integrity and student safety.


Reporting these events reflects leadership and governance oversight, clear accountability, and effective risk management. It demonstrates transparency and integrity, and it meets the key expectations under the Standards.


Failing to report, however, can highlight weaknesses in governance systems and can lead to regulatory action, non-compliance findings, or even legal implications if staff or students are adversely affected.


If your RTO is affected by the ReadyTech cyber incident and has not yet lodged a report with the regulator, you must do so immediately. In addition, you need to:

  • Review and document your risk management processes and cyber response procedures.

  • Communicate transparently with affected staff and students.

  • Implement contingency measures to minimise ongoing disruption and prevent recurrence.


Events like this reinforce the importance of embedding self-assurance practices into everyday operations: identifying risks early, acting quickly, and demonstrating accountability at every level of the organisation.
