By Byron Kaye

SYDNEY, June 25 (Reuters) - Australian companies have sharply reduced the time it takes to recover from cyberattacks, a sign of improved preparedness amid heightened regulatory pressure following high-profile breaches at Optus and Medibank.

Businesses in Australia and New Zealand now take 28 days on average to recover from an incident, down from 45 days a year earlier, according to a survey of 408 IT executives that was shared exclusively with Reuters. That still trails the global average of 24 days.

"I do put that down to the fact that organisations and enterprises are getting more aware," said Martin Creighan, Asia-Pacific vice president at U.S. data protection firm Commvault CVLT.O, which commissioned the survey.

"I also put it down to the fact that the regulators are being more stringent and more strict on what their requirements are," he added in an interview.

Australia introduced mandatory breach disclosures and cybersecurity compliance reporting after 2022 attacks on Optus, owned by Singapore Telecommunications STEL.SI, and Medibank MPL.AX exposed millions of customer records.

The country's cybercrime agency reported the average self-reported cost of cybercrime per business fell 8%, including an 11% drop for large firms, in the year to June 2024.

Despite improved recovery times, fewer than a third of firms could respond effectively to an attack, and 12% had no formal response plan, showed the survey by Commvault which counts some of Australia's biggest banks and government departments as clients.

Over half lacked full visibility of where data was stored or how systems were connected, the survey found.

Creighan said cybersecurity was no longer confined to company tech departments and he had seen a rise in requests to brief boards on cyber resilience "because they're worried about the regulation landscape".

(Reporting by Byron Kaye; Editing by Raju Gopalakrishnan)

((byron.kaye@thomsonreuters.com; +612 9171 7541; Signal: byronkaye.01;))