March 2, 2026

Leader’s Liability: What Directors Need to Know About Australia’s Evolving Cyber Risk Landscape

If you sit on a board or lead an organisation in Australia, I have hard news: cyber risk is no longer something you can delegate and forget.

Over the past two years, regulatory reform has shifted cyber security from an IT issue to a governance obligation. Directors are now personally accountable for cybersecurity governance. Regulatory expectations have intensified, and passive oversight is no longer defensible.

Before you reach for the remote, this isn’t about alarmism. It’s about maturity.

Cyber resilience now sits beside financial oversight and workplace safety as a core board duty. Regulators including the Australian Securities and Investments Commission (ASIC) and the Office of the Australian Information Commissioner (OAIC) have made it clear: directors must be able to demonstrate they have taken reasonable steps to manage cyber risk.

The expectation is no longer passive oversight. It is informed leadership.

What Has Changed — and Why It Matters

Australia’s regulatory environment has evolved quickly. Several developments now directly connect cyber resilience to personal director accountability.  

1. The “Stepping Stone” Doctrine

Under Section 180 of the Corporations Act 2001, directors must exercise reasonable care and diligence.

ASIC has increasingly used what’s known as the “Stepping Stone” doctrine to pursue directors where a company’s operational failures, including cyber failure, indicate broader governance shortcomings.

This was reinforced in ASIC’s case against RI Advice Group (see ASIC Media Release 22-104MR), where the Federal Court found the organisation failed to adequately manage cybersecurity risks. The ruling made something very clear: cyber resilience forms part of a director’s statutory duty.

Courts will assess whether directors:

  • Understood foreseeable cyber risks
  • Appreciated the potential harm
  • Took proportionate and reasonable steps to mitigate those risks

Simply relying on IT management without informed oversight is no longer considered sufficient.

2. Mandatory Ransomware Reporting

Under the Cyber Security Act 2024, businesses with annual turnover exceeding $3 million must report ransomware or cyber extortion payments to the Australian Signals Directorate (ASD) within 72 hours of making the payment.

This requirement reinforces that cyber incidents are not just technical events; they are regulated events.

Boards should be confident that:

  • Reporting pathways are clearly documented
  • Responsibilities are assigned
  • Incident response plans are rehearsed
  • Timelines can be met under pressure

Failure to comply can attract civil penalties (currently around $20,000 per breach for the entity). More importantly, it reflects on governance maturity.

3. A New Statutory Tort for Privacy

The Privacy and Other Legislation Amendment Act 2024 significantly strengthened privacy enforcement.

Individuals can now pursue direct legal action for serious invasions of privacy arising from intentional or reckless conduct. Courts may award damages for emotional distress, something that was previously difficult to secure.

Combined with the Notifiable Data Breaches Scheme overseen by the OAIC, this expands litigation exposure. Directors must ensure:

  • Strong data governance frameworks
  • Clear policies and documented procedures
  • Ongoing staff training
  • Oversight of third-party and contractor risk

Organisations are increasingly exposed to vicarious liability for employee conduct. Governance cannot be theoretical; it must be embedded.

4. Personal Penalties Are Real

The penalties are not symbolic. Directors may face civil penalties of up to 5,000 penalty units (currently approximately $1.56 million) for breaches of Section 180. ASIC can seek disqualification orders preventing individuals from managing corporations. Serious privacy interferences may attract penalties exceeding $50 million for corporations, with significant exposure for individuals.

The regulatory environment is now active, not passive.

What Good Governance Looks Like in Practice

So, before you start writing your resignation to the Board, hear me out. The answer is not panic. It is structure, visibility, and deliberate investment. Cyber resilience is built through clarity: understanding risk, prioritising controls, and maintaining transparency at board level. Instead of hitting the panic button, here are practical steps directors can take.

1. Review D&O and Cyber Insurance

Policies often reveal their weaknesses after an incident. Directors should:

  • Confirm coverage aligns with the organisation’s risk profile
  • Understand exclusions
  • Confirm ransomware coverage
  • Ensure insurer requirements are embedded in operational processes

I know you know this, but... insurance should support governance, not replace it.

2. Commission a Cyber Audit

A formal assessment aligned to recognised frameworks such as the Essential Eight (ASD), NIST CSF, or ISO 27001 provides:

  • A clear view of current maturity
  • Identified control gaps
  • A prioritised remediation roadmap
  • Evidence of proactive oversight

Once upon a time you could have been forgiven for thinking a security alignment framework was just a nerd-powered flex, but an audit is no longer just a technical exercise; it is a governance statement.

3. Demand Transparency from IT Partners

This is one of my personal favourites. Nothing gets your IT team more excited than working with a board that “gets it” and starts asking for evidence of cyber health! Boards should have visibility over cyber health. That means:

  • Clear, plain-English reporting
  • Meaningful dashboards
  • Risk-based metrics
  • Open communication when issues arise

No more smoke and mirrors from your technical team. If your IT partner cannot translate cyber posture into board-level clarity, that is a governance gap (and I know a great MSP you can talk to).

4. Strengthen Governance and Culture

Cyber resilience is cultural as much as technical. Directors should ensure:

  • Regular cyber briefings
  • A tested and documented incident response plan
  • Ongoing staff awareness training
  • Supply chain risk assessments
  • Defined data classification and retention processes

Culture protects organisations long before technology does, and if leadership does not value security, the rest of the organisation never will.

5. Align Budget to Risk

Underinvestment in cyber security can now constitute a governance failure.

Boards should ensure budgets reflect identified risk and prioritise controls such as:

  • Multi-factor authentication
  • Vulnerability management
  • Backup resilience
  • Endpoint detection and response
  • Advanced email security

Never get bullied into spending cyber funds on pie-in-the-sky security. Invest with purpose and measure the impact. Investment should be proportionate, not reactive.

6. Build a Trusted Partnership

Directors do not need to become cyber experts. They do, however, need trusted advisors.

The right partner translates technical exposure into commercial risk, ensures regulatory alignment, and supports leadership teams during high-pressure incidents. Cyber risk cannot sit in isolation from strategy; it must be integrated into how the organisation operates and grows.

Closing Thoughts

Cyber risk is now a permanent feature of modern business in Australia. Regulatory expectations are clearer. Enforcement is increasing. Personal accountability is real.

This is not a moment for fear but a moment for maturity. With structured governance, transparent reporting, informed oversight, and deliberate investment, directors can meet their obligations confidently while strengthening organisational resilience.

If you’re unsure how aligned your organisation is with these requirements, consider starting with a cyber maturity assessment or a governance review. Even a quick board-level cyber health check can reveal whether your current posture meets today’s expectations.
