Regulatory bodies, including ASIC, APRA, and the AICD, emphasise the need for directors to actively oversee cybersecurity incident resilience. Failure to do so can result in legal, financial, and reputational consequences.
This article outlines the responsibilities of Australian directors in cybersecurity, key regulations, potential penalties, and best practices recommended by ASIC and the AICD.
Directors’ responsibilities in cybersecurity
Australian directors have a duty to act in good faith and with due care and diligence under the Corporations Act 2001 (Cth). This extends to cybersecurity governance. Directors must:
- Understand cybersecurity risks – Boards must have a clear view of the organisation’s risk exposure and ensure it aligns with business strategy.
- Establish oversight and accountability – Cybersecurity should be integrated into corporate governance, with clear reporting lines and accountability structures.
- Ensure adequate resources – Investment in cybersecurity resilience, including skilled personnel, technology, and incident response plans, is essential.
- Review risk management frameworks – Regularly assess cybersecurity policies, incident response plans, and recovery capabilities.
- Monitor compliance and reporting – Adhere to legal and regulatory obligations, including mandatory breach reporting requirements.
Regulatory obligations and penalties
Directors are accountable for ensuring compliance with various cybersecurity regulations, including:
- ASIC’s cybersecurity resilience expectations – ASIC expects boards to implement cybersecurity resilience frameworks and ensure risk management processes align with financial and operational risks.
- Privacy Act 1988 (Cth) & Notifiable Data Breaches (NDB) scheme – Companies must report data breaches that are likely to result in serious harm, or risk penalties of up to $50 million for serious breaches.
- APRA Prudential Standard CPS 234 – APRA-regulated entities must maintain information security capability, conduct regular assessments, and notify APRA of significant incidents.
- Security of Critical Infrastructure Act 2018 (Cth) – Critical infrastructure providers must meet specific cybersecurity obligations, including mandatory incident reporting.
Potential penalties:
- For organisations – Significant financial penalties, regulatory sanctions, and reputational damage.
- For individuals – Directors may be held personally liable for failing to meet their duty of care, leading to civil penalties, disqualification, or legal action.
Best practices from AICD and ASIC
We’ve summarised the best practice guidance from the Australian Institute of Company Directors and the Australian Securities and Investments Commission.
1. Cybersecurity is a board-level issue
- Directors must ensure cybersecurity is prioritised at the highest governance level.
- The board should receive regular cybersecurity briefings from executives or external experts.
2. Understand the cybersecurity threat landscape
- Directors should ensure the board is informed about evolving cyberthreats.
- Organisations should conduct regular cybersecurity risk assessments aligned with business strategy.
3. Implement robust risk management frameworks
- Cybersecurity risk must be integrated into overall corporate risk management.
- Directors should oversee internal audits and external cybersecurity assessments.
4. Ensure incident preparedness and response
- Companies should have documented and tested incident response plans.
- Boards must ensure regular cybersecurity incident simulations to improve response capabilities.
5. Promote a strong cybersecurity culture
- Directors must drive cybersecurity awareness across all levels of the organisation.
- Boards should oversee cybersecurity training for employees, executives, and suppliers.
Strengthening cybersecurity governance
Directors should take proactive steps to enhance their organisation’s incident resilience:
- Conduct regular cybersecurity training for the board.
- Establish a cybersecurity committee or appoint a board member responsible for oversight.
- Ensure external audits and independent assessments of cybersecurity controls.
- Require detailed cybersecurity reporting from executives and IT teams.
- Take out cybersecurity insurance to mitigate financial risks.
Failure to prioritise cybersecurity governance exposes companies and directors to legal, financial, and reputational risks. Australian directors must integrate cybersecurity into board discussions, risk management frameworks, and strategic decision-making.
Flame Tree can help you understand how regulations apply to you and your organisation.