Regulatory bodies, including ASIC, APRA, and the AICD, emphasise the need for directors to actively oversee cyber resilience. Failure to do so can result in legal, financial, and reputational consequences.
This article outlines the responsibilities of Australian directors in cyber security, key regulations, potential penalties, and best practices recommended by ASIC and the AICD.
Directors’ responsibilities in cyber security
Australian directors have a duty to act in good faith and with due care and diligence under the Corporations Act 2001 (Cth). This extends to cyber security governance. Directors must:
- Understand cyber risks – Boards must have a clear view of the organisation’s cyber risk exposure and ensure it aligns with business strategy.
- Establish oversight and accountability – Cyber security should be integrated into corporate governance, with clear reporting lines and accountability structures.
- Ensure adequate resources – Investment in cyber resilience, including skilled personnel, technology, and incident response plans, is essential.
- Review risk management frameworks – Regularly assess cyber security policies, incident response plans, and recovery capabilities.
- Monitor compliance and reporting – Adhere to legal and regulatory obligations, including mandatory breach reporting requirements.
Regulatory obligations and penalties
Directors are accountable for ensuring compliance with various cyber security regulations, including:
- ASIC’s cyber resilience expectations – ASIC expects boards to implement cyber resilience frameworks and ensure risk management processes align with financial and operational risks.
- Privacy Act 1988 (Cth) & Notifiable Data Breaches (NDB) scheme – Companies must report data breaches that are likely to result in serious harm, or risk penalties of up to $50 million for serious breaches.
- APRA Prudential Standard CPS 234 – APRA-regulated entities must maintain information security capability, conduct regular assessments, and notify APRA of significant incidents.
- Security of Critical Infrastructure Act 2018 (Cth) – Critical infrastructure providers must meet specific cyber security obligations, including mandatory incident reporting.
Potential penalties:
- For organisations – Significant financial penalties, regulatory sanctions, and reputational damage.
- For individuals – Directors may be held personally liable for failing to meet their duty of care, leading to civil penalties, disqualification, or legal action.
Best practices from AICD and ASIC
We’ve summarised the best practice guidance from the Australian Institute of Company Directors (AICD) and the Australian Securities and Investments Commission (ASIC).
1. Cyber security is a board-level issue
- Directors must ensure cyber security is prioritised at the highest governance level.
- The board should receive regular cyber security briefings from executives or external experts.
2. Understand the cyber threat landscape
- Directors should ensure the board is informed about evolving cyber threats.
- Organisations should conduct regular cyber risk assessments aligned with business strategy.
3. Implement robust risk management frameworks
- Cyber security risk must be integrated into overall corporate risk management.
- Directors should oversee internal audits and external cyber security assessments.
4. Ensure incident preparedness and response
- Companies should have documented and tested incident response plans.
- Boards must ensure regular cyber incident simulations to improve response capabilities.
5. Promote a strong cyber security culture
- Directors must drive cyber awareness across all levels of the organisation.
- Boards should oversee cyber security training for employees, executives, and suppliers.
Strengthening cyber security governance
Directors should take proactive steps to enhance their organisation’s cyber resilience:
- Conduct regular cyber security training for the board.
- Establish a cyber security committee or appoint a board member responsible for oversight.
- Ensure external audits and independent assessments of cyber security controls.
- Require detailed cyber security reporting from executives and IT teams.
- Invest in cyber insurance to mitigate financial risks.
Failure to prioritise cyber security governance exposes companies and directors to legal, financial, and reputational risks. Australian directors must integrate cyber security into board discussions, risk management frameworks, and strategic decision-making.
Flame Tree Cyber can help you understand how regulations apply to you and your organisation.