The frequency and magnitude of recent cybersecurity breaches in Australia are putting increased pressure on company directors to ensure IT systems and policies are watertight.

Cyber resilience has emerged as the dominant issue facing boards and risk committees, and directors need to ensure a company’s technology framework is secure.

Beyond the operational and reputational risks of cyber breaches, there are also significant penalties for those who fail to meet their obligations. Directors need to ensure an appropriate data response plan is in place in the event of a data breach.

In Australia, a broad regulatory framework places obligations on businesses, and the people who run them, to properly manage cyber risk. These obligations are administered by various government agencies and departments.

In addition, Section 180 of the Corporations Act 2001 stipulates that a director must act with reasonable care and diligence, and this could extend to cyber security. A director who fails to do so may be ordered by a court to pay significant financial penalties.

The Australian Securities and Investments Commission (ASIC) has released a number of resources aimed at increasing cyber resilience, and expects regulated entities to adequately assess and address cyber risk.

While cyber security training for directors is yet to be made mandatory, the skills matrix of a board should be continuously reviewed. A board needs to include the right level of knowledge and skills in identifying and managing any potential cyber breaches, and plays a key role in ensuring third-party recommendations are appropriately assessed and implemented.

This article was first published in the Winter 2023 issue of Financial Times.