When boards fail to address cybersecurity and cyber resilience as core parts of their governance responsibilities, they leave their organizations exposed to unacceptable risk. It is not just an IT problem; it is about protecting the business’s future.
Ignoring cybersecurity leaves your company exposed. Don’t make that mistake.
In Brief
Cybersecurity is about more than just technology. Directors have a duty to protect the business by making informed decisions that minimize risk and ensure growth.
Delegating cybersecurity isn’t enough; real leadership requires oversight.
The Risk
When boards overlook cybersecurity, they risk financial loss, legal trouble, and damage to their reputation.
Would you risk your entire business on an unchecked vulnerability?
Why It Happens
- Over-reliance on IT teams
- No clear oversight framework
- Underestimating cyber threats

Cybersecurity Governance Principles and Responsibilities (Based on ACID Guidelines)
The following principles are inspired by guidelines from ACID (Australian Cybersecurity Industry Development), outlining key duties and obligations for directors to ensure effective cybersecurity governance:
- Duty to Act with Care and Diligence: Directors must actively ensure that proper systems are in place to prevent and respond to cyber incidents and to strengthen overall cyber resilience.
- Duty to Act in Good Faith and in the Best Interests of the Company: Decisions around cybersecurity should consider the impact on all stakeholders, including shareholders, employees, customers, suppliers, and the broader community.
- Reliance on Expert Advice: Directors can rely on external advice but must remember that delegation does not absolve them of accountability. The ultimate responsibility still rests with the board.
- Compliance with Regulatory Obligations: Entities with special licenses, such as those regulated by APRA or holding an Australian Financial Services License (AFSL), have additional legal requirements. These include having effective risk management systems to address cybersecurity threats.
- Continuous Disclosure (For ASX-Listed Companies): Directors must promptly disclose any cyber incidents that could materially affect the company’s share price. Failure to do so may expose the company to legal action.
Why This Matters (Statement from Mr. Longo)
Mr. Longo, Chair of the Australian Securities and Investments Commission (ASIC), emphasized that “cybersecurity and cyber resilience are not merely technical matters on the fringes of directors’ duties but must be adequately addressed as part of an organisation’s risk management framework.”
He further stated:
“For all boards, cybersecurity and cyber resilience have got to be top priorities. If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”
Final Thoughts
Learn from real-world examples where boards faced consequences for neglecting cybersecurity. They assumed IT had it covered, until it was too late.
Learn from others’ mistakes before they become your own.
👉 Subscribe to our newsletter to get regular insights on protecting your business from cybersecurity risks.
Stay informed, stay protected. Knowledge is your best defense.
KNOW YOU’RE SECURE.