In Brief
For too long, cybersecurity has been treated as a purely technical issue, something to check in with the IT team about once a quarter. That era is over. Cyber risk is now a direct corporate responsibility, and failure to act isn’t just dangerous; it’s unlawful.
ASIC has made it clear: Cybersecurity negligence will have real consequences for directors. If your board isn’t actively managing cyber risk, you could be personally liable.
The Stakes Are Higher Than Ever
🔸 ASIC has named cybersecurity enforcement a top priority for 2025
🔸 The Australian Signals Directorate (ASD) responded to over 76,000 cyber incidents last year
🔸 Individual directors could face fines up to $2.5 million
🔸 The RI Advice case has already set a precedent: Boards are officially on notice
The Risk: Ignorance Won’t Protect You Anymore
In FY2023-24 alone, the numbers speak for themselves:
📈 Cybercrime reports jumped by 13%
📞 ASD received over 36,700 emergency cybersecurity calls
💸 The average cyber incident cost businesses $276,000
🔓 57% of attacks involved stolen credentials or compromised systems
Think a monthly IT report is enough? Think again.
The RI Advice Wake-Up Call
The Federal Court ruled that RI Advice failed to manage cybersecurity risks adequately. While no individual directors were penalized this time, the warning was loud and clear: if boards don’t take reasonable steps to protect their organizations, the consequences could be devastating:
✔ Company fines up to $50 million
✔ Directors facing personal penalties of $2.5 million
✔ Loss of director rights
✔ Even prison time for gross negligence

Why Boards Keep Getting It Wrong
Boards keep making the same mistakes, and regulators are losing patience. These three dangerous assumptions are still everywhere:
❌ “Cybersecurity is IT’s job.”
❌ “We’ve installed the latest security tools.”
❌ “We’ve never had a breach, so we must be fine.”
But cybercriminals don’t wait for your next quarterly meeting, and neither will ASIC when enforcement kicks in.
What Directors Must Do Immediately
🔹 Make cybersecurity a standing item on board agendas
🔹 Demand regular, board-level risk assessments, then act on them
🔹 Assign clear cyber risk ownership at the director level
🔹 Develop response protocols that go beyond basic compliance
🔹 Request cyber audits that evaluate both IT security and executive leadership preparedness
Bottom Line: You Are Personally Accountable
Cyber threats are escalating, and regulators are watching. This isn’t just about IT anymore; it is about your financial and legal future.
Is Your Board Prepared?
Want cyber leadership insights like this in your inbox?
Subscribe to CyberBytes, your no-fluff brief on risks, regulations, and the steps directors need to take next.
Know You’re Secure.