Frequency is qualitative rather than search-volume data. It reflects recurring concerns in verified Australian forum discussions and the issues repeatedly addressed in ASD, ASIC and AICD governance guidance. The hero statistics describe reported cybercrime and ASIC survey findings; they are not direct measures of how attentive every Australian management team or board is.
Why does cyber security keep dropping off the leadership agenda, and why does that matter?
Cyber security often loses attention because its benefits are preventative, its language can be technical, ownership is unclear and immediate sales, staffing and operational problems feel more urgent. A quiet month can be mistaken for evidence that the risk is under control. Reporting can also work against attention when leaders receive long lists of tools, alerts and technical activity without a clear statement of the business exposure or decision required. The remedy is not permanent crisis mode. Treat cyber as an ordinary business risk with a named owner, a short recurring agenda item, clear escalation triggers and a small number of unresolved decisions. This matters because cyber incidents can interrupt trading, expose customer information, compromise payments and damage supplier or customer trust even when the organisation is not large.
- owner-run or microbusiness — The owner is effectively the governance body and should review the most important systems, incidents and unfinished actions at a practical recurring interval.
- management team — Put cyber risk into the existing operational or risk meeting instead of creating a separate governance bureaucracy.
- attention triggers — Escalate immediately after a material incident, major system change, acquisition, sensitive-data project, critical supplier change or significant control failure.
Cyber risk: what changed, what failed, what remains unresolved, and what decision does leadership need to make?
As an owner or director, what am I actually responsible for?
An owner or director is not expected to configure firewalls, interpret every alert or personally run an investigation. Governance means ensuring that material cyber risk is understood, assigned, resourced and reviewed. Leadership should know which services and information are critical, decide how much disruption or exposure the organisation can accept, approve priorities, appoint operational owners and require evidence that important controls work. Management, internal IT and external providers carry out the day-to-day work within those directions. Delegation is necessary, but it should include a reporting line, limits of authority, escalation rules and a way for leadership to challenge unsupported assurances. In a small owner-run business, the owner often performs both governance and operational roles, but should still separate the two decisions: what risk will the business accept, and who will perform the work?
- sole director or owner-manager — Record important risk decisions even when the same person makes the decision and performs the work.
- management team — Assign an accountable executive while keeping operational responsibilities with IT, operations and providers.
- governance versus operation — Leadership sets direction, appetite, resources and oversight; specialists implement, monitor, respond and provide evidence.
Leadership owns the risk decision. IT and providers operate the controls and report whether they are working.
Do directors have legal duties that touch cyber security?
Yes, but the position should not be overstated. The Corporations Act contains general duties rather than a rule making directors automatically personally liable whenever a cyber incident occurs. Directors and officers must exercise care and diligence and comply with other applicable duties. Cyber risk can become relevant to those duties when it is a foreseeable and material business risk, particularly where sensitive information, critical services, regulatory obligations or known control failures are involved. ASIC has said that inadequate cyber oversight may expose directors to potential enforcement action, but liability depends on the legislation, facts, role, knowledge, available options and reasonableness of the response. Good governance does not require eliminating all risk. It requires informed attention, proportionate measures, appropriate resources, reasonable challenge and evidence that known gaps are being addressed or consciously accepted.
- company director or officer — General statutory duties may be relevant to the oversight of foreseeable and material cyber risks.
- sole trader or partnership without a company board — Corporations Act director duties may not apply in the same way, but privacy, contractual, employment, industry and other obligations may still apply.
- reasonable oversight — Know the material risk, ask informed questions, obtain competent advice where needed and follow up significant gaps.
Are we giving this foreseeable risk the care, information, resources and follow-up that a reasonable leader would give it?
What does "good oversight" look like for a small business vs a board?
The substance is similar at every size: know what matters, assign responsibility, receive useful information, question significant gaps, approve priorities and prepare for incidents. The form should scale. An owner-run business might use a 15-minute quarterly review covering critical accounts, backups, incidents, supplier changes and overdue actions, with immediate escalation when something material changes. A management team can add cyber to its existing risk or operations meeting and nominate an executive owner. A board should receive concise risk-based reporting, challenge management's assumptions, review material exceptions and supplier exposures, and periodically examine incident readiness. An annual scenario exercise is a useful better-practice benchmark, but it is not a universal statutory cadence for every business. More frequent review may be appropriate after an incident, major transformation or sustained control failure.
- owner-run small business — Use a short recurring review with a named action owner and immediate escalation for material events.
- executive or management team — Include cyber in normal risk governance and require operational evidence from internal teams and providers.
- board or board committee — Use regular risk-based reporting, periodic deep dives, tracked decisions and exercised incident governance.
- event-driven oversight — Do not wait for the next scheduled meeting after a material incident, critical supplier failure or serious control exception.
Cyber risk is a standing quarterly item; material incidents and control failures are escalated immediately; our incident exercise date is recorded.
What should leadership actually see and review?
Leadership needs a short risk view, not a catalogue of every alert or software product. A useful report shows the most important business services and information, the top current risks, material incidents and near misses, whether critical controls are working, significant supplier exposure, overdue remediation, accepted exceptions and decisions required. Evidence might include MFA coverage for critical accounts, successful backup restores, patching of exposed systems, privileged-access reviews, incident exercise results and confirmation that former users were removed. Include cyber-insurance conditions and reporting contacts where insurance is relied upon. Use trends and plain language. A red status should identify the consequence, owner, target date and decision needed rather than merely announcing that a technical metric missed its target.
- risk view — Show critical services, top risks, possible consequences, owners, treatment and residual exposure.
- control evidence — Report a small number of tested controls rather than relying only on policy statements or product deployment.
- supplier and insurance view — Show critical providers, shared responsibilities, incidents, unresolved assurance issues and relevant insurance conditions.
- decision queue — Highlight overdue actions, risk acceptances, funding choices and matters requiring leadership authority.
Cyber dashboard: top five risks, material incidents, tested control evidence, critical supplier exposure, overdue actions and decisions required.
Who owns cyber risk in the leadership structure, and how do we avoid it being "no one"?
Give cyber risk one accountable business owner and name a deputy. In a microbusiness, that may be the proprietor. In a larger organisation, it may be the chief executive, chief operating officer, chief risk officer or another executive with authority over priorities and resources. The IT manager, security lead, MSP or MSSP can be the operational lead, but should not be left to accept business risk by default. Document who approves privileged access, who accepts unresolved risk, who receives incident escalation, who can authorise service shutdowns and who speaks for the organisation. Shared responsibilities with providers should be written down. The board retains oversight where a board exists; appointing an executive or provider does not make the subject disappear from the board's risk responsibilities.
- microbusiness — Name the proprietor or senior manager as accountable owner and nominate another person or adviser who can act if they are unavailable.
- management team — Assign an executive sponsor with authority over funding, priorities, risk acceptance and incident decisions.
- board — Retain oversight while management and specialists operate the program and report evidence.
- responsibility map — Separate accountability, operational delivery, access approval, assurance, risk acceptance and incident authority.
Accountable owner: [name]. Deputy: [name]. Operational lead: [name or provider]. Unresolved risk and material incidents escalate to: [owner or board].
How much should we spend, and how do we make a proportionate investment decision?
There is no universal percentage of revenue that proves a business is spending enough. Start with the possible business harm: inability to trade, payment fraud, loss of sensitive data, safety impact, contractual failure, recovery cost and loss of a critical supplier. Then assess exposure, existing controls and the cost and effectiveness of realistic treatments. Protect the most critical accounts, systems and recovery capabilities first. Compare proposed spending with the risk it reduces, the evidence it will produce and the residual risk left behind. Include people, process, testing and recovery rather than treating the security budget as a software shopping allowance. Where a control is deferred, record the reason, owner, interim measure and review date. Proportionality permits different solutions for different organisations; it does not mean ignoring a serious known risk because the business is small.
- small owner-run business — Prioritise identity protection, updates, backups, payment verification, access removal and incident contacts before complex tooling.
- growing SME — Add supplier assurance, monitoring, recovery testing, independent review and documented risk acceptance as complexity grows.
- investment test — Link each material investment to a risk, expected reduction, operating owner, evidence and remaining exposure.
Approve cyber spending against the loss or disruption it reduces, the evidence it will produce and the residual risk we knowingly accept.
What does leadership need to do BEFORE and DURING an incident?
Before an incident, leadership should approve the response structure, nominate decision-makers and deputies, identify critical services, confirm external contacts and understand which reporting clocks may apply. Decide who can isolate systems, engage specialists, notify an insurer, obtain legal advice, approve customer communications and make any decision concerning extortion. Exercise the plan with a realistic scenario and record improvements. During an incident, leadership should establish a decision rhythm, confirm facts and uncertainties, authorise priorities, preserve evidence, track deadlines and keep a written decision log. Technical responders should manage containment and recovery; leaders should manage business consequences, regulatory and contractual obligations, stakeholder communications, resources and risk acceptance. Avoid speculative statements and avoid delaying escalation while waiting for perfect information.
- before an incident — Confirm roles, deputies, external contacts, insurance requirements, reporting triggers, communication authority and exercise results.
- during an incident — Set decision authority, meeting cadence, priorities, evidence preservation, deadlines, communications and a decision log.
- owner-run business — Keep an offline contact sheet and identify who can act when the owner or normal systems are unavailable.
- board — Oversee material decisions and consequences without displacing the incident commander or technical response team.
Before an incident: confirm authority, contacts, reporting clocks and the exercise date. During an incident: record decisions, owners, deadlines, evidence and communications.
Common failure modes — set-and-forget, treating it as purely IT, no reporting line, no incident authority, box-ticking.
The most common governance failure is not the absence of a large framework. It is the absence of a working management loop. A policy is approved and forgotten; an MSP is assumed to own everything; technical activity is reported without business meaning; unresolved risks have no accepting authority; incident decisions have no named owner; or compliance training becomes a completion statistic. Correct this with a small cycle: assign accountability, identify the critical risks, fund proportionate controls, test evidence, escalate exceptions, exercise incidents and track improvements. Review whether reports change decisions. Retire metrics that nobody uses. Require an owner and due date for every material gap. Treat policies, certifications and insurance as inputs to governance rather than proof that the organisation is secure.
- set-and-forget — Use recurring review, change triggers, control testing and tracked improvement actions.
- IT-only governance — Separate technical delivery from business accountability, risk acceptance and incident authority.
- box-ticking — Test whether policies, training, backups, access controls and response plans work in realistic conditions.
- provider assumption — Document shared responsibilities and require evidence rather than treating outsourcing as risk transfer.
Review exceptions, overdue actions, untested plans, unsupported systems and single-person dependencies—not just policy and training completion.
What's my next step?
Common misconceptions
- “Cyber security is an IT department responsibility.” Technical work can be delegated, but ASD and ASIC treat cyber risk oversight as a leadership and business-risk responsibility. VERIFIED
- “A director is automatically personally liable whenever the company has a breach.” Liability is not automatic; general duties and any specific statutory obligations must be applied to the facts, conduct, knowledge and reasonableness of the response. INFERRED
- “Directors need to be technical cyber experts.” Directors need sufficient understanding to assess material risk, ask informed questions, obtain suitable advice and challenge management; they do not need to operate the controls themselves. INFERRED
- “A small business does not need governance because it has no board.” The governance process still exists; in an owner-run business the owner commonly makes the equivalent risk, resource and incident-authority decisions. INFERRED
- “Outsourcing IT transfers cyber accountability to the provider.” ASD says shared responsibilities should be documented and customers retain responsibilities and risk. VERIFIED
- “Good governance means reducing cyber risk to zero.” ASIC has recognised that zero cyber risk is not possible, while adequate documentation and controls can materially reduce it. VERIFIED
- “There is a standard percentage of revenue every business should spend on cyber security.” The reviewed Australian guidance uses proportionality based on size, complexity, risk profile and asset sensitivity rather than one universal percentage. INFERRED
- “A board needs every technical metric to exercise oversight.” ASD distinguishes threshold governance questions from supplementary technical questions, supporting concise risk-based reporting with deeper detail where needed. VERIFIED
- “Approving a policy once is sufficient governance.” ASIC and ASD emphasise ongoing reassessment, monitoring, assurance, exercises and improvement. VERIFIED
- “Cyber insurance replaces oversight and incident preparation.” Insurance can support financial recovery, but leadership still needs controls, accurate representations, reporting processes and decision authority. INFERRED
- “Leadership should wait for complete technical certainty before escalating or communicating an incident.” Reporting clocks and harm-reduction decisions can begin before every fact is known, so plans need authority, triage and escalation rules. INFERRED
- “Compliance completion proves the organisation is secure.” Compliance can establish a useful baseline, but control operation, testing, incident readiness and continuous improvement determine whether the organisation is becoming more resilient. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Corporations Act 2001 — general duties of directors and officers | Australian Securities and Investments Commission | A person is a director or officer of a company or other corporation covered by the relevant provisions. Cyber risk may be relevant where it forms part of the foreseeable and material risks facing the organisation. | Ongoing. Duties including care and diligence and good faith apply to the performance of the role, not only after an incident. | |
| Privacy Act 1988 — Notifiable Data Breaches scheme | Office of the Australian Information Commissioner | An entity covered by the NDB scheme suspects or has reasonable grounds to believe that an eligible data breach has occurred: unauthorised access, disclosure or loss likely to cause serious harm where remedial action has not removed that likelihood. | Take reasonable steps to complete a suspected-breach assessment within 30 calendar days. If there are reasonable grounds to believe an eligible breach occurred, notify affected individuals and the OAIC as soon as practicable unless an exception applies. | |
| Cyber Security Act 2024 — ransomware and cyber-extortion payment reporting | Department of Home Affairs through the Australian Signals Directorate reporting portal | A reporting business entity carrying on business in Australia with previous-financial-year turnover of at least $3 million, or a responsible entity for a covered critical infrastructure asset, makes or becomes aware of a ransomware or cyber-extortion payment made on its behalf. | Report within 72 hours of making, or becoming aware of, the payment. | |
| Security of Critical Infrastructure Act 2018 — mandatory cyber incident reporting | Cyber and Infrastructure Security Centre and Australian Signals Directorate's Australian Cyber Security Centre | The organisation is a responsible entity for a covered critical infrastructure asset and becomes aware of a cyber security incident having a significant or relevant impact on the asset. | Report a critical incident with significant impact within 12 hours and another reportable incident with relevant impact within 72 hours of becoming aware of it. Additional written follow-up periods apply where the initial report is oral. | A civil penalty may apply for failure to report as required. |
| Corporations Act 2001 — AFS licensee risk-management obligations | Australian Securities and Investments Commission | The business holds an Australian financial services licence and is subject to the applicable general licence obligations. | Ongoing. Maintain adequate risk-management systems and suitable technological, financial and human resources as required by the licence obligations. |
Sources
- Cyber security priorities for boards of directors 2025–26 primary
- Cyber Security Governance Principles Version 2 primary
- Governing Through a Cyber Crisis primary
- Cyber risk: Be prepared primary
- Marconi's illusion: What a 120-year-old magician's trick can teach us about cyber preparedness primary
- The times they are a-changin'– but directors' duties aren't primary
- It's tough being a director (but that doesn't mean you shouldn't do it) primary
- ASIC action sees FIIG Securities ordered to pay $2.5 million over cyber security failures primary
- What a Federal Court ruling on cybersecurity means for AFS licensees primary
- AFS licensee obligations primary
- Corporations Act 2001 primary
- ASD cyber security principles primary
- Guidelines for cyber security incidents primary
- Annual Cyber Threat Report 2024–25 primary
- Cloud shared responsibility model: Guidance for individuals and small and medium businesses primary
- Quick reference guide for responding to data breaches primary
- Ransomware payment and cyber extortion payment reporting primary
- SOCI Act regulatory obligations primary
- Late Cyber Incident Reports and Insider Threats primary
- Reddit r/auscorp discussion: cyber role without continuing management support forum
- Reddit r/sysadmin discussion: Australian sysadmin asked to decide cyber insurance forum
- Whirlpool discussion: board decisions, risk and cyber investment forum
- Whirlpool discussion: approval and third-party administrator access forum
- Reddit r/auscorp discussion: management visibility after a sysadmin departure forum
- Whirlpool discussion: informal technical ownership and concentrated knowledge forum
- Whirlpool discussion: security budgets at smaller institutions forum
- Whirlpool discussion: incident response and determining scope forum
- Reddit r/auscorp discussion: compliance training as box-ticking forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.