5 May 2026

Cyber Risk, Governance, and Personal Accountability: What Australian Business Leaders Need to Show

In October 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million for failing to take reasonable steps to protect personal information. It was the first civil penalty handed down under the Privacy Act. Four months later, the court ordered FIIG Securities to pay $2.5 million for cybersecurity failings under its Australian Financial Services Licence (AFSL). Neither order fell on the IT team. Both fell on the business.

That pattern is now the rule, not the exception. This is the first article in our Australian Signals Directorate (ASD) Essential Eight series. We start with the business and personal stakes before getting into the controls, because what regulators, courts, and insurers want to see from leaders has shifted faster than most boards realise.

Why is Cyber Now a Director’s Problem?

If you run a business in Australia, you already know cyber has stopped being someone else’s problem. What you might not know is how fast the rules of personal responsibility have moved.

Under the Corporations Act 2001 (Cth), directors and officers have a duty to exercise care and diligence, measured against what a reasonable person would do in the same circumstances. That duty is technology-neutral, but cyber risk is now treated as a foreseeable business risk, and you are expected to govern it the same way you would govern financial, legal, or operational risk.

Three regulatory bodies have been clear about where accountability sits:

  • The Australian Securities and Investments Commission (ASIC) expects directors to ensure their risk management frameworks address cybersecurity.
  • Prudential Standard CPS 234, issued by the Australian Prudential Regulation Authority (APRA), places “ultimate responsibility” for information security with the board.
  • The Privacy Act requires organisations to take “reasonable steps” to protect personal information. That obligation covers both technical controls and how you govern them.

The direction is consistent: this is a leadership responsibility.

If Something Goes Wrong, What Will Regulators Ask For?

Nobody expects you to prevent every cyber incident. What regulators and courts want to see is that you governed cyber risk with care, made informed decisions, and kept records that prove it. The Corporations Act’s “business judgment rule” offers protection to directors who can show they acted in good faith and informed themselves appropriately. But that protection depends on evidence: board packs, minutes, expert advice, and a clear record of follow-up.

Four Cases Worth Knowing

RI Advice (2022). A financial advice business admitted, and the Federal Court declared, that it had contravened its AFSL obligations through inadequate cybersecurity controls. The court ordered RI Advice to engage an external cybersecurity expert at its own expense. It was the first time in Australia that a financial services firm was held to a cybersecurity standard under its licence.

Australian Clinical Labs ($5.8 million, 2025). Australia’s first civil penalty under the Privacy Act, for a 2022 ransomware incident affecting 223,000 people. The penalty was split into failure to protect personal information ($4.2 million), failure to assess the breach quickly ($800,000), and failure to notify the regulator properly ($800,000).

FIIG Securities ($2.5 million, 2026). ASIC’s first cybersecurity penalty case to reach final orders: a $2.5 million penalty plus $500,000 in costs, for cybersecurity failings between 2019 and 2023 that ended in 385GB of client data being stolen and around 18,000 clients exposed.

Medibank ($46.4 million, FY23). Not a fine, but the internal cost of one breach in one financial year, made up of administration, employee, technology, and marketing expenses. The further $30 million-plus Medibank expected the following year illustrates the long tail.

How Do I Reduce My Personal Exposure?

Personal exposure for business leaders typically arises through four paths: breach of director duties, “reasonable steps” tests under the Privacy Act, regulator action where governance evidence is examined, and mandatory incident reporting regimes with tight deadlines.

If you can show that your board set a clear risk appetite, funded proportionate controls, tracked progress, and made conscious risk decisions when trade-offs were needed, you are in a far stronger position than someone trying to reconstruct an explanation after the fact.

In practical terms, that means maintaining risk appetite statements, board minutes showing cyber oversight, Essential Eight Maturity assessments, remediation roadmaps with owners and dates, and tested incident response plans.

How Do Regulators Tell Good Security from Negligence?

A defensible security position is not perfect security. It is the ability to show that leadership understood the material cyber risks, funded proportionate controls, tested them, addressed known gaps, and documented decisions when trade-offs were necessary.

When something goes wrong, the question regulators and courts ask is whether your organisation took reasonable steps, maintained adequate risk management systems, and met its duty of care. Those tests are measured against what a reasonable person or organisation would do given the circumstances, the sensitivity of data involved, and the known threat environment. The Australian Clinical Labs judgment confirmed this, assessing “reasonable steps” against what data the organisation held, how harmful a breach could be, and what threats it already knew about.

For most Australian organisations, the fastest path to defensibility is aligning to the ASD’s Essential Eight as a baseline, adopting a target maturity level that fits your risk profile, and keeping credible evidence of implementation and exceptions.

What Does Cyber Risk Look Like on a P&L?

Cyber risk is not a single category. It shows up as operational, financial, legal, and reputational risk, often all at once. DP World Australia disconnected its network after detecting unauthorised access in 2023, disrupting port operations nationally. Latitude Financial shut down operations for weeks. Medibank disclosed $46.4 million in non-recurring cybercrime costs for FY23.

For mid-market businesses, the impact is often greater relative to the size of the business. A few days of downtime or a six-figure fraud can threaten its survival. Add legal costs, regulatory scrutiny, and damage to customer trust, and a single incident becomes a defining event.

Are We Too Small To Be A Target? (No, And Here Is Why.)

Most cybercrime in Australia hits small and medium businesses, not the household names. The ASD’s Annual Cyber Threat Report for FY2024–25 logged over 84,700 cybercrime reports, roughly one every six minutes. Small and medium businesses are heavily represented in those numbers, and most cybercrime still goes unreported.

The “we are too small to be targeted” belief is one of the most common assumptions in Australian business, and the data does not support it.

The reason is straightforward. Most attackers are not targeting your brand. They are scanning for common weaknesses across thousands of organisations: unpatched systems, stolen credentials, and missing multi-factor authentication (MFA). The ASD’s Essential Eight Maturity Model describes this pattern directly: attackers are often looking for any victim, not a specific one. If you have a gap, you are in their sights regardless of your size.

What Do Boards, Insurers, And Regulators Actually Want To See?

Despite coming from different angles, these three groups want to see the same things.

Boards are expected to set direction and test reality. The Cyber Security Priorities for Boards of Directors 2025–26, jointly published by the ASD and the Australian Institute of Company Directors (AICD), names four areas directors should be asking about this year: event logging, legacy IT risk, supply chain risk, and post-quantum readiness. The same document reinforces protecting your most critical assets and choosing technology that is secure by design.

Insurers want proof that controls actually work. Underwriting commonly tests for MFA, patching, backup practices, incident response plans, and executive-level ownership. Proposal forms often require sign-off by the board chair or CEO, so those representations need to be backed by evidence.

Regulators care about “reasonable steps”, risk management, and harm. The Office of the Australian Information Commissioner (OAIC) is using civil penalty proceedings to test what “reasonable steps” means in practice. ASIC has court-backed precedent that cybersecurity failures can breach licence obligations. Under the Cyber Security Act 2024, businesses with more than $3 million in annual turnover, and operators of critical infrastructure, must report any ransom or cyber extortion payment within 72 hours. If you are inside that scope, leadership needs a tested decision process before the moment of pressure, not after. Organisations that operate critical infrastructure also face additional incident reporting obligations under the Security of Critical Infrastructure Act 2018.

A 60-Second Self-Test

If you cannot answer “yes, with evidence” to the questions below, the rest of this article is for you.

  • Has cyber risk been on a board or leadership meeting agenda in the last six months?
  • Do you have a current Essential Eight maturity assessment, dated within the last twelve months?
  • Do you have a written, tested incident response plan with named owners?
  • If your insurer asked for evidence of MFA coverage tomorrow, could you produce it within a day?

If any of those are a “no” or a “not sure”, that is where most mid-market businesses start. The rest of this series (coming soon) walks through what good looks like at each step, and how to build the evidence to back it up.

Where To From Here

The direction regulators, courts, and insurers are heading is clear. The question for most business leaders is not whether to take this seriously. It is where to start.

For most Australian mid-market organisations, the right starting point is aligning to the ASD Essential Eight as a baseline, setting a target maturity level that can be defended, and building a consistent evidence trail. That is what this series is designed to help you do.

One thing you can do at your next leadership meeting: ask for a one-page status of your Essential Eight maturity, with a date, an owner, and the top three gaps. If nobody can produce it, that is your answer.

Not sure where your organisation sits? Talk to First Focus about a 30-minute Essential Eight maturity discussion. We will walk through where you are now, what a defensible target looks like for your industry, and what an evidence trail needs to cover.

In the next article, we look at how security frameworks connect to real risk reduction, and why passing an assessment is not the same as being protected.

You will not be judged on whether something went wrong. You will be judged on whether you saw it coming and what you did about it.

Disclaimer: This article is general information only. It is not legal, regulatory, or compliance advice and does not take into account your organisation’s specific circumstances, obligations, or risk profile. Laws and regulations change. You should seek independent professional advice before making decisions based on this content.