Introduction
When a serious cyber incident lands, one of the first questions a regulator or a court asks is not what the firewall was doing. It is what the board did. In Australia, the oversight of material cyber and data risk has moved from the IT roster onto the board agenda, and that is where director duties and cyber security now intersect. A board that still treats a breach as something the technology team will handle is leaving a governance gap, and the legal exposure for that gap can reach the directors personally, not only the company.
This article explains where directors’ duties meet cyber risk, what the most-cited Australian authority on the point tells us, and the practical steps a board can take this financial year to evidence proper oversight. It is written for company directors, SME and family-business owners across Brisbane, Queensland and the rest of the country, and the boards of regulated entities.
Why cyber is a director-duty issue, not just an IT issue
Directors owe statutory duties of care and diligence under the Corporations Act 2001 (Cth), principally sections 180 and 181. The duty in section 180 requires a director to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the same position. Section 181 requires directors to act in good faith in the best interests of the company and for a proper purpose.
These are technology-neutral duties, but their reach now extends to overseeing material cyber and data risk. The reasoning is straightforward. A serious cyber incident can interrupt operations, trigger notification obligations, attract regulator attention, expose the company to litigation, and damage relationships with customers and lenders. Where a risk is material to the business, the board’s duty to oversee that risk applies, whether the risk is financial, operational or cyber.
The point is not that a director must become a technologist. It is that a director must satisfy themselves that the company has a reasonable system in place to identify, manage and respond to cyber risk, and must be able to show they applied their mind to it.
What ASIC v RI Advice tells Australian boards
The most cited Australian authority on cyber and governance is ASIC v RI Advice Group Pty Ltd [2022] FCA 496. The Federal Court accepted that managing cyber security risk is part of an Australian financial services licensee’s obligations, and the decision signalled the regulator’s expectations on cyber resilience.
The case concerned a financial services licensee, so its direct findings are most relevant to licensed entities. But the broader signal carries across the economy. It confirmed that cyber risk management is part of how a regulated business meets its obligations, and that the regulator now has clear expectations about cyber resilience. In our experience, the practical takeaway for any board is that documented systems are only part of the answer: regulators and courts will look at whether those systems are actually put into practice and tested, not just whether they exist on paper.
For financial-services clients there are additional reference points. APRA’s prudential standard CPS 234 sets information security requirements for APRA-regulated entities and is a useful benchmark of what a regulator considers reasonable information-security practice. ASIC’s Regulatory Guide 271 (internal dispute resolution) is a separate financial-services reference point relevant to how complaints arising from an incident are handled. Neither binds a board that does not fall under APRA or ASIC, but both indicate regulator expectations.
What good board cyber governance looks like
A board does not need to run the network. It needs to govern the risk. In practice, sound board cyber governance has a recognisable shape.
- A stated cyber risk appetite: The board should articulate how much cyber and data risk the company is prepared to accept, in plain terms, and management should manage to it.
- A reporting cadence: Cyber should be a standing item, with regular, intelligible reporting to the board, not a one-off briefing after something has gone wrong. Directors should receive information they can actually act on.
- A tested incident response plan: A written plan is a starting point. A plan that has been tested through a drill, with defined roles and a legal lead identified in advance, is what stands up under pressure.
- Third-party and vendor risk: Much of an organisation’s data sits with suppliers, software providers and outsourced functions. The board should understand where the company’s key data exposures sit across its vendors.
- Insurance reviewed against real exposure: Cyber and professional indemnity cover should be checked against the company’s actual risk profile, not assumed to respond.
- An annual cyber report: A consolidated annual report to the board gives directors a documented basis for the oversight they are exercising, and a record that they did so.
The common thread is evidence. The duty of care is measured against what a reasonable director would do, and a board that can show a deliberate, recorded process is in a far stronger position than one relying on assurances given in passing.
Directors’ liability after a data breach
Directors’ liability after a data breach starts with one point that is easy to overlook: the duties in sections 180 and 181 are personal. Where a director has failed to exercise reasonable care in overseeing a material risk, the consequences can attach to the director, not only to the company, principally through ASIC enforcement action such as civil penalties, disqualification or compensation orders. This is not a reason for alarm, but it is a reason to govern cyber risk as seriously as financial risk.
The exposure is not limited to a single statute. A serious breach can engage the Notifiable Data Breaches obligations under the Privacy Act 1988 (Cth), which require an eligible data breach to be notified to the OAIC and affected individuals as soon as practicable. Since 10 June 2025, individuals have also been able to sue personally for serious invasions of privacy under the new statutory tort, which covers both intrusion upon seclusion and misuse of information. The OAIC now holds strengthened enforcement powers, including a tiered civil penalty regime, and began its first proactive privacy compliance sweep in January 2026, looking at around 60 organisations across six sectors (including real estate agencies). That is one reason boards are paying closer attention to privacy as a governance risk; we cover that shift in detail in our privacy reforms article.
There is also a separate reporting obligation under the Cyber Security Act 2024 (Cth) that boards should understand. It does not apply to data breaches generally. It is triggered when a ransomware or cyber-extortion payment is made, by the entity or on its behalf. A reporting business entity (one carrying on business in Australia with annual turnover of $3 million or more) and responsible entities for critical infrastructure assets must report that payment to the Department of Home Affairs and the Australian Signals Directorate within 72 hours. A board that understands how these obligations connect, and how they differ, is better placed to oversee them.
Practical steps a board can take this financial year
You do not need to solve everything at once. A sensible sequence is:
- Put cyber risk on the board agenda as a standing item, with an owner and a reporting cadence.
- Confirm the company has a written incident response plan, and schedule a drill to test it.
- Map where your most sensitive data sits, including with third parties, and review the contracts that govern it.
- Review cyber and professional indemnity insurance against your real exposure.
- Commission an annual cyber report so the board has a documented record of its oversight.
How GRM LAW helps boards evidence oversight
GRM LAW’s Cyber Law & Advisory practice works with boards to put the legal architecture of cyber governance in place through our Cyber Annual Report, a fixed-fee engagement providing a director cyber-duty memo and regulator-readiness statements. The practice is supervised by founding partner Gavin McInnes, an Accredited Specialist in Business Law, and GRM advises on controls it actually runs, maintaining a hardened environment aligned to APRA CPS 234 and Essential Eight Maturity Level 2. This operator depth ensures the advice your directors receive comes from a firm that understands the technical reality of the controls it advises on, allowing boards to evidence oversight at the point it matters most.
Most engagements begin with a no-obligation 30-minute scoping call to discuss your specific governance requirements. If your board needs a clearer line of sight over cyber risk, or you want to evidence your oversight before the next AGM or financial-year-end, book a call with GRM LAW’s specialist cyber and privacy lawyers. You can also request our free Cyber Readiness Checklist as a lower-commitment starting point to begin assessing your current resilience.
Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.