ASIC to Hold Boards Accountable for Cyber Breaches


As cyberattacks grow more frequent and more damaging, regulators are cracking down on inadequate corporate defences. A recent Australian Financial Review article by Tess Bennett highlighted how the Australian Securities and Investments Commission (ASIC) is investigating board directors over their preparedness for, and responses to, cyber breaches. With a cyberattack now reported every six minutes in Australia, ASIC is signalling a shift in accountability: companies will no longer be able to pay lip service to cybersecurity, and directors who fail to take adequate measures may face legal consequences.

ASIC chairman Joe Longo and commissioner Simone Constant have emphasised that organisations must be able to produce clear evidence of their efforts to defend against cyberattacks. This heightened scrutiny follows high-profile breaches such as those at Optus and Medibank, where the legal and reputational fallout has dragged on for years. In the Medibank case, hackers accessed the personal health data of 9.7 million Australians, exposing the company to the threat of massive fines.

The financial cost of such breaches is staggering. According to IBM's 2024 Cost of a Data Breach report, the global average cost of a data breach is US$4.88 million, and the technology sector averages around US$5.5 million per breach, the fourth-highest figure across industries. These costs encompass direct financial losses, legal fees and reputational damage, any of which can cripple a business whose board has failed to implement adequate cybersecurity measures.

ASIC's scrutiny of board responsibility is not without precedent. In 2022, in proceedings brought by ASIC, the Federal Court found that RI Advice had breached its licensee obligations after the company suffered repeated cyberattacks between 2014 and 2020, and ordered it to pay $750,000 towards ASIC's costs. That case set a clear example of the regulator's intent to hold companies accountable for failing to protect sensitive data. The trend is likely to continue as ASIC seeks "the right case" to push for further legal action, as Longo noted. Companies that do not invest in proportion to the risks they face are prime targets for regulatory scrutiny.

The takeaway is clear: board members must move beyond a checkbox mentality on cybersecurity. As Ms Constant told directors directly, "This is your responsibility." Comprehensive, regularly updated business continuity strategies, cybersecurity simulations and oversight from the highest levels of the organisation are now essential. ASIC's warning to stockbrokers and futures dealers reinforces this point, advising that robust plans for cyber disruptions and IT outages must be in place.

Ultimately, responsibility for cybersecurity no longer sits solely with IT departments. Boards are now on the hook to ensure that their organisations are resilient against cyber threats; failure to do so could result in costly legal battles and lasting damage to reputation and the bottom line.

Knightcorp Insurance Brokers have a proven track record of helping businesses strengthen their cybersecurity posture and mitigate risks. From conducting thorough cyber risk assessments to developing incident response plans and providing employee training, we work with you to ensure your business is equipped to handle evolving threats. Our insurance solutions are designed to protect not just your data and operations, but also the leadership responsible for overseeing these critical areas.

In the current regulatory environment, protecting board members from personal liability in the event of a cyber breach is more important than ever. Knightcorp provides expert guidance on implementing key insurance policies such as Directors and Officers (D&O) Insurance, which shields executives from legal claims tied to perceived mishandling of cyber risks. Our tailored Cyber Liability Insurance policies address the financial fallout from breaches, including legal costs and regulatory fines. For Information Technology professionals and contractors, we have created combined Professional Liability and Public & Products Liability policies to help avoid the gaps in coverage that can arise when these policies are placed separately. With our expertise, your company's leadership can confidently navigate the complex landscape of cyber risk and regulatory scrutiny.

For more information, please contact Knightcorp


DISCLAIMER: This information is provided to assist you in understanding the risks, implications, and common considerations for your industry. It does not constitute advice and is not complete. Please contact Knightcorp Insurance Brokers for further information.

Category: Business Insurance