IronSights

compliance

Board-Level Cyber Security Governance: A Framework for Australian Directors

Cyber security is now a board-level responsibility. ASIC has been clear that directors who ignore cyber risk face potential liability. Here is what meaningful governance looks like in practice.

By Ryan Balloot, Managing Director. 18 March 2024. 1 min read.

ASIC has been explicit: cyber security is a governance matter, not just a technical one. Directors who cannot demonstrate that they sought appropriate advice, understood material cyber risks, and ensured those risks were managed face potential liability. The question for boards is not whether to engage with cyber security — it is how to do so substantively.

What Boards Are Responsible For

Boards are not expected to be technical experts. They are expected to: ensure the organisation has a cyber security strategy proportionate to its risk profile, receive regular and meaningful reporting on cyber risk, ensure an incident response capability exists and is tested, and confirm that management is held accountable for implementing approved controls.

The Reporting Framework

Effective cyber risk reporting to a board should include: current status against agreed maturity targets (the ACSC Essential Eight maturity model, or a comparable framework the board has endorsed), material incidents and near misses in the period, changes to the threat environment relevant to the business, and planned security investments with the risk reduction each is expected to deliver. Dashboards of patch counts and firewall statistics are operational metrics, not board-level reporting; the board needs to know whether agreed targets are being met and which material risks remain open.

The ASIC Enforcement Context

ASIC's Cyber Resilience: Good Practices publication and its enforcement activity have established clear expectations. In ASIC v RI Advice Group, decided by the Federal Court in May 2022, the court found that an Australian financial services licensee had breached its licence obligations by failing to have adequate cyber risk management systems in place. Inadequate cyber governance is therefore a live regulatory enforcement risk, not a theoretical one.

How often should the board receive cyber security briefings?

At minimum, quarterly. More frequently if there has been a significant incident, a material change in the threat environment affecting the business's sector, or a significant change to the technology environment. An annual in-depth review of the cyber security strategy — separate from quarterly operational reporting — is also good practice.
