Directors will soon be responsible for their company’s cyber risk security – here’s what it means for you

According to the Morrison Government’s latest cybersecurity strategy, directors, boards and managers of the ASX top 200 companies will need to prepare for additional duties.
Directors will soon be responsible for their company’s cyber risk security – here’s what it means for you

Under the Corporation Act, directors will need to improve their company’s cyber security risk in order to protect customer and client credentials. It is not yet known what their new duties will be, but the Treasury is also set to implement duties similar to those in banks, insurers and superannuation funds.

However, this isn’t new information.

Additional cyber risk security was referenced in paragraph 36 of Australia’s Cyber Security Strategy 2020 which was released by Home Affairs Minister Peter Dutton last year.

The reference was vague and various reforms were suggested, but it said that business owners will need to consider “the role of privacy, consumer and data protection laws; duties for company directors and other business entities; and obligations on manufacturers of internet-connected devices”.

Director duties will change in the second half of this year. But what does it mean for you?


What are cyber risks?

Cyber risk is defined as the exposure to harm or loss from a breach of information systems. It is also related to technical infrastructure and the use of technology within the business.

Cyber attacks can occur in a number of ways, and it’s not always intentional:

  • Internal Malicious: Deliberate acts of sabotage or theft committed by an employee or an insider. For example, a disgruntled employee might delete key information before leaving the business.
  • Internal Unintentional: Acts leading to damage or loss stemming from human error by an employee or an insider. For some perspective, around 95% of cybersecurity breaches are caused by human error.
  • External Malicious: Premeditated attacks from outside parties like criminal syndicates, hacktivists, and nation-states. Examples include network infiltration, extraction of intellectual property, and denial-of-service attacks that cause system availability issues, business interruptions, or interference with the proper performance of connected devices like medical devices or industrial systems.
  • External Unintentional: Similar to the internal unintentional, these can cause loss or damage to your business but are not deliberate. For example, a third party partner experiencing technical issues can impact system availability, or there might be a natural disaster.

Recent statistics have shown a huge increase in cyber attacks since COVID-19 started. With many businesses moving online to help prevent the spread of the virus, hackers have more opportunities to attack and employees have more technology to contend with.

Now, remote workers are a target for cybercriminals and the worst part is only 5% of businesses are protected against cybersecurity risks.

That’s why the new reforms are so important.

What does this mean for you?

The Morrison Government will boost Australia’s cyber risk security over the next 10 years with a budget of $1.67 billion – but who will it impact?

APRA-regulated entities will undergo systematic testing and will need to provide assurance regarding the effectiveness of their information security controls. Right now, only 15% of ASX 200 companies are regulated by APRA, meaning 170 companies will need to make a lot of changes and take on new responsibilities in a short amount of time.

The Australian Signals Directorate (under ministerial approval) will be able to step in if they believe a company or organisation is “unwilling or unable” to respond to a cyber attack. However, this will only occur under extreme circumstances.


“There are sensors and capabilities that governments will always have as a sovereign capability that allow us to see what’s going on in a way that even the most well-resourced and the most well-credentialled cyber security firm could never see because we can, through various means, see the attacker come from the other side,” Secretary of the Department of Home Affairs Mike Pezzullo said on the matter.


In light of the upcoming changes and the ASD’s ability to step in only under “extreme” circumstances, it is imperative to protect your business with ISO 27001 certification.

ISO 27001 standards help organisations keep information assets secure. A sturdy information security management system (ISMS) can help protect financial information, intellectual property, employee details, and third-party information, ensuring you are not exposed to risk or liability.

How we can help improve your cyber risk management

Our role at Citation Certification is to assess existing ISMS and identify areas requiring improvement, from IT systems to training team members through accredited certification.

Once your ISMS has been completed and implemented, we can assess your ISMS against ISO 27001 and provide fully accredited certification.

Learn more about the value and benefits of ISO 27001, or contact us to book an assessment.

Take your business to the next level

What are you interested in?
Your data will be processed inline with our Privacy Policy.
This field is for validation purposes and should be left unchanged.