Cybersecurity is no longer a purely technical issue. It is now a core governance risk for directors and boards. As organisations become increasingly reliant on digital systems and data, regulators and courts are shifting toward treating cyber resilience as part of directors’ statutory duties.
In this article, Errol Price, Director Legal, Symmetra Pty Ltd, examines how Australian law is evolving in response to cyber risk, the growing expectations placed on both executive and non-executive directors, and the circumstances in which cyber governance failures may give rise to personal liability.
Modern corporations depend fundamentally upon digital systems, cloud infrastructure, third party technology providers and large volumes of sensitive data. Given these realities, cybersecurity plainly constitutes a foreseeable and material enterprise risk.
Cyber breaches are capable of exposing corporations, officers and potentially non-executive directors to significant regulatory scrutiny and personal liability. Australian courts and regulators, particularly the Australian Securities and Investments Commission (ASIC), have progressively reframed cyber resilience as a matter of statutory compliance, risk management and directors’ duties.
No Australian court has yet imposed liability upon directors specifically for cyber failures. However, the legal principles capable of supporting such liability are already emerging. The critical question in future cases will almost certainly not be whether cybersecurity falls within directors’ responsibilities; that proposition is increasingly accepted. Rather, the question will be whether directors took reasonable steps to understand, supervise and respond to foreseeable cyber risks within their organisations.
This article examines the development of those principles and considers how Australian courts and regulators may extend them to cyber incidents and data breaches in the future.
Under s 180(1) of the Corporations Act 2001 (Cth), Australian courts apply an objective standard of care and diligence when determining whether directors — executive or non-executive — are liable for acts or omissions undertaken on behalf of the corporation.
The statutory test is:
whether the director or officer exercised the degree of care and diligence that a reasonable person would exercise if they:
were a director or officer of a corporation in the corporation’s circumstances; and
occupied the office held by, and had the same responsibilities within the corporation as, the actual director or officer.
In practice, courts ask: What would a reasonable director in that position have done?
The test combines:
1. An objective standard
The benchmark is not the director’s personal skill level or subjective belief alone. Courts assess conduct against the standard expected of a reasonable person in the same role.
2. A contextual standard
The court considers:
the nature and size of the company,
the director’s role,
the risks facing the business,
the director’s expertise,
whether the director was executive or non-executive,
the circumstances at the time (judged without the benefit of hindsight).
A director may avoid liability under the statutory “business judgment rule” defence in s 180(2) if they made the judgment in good faith for a proper purpose, had no material personal interest in its subject matter, informed themselves about the subject matter to the extent they reasonably believed appropriate, and rationally believed the judgment was in the best interests of the corporation.
The defence applies only to genuine “business judgments” (ASIC v Rich [2009] NSWSC 1229) and not to failures of oversight, inattention or compliance monitoring (ASIC v Vocation Ltd (in liq) [2019] FCA 807). A board that simply never turns its mind to cyber risk has made no judgment to which the defence can attach.
Executive directors are more exposed to personal liability for cybersecurity and privacy breaches than non-executive directors because they are ordinarily involved not merely in oversight, but in the operational management, implementation and disclosure processes that give rise to the risk.
Under s 180(1) of the Corporations Act 2001 (Cth), executive directors may breach their duty of care and diligence where they fail to implement adequate cyber governance systems, ignore known vulnerabilities or “red flags”, fail to ensure compliance with privacy and data protection obligations, or approve misleading disclosures concerning cyber preparedness or incidents. Their position within management makes it substantially more difficult to rely on ignorance, delegation or reliance on others.
The trend in both regulatory enforcement and corporate law jurisprudence is toward the personalisation of cyber accountability at senior management level. Regulators increasingly characterise cyber security and privacy compliance as core governance obligations rather than merely technical matters. In Australia, executive directors may therefore face personal exposure not only for failures of oversight, but also for failures of implementation, escalation, remediation, and disclosure, particularly where internal reports, audits, or incident warnings demonstrate actual knowledge of material cyber or privacy deficiencies.
Historically, Australian courts have noted the following of non-executive directors: they are not involved in day-to-day management; they may rely to a degree upon management and experts; and they are not expected to possess the same operational knowledge as executives.
Authorities such as Daniels v Anderson (1995) 37 NSWLR 438 nevertheless make clear that non-executive directors cannot adopt a passive role. Directors are expected to: understand the business; monitor corporate affairs; read and understand financial and risk information; and inquire where concerns arise. These principles are undoubtedly applicable to cyber risks.
Cybersecurity presents unique governance challenges because: the risks are technically complex; the consequences may be catastrophic; attacks are increasingly foreseeable; regulators have repeatedly warned boards; and cyber resilience now forms part of ordinary corporate governance expectations. As cyber incidents become more common and regulatory expectations more explicit, courts may become less sympathetic to arguments that directors lacked technological expertise.
The landmark decision in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 was the first Australian case in which the Federal Court directly considered the adequacy of cybersecurity risk management within the framework of Australian Financial Services Licence (AFSL) obligations.
RI Advice was an AFSL holder with numerous authorised representatives operating financial advisory practices across Australia. Between approximately 2014 and 2020, several authorised representatives experienced serious cybersecurity incidents. ASIC alleged that RI Advice had failed to implement adequate cybersecurity controls across its network of authorised representatives.
The Court made declarations, by consent of the parties, that RI Advice had contravened its obligations under s 912A to do all things necessary to ensure that financial services were provided efficiently, honestly and fairly, and to maintain adequate risk management systems. Importantly, the Court recognised cybersecurity risk management as an integral aspect of an AFSL holder’s statutory obligations.
While RI Advice focused on corporate liability rather than personal director liability, the reasoning naturally raises questions concerning the obligations of boards and directors responsible for overseeing enterprise risk.
In 2026, the Federal Court imposed civil penalties of approximately $2.5 million on FIIG Securities Limited following prolonged cybersecurity deficiencies and a significant data breach affecting thousands of clients. The breach resulted in the theft of large volumes of client information.
The Court found that FIIG had breached multiple AFSL obligations under s 912A of the Corporations Act by failing to maintain adequate technological resources, to implement cyber resilience measures, to maintain adequate risk management systems, and to provide financial services efficiently, honestly and fairly.
Unlike RI Advice, which largely involved declaratory and remedial relief, in FIIG the cybersecurity failure resulted in substantial pecuniary penalties. Cyber governance failures are therefore no longer merely compliance deficiencies requiring remediation; they are now capable of attracting significant punitive consequences.
Australian Securities and Investments Commission v Bekier [2026] FCA 196 arose from governance failures at The Star Entertainment Group concerning anti-money laundering (AML), regulatory compliance, and dealings with high-risk junket operators.
ASIC commenced proceedings against former senior executives and non-executive directors, alleging breaches of duties under s 180 of the Corporations Act.
The Federal Court ultimately found that former CEO Matthias Bekier and former Chief Legal Officer Paula Martin had breached their duties. However, ASIC did not succeed against the non-executive directors.
Although Bekier was not a cyber case, it is highly significant in understanding how courts may approach cyber oversight failures. The judgment traversed a number of topics bearing upon the functions of management and executive responsibility in corporations, including: the responsibilities of senior management; the role of non-executive directors; board reliance upon management escalation of risk; governance systems; information flows to boards; and the distinction between passive receipt of information and active understanding, questioning and initiating action where necessary. While recognising that directors are entitled to rely upon management and specialist advisers to a degree, the Court also emphasised that such reliance cannot become blind passivity.
Those principles are directly transferable to cyber governance.
ASIC has increasingly framed cyber resilience as fundamental to an entity’s “licence to operate”, and has made clear that entities entrusted with sensitive customer data must proactively identify, manage and respond to cyber risks. In the light of recent rapid technological developments, particularly very powerful AI systems that multiply the opportunities for cyber breaches, ASIC has stated emphatically that it regards the issue as acute and urgent.
On 8 May 2026, ASIC addressed a letter to licensees and directors stating as follows:
“The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape. These models are accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors. This does not mean entirely new categories of risk, but it does mean existing controls are more likely to be tested, more often, and under greater pressure. This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives.”
Consequently, it is clear that ASIC intends to monitor cybersecurity standards in regulated businesses proactively and to take enforcement action where deficiencies are found.
The direction of travel in Australia is unmistakable: cyber security is no longer viewed as a purely operational or technical issue, but as a core governance obligation attracting the full weight of directors’ duties. Regulators, courts and policymakers are increasingly framing cyber resilience as an essential component of the statutory duty of care and diligence under the Corporations Act 2001 (Cth), particularly where foreseeable cyber risks threaten shareholder value, customer information, market disclosure obligations or operational continuity.
Executive directors may find themselves personally liable for cyber breaches and the resulting losses to shareholders because they are directly involved in operational decisions. For non-executive directors, the emerging lesson is that independence from day-to-day management does not equate to insulation from responsibility. Contemporary governance expectations increasingly require directors to demonstrate active and informed engagement with cyber risk: asking difficult questions, testing management assumptions, ensuring adequate resourcing, scrutinising incident response capability and embedding cyber resilience into enterprise-wide risk frameworks.
The modern boardroom is therefore confronting a structural shift: cybersecurity is becoming as fundamental to directors’ obligations as financial reporting, workplace safety and continuous disclosure, and where boards fail to adapt, both the companies they serve and the directors personally may suffer.
Errol Price, Director Legal, Symmetra Pty Ltd
Errol Price’s decades of experience in commercial law, and specifically as an adviser to leading companies on equity, discrimination and workplace relations issues, add significant value to Symmetra’s understanding of the complexities of the workplace. His track record in formulating human resource and workplace relations policies for many multinational and blue-chip companies, as well as advising clients on the impact of equity and anti-discrimination law, has helped position Symmetra as one of the leading consultancies on diversity and inclusion. More recently he has specialised in the law pertaining to discrimination, harassment and bullying in the Australian workplace. This has provided the legal foundation for Symmetra’s highly successful diversity, EEO and anti-bullying and harassment programs, delivered across Australia for the past 10 years. Errol conducts workshops for public and private sector organisations in Australia on dealing with unlawful and inappropriate behaviour. He advises organisations on managing bullying and designing harassment policies, and helped establish the complaints handling processes for a large NSW state department. Errol is regularly invited by leading providers of continuing legal education for practitioners, such as Legalwise and ICLE, to deliver presentations on selected legal topics.