Board Cyber Governance Strategy Australia: A 2026 Reference for Directors


Most boards receive cyber reports they cannot meaningfully challenge. This gap between technical data and genuine oversight exposes directors to personal liability.

For Australian directors, this is no longer a theoretical risk. The regulatory environment of 2026 demands a fundamental shift in how we govern digital risk. The standard of defensible oversight is now tied directly to our fiduciary duties under the Corporations Act 2001. The Cyber Security Act 2024 received Royal Assent in November 2024; its mandatory ransomware payment reporting obligation is now in force, with full enforcement from 1 January 2026. Regulators therefore expect boards to demonstrate active, informed governance, not passive acceptance of management reports.

The Evolution of Board Cyber Governance Strategy in Australia

Board cyber governance is the mechanism through which directors exercise active oversight of digital risk. It is a core component of our fiduciary duty. In the past, governance often meant confirming compliance with a technical standard. Today, it means building a defensible position that proves the board acted with care and diligence before, during, and after an incident.

This marks the transition from a compliance-based approach to a defensibility-based strategy. Compliance asks, "Did we follow the rules?". Defensibility asks, "Did we exercise sound judgement and reasonable care?". The latter is the standard regulators like ASIC will apply. This requires alignment with established principles, such as those published by the Australian Institute of Company Directors (AICD), but extends them into demonstrable board actions.

Fiduciary Duty and the Corporations Act 2001

Our duty of care and diligence is enshrined in Section 180 of the Corporations Act 2001. This duty now unequivocally extends to the oversight of digital and cyber-related risks. Recent enforcement actions from ASIC show a clear trend. Regulators are increasingly willing to scrutinise board-level decisions following a significant breach. The defence of "I did not understand the technical details" is no longer viable. A director cannot delegate their accountability. We must be able to prove we asked the right questions, challenged assumptions, and made informed decisions based on a clear understanding of the organisation's key risks.

The 2026 Digital Risk Landscape

The risk landscape is changing faster than traditional governance models can adapt. AI-driven threats can execute sophisticated attacks at a scale and speed that bypass legacy defences. This reality forces a strategic pivot. We must move from a singular focus on protecting data to a broader commitment to ensuring organisational durability. Durability means the organisation can withstand a significant cyber event, recover key operations, and maintain market trust. This requires a board cyber governance strategy that is fully integrated with the firm's overarching information technology strategy, not treated as a separate technical silo.

Building a Defensible Information Technology Strategy for Boards

A defensible strategy starts with governance, not technology. It prioritises "Secure by Design" principles, ensuring that risk management is embedded into every new project and system from its inception. This is a board-level directive. It requires us to set the organisation’s digital risk appetite with clarity and precision. This is not a task for the IT department; it is a strategic decision for the board that defines what risks we are willing to accept in pursuit of our objectives.

We must also move beyond the dashboard. Technical metrics presented in a sea of green can obscure profound governance gaps. High compliance scores do not equal low risk: a percentage that counts every asset equally says nothing about which assets sit in the uncovered remainder. The board's role is to interrogate these metrics and understand the business context behind them. Integrating AI risk management into the core cyber strategy is now essential. We must ask management both how AI is being used as a defensive tool and where it represents a potential attack vector, whether through AI-enabled adversaries or through the organisation's own AI systems.
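The following script is an added illustration of the point above and is not code from the original article or from Andrew Roberts Advisory. It contrasts a raw patch-compliance percentage with one weighted by business criticality, and lists the unpatched assets by impact and exposure. The asset inventory, the five-tier criticality scale and the tier weights are constructed for the example; a real board pack would draw them from the configuration management database and the business impact assessment.

```python
"""Raw patch compliance versus risk-weighted patch coverage.

Added example, not part of the original article. The inventory and the
criticality weights are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed mapping from business impact tier (1 low .. 5 critical) to a
# weight that reflects how much a single unpatched asset in that tier
# matters. The steep curve is deliberate: one unpatched payment gateway
# should not be cancelled out by a hundred patched workstations.
TIER_WEIGHT = {1: 1, 2: 3, 3: 10, 4: 30, 5: 100}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                 # impact tier, 1..5 (assumed scale)
    patched: bool
    missing_since: date | None = None  # release date of the outstanding patch


def constructed_inventory() -> list[Asset]:
    """Constructed sample: 100 assets, 98 patched, the 2 unpatched are critical."""
    assets = [Asset(f"workstation-{i:03d}", 1, True) for i in range(90)]
    assets += [Asset(f"app-server-{i:02d}", 3, True) for i in range(8)]
    assets += [
        Asset("payment-gateway", 5, False, date(2026, 1, 5)),
        Asset("legacy-customer-db", 5, False, date(2025, 11, 20)),
    ]
    return assets


def raw_compliance(assets: list[Asset]) -> float:
    """The dashboard number: fraction of assets that are patched."""
    return sum(a.patched for a in assets) / len(assets)


def weighted_compliance(assets: list[Asset]) -> float:
    """Fraction of total business-impact weight that is covered by patching."""
    total = sum(TIER_WEIGHT[a.criticality] for a in assets)
    covered = sum(TIER_WEIGHT[a.criticality] for a in assets if a.patched)
    return covered / total


def unpatched_by_impact(assets: list[Asset], as_of: date) -> list[tuple[str, int, int]]:
    """Unpatched assets as (name, tier, days exposed), highest impact first."""
    rows = [
        (a.name, a.criticality, (as_of - a.missing_since).days)
        for a in assets
        if not a.patched and a.missing_since is not None
    ]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))


def board_summary(assets: list[Asset], as_of: date) -> dict:
    """The two numbers a director should see side by side, plus the residual list."""
    return {
        "raw_compliance": raw_compliance(assets),
        "weighted_compliance": weighted_compliance(assets),
        "unpatched": unpatched_by_impact(assets, as_of),
    }


if __name__ == "__main__":
    summary = board_summary(constructed_inventory(), date(2026, 2, 1))
    print(f"Raw patch compliance:      {summary['raw_compliance']:.0%}")
    print(f"Risk-weighted coverage:    {summary['weighted_compliance']:.0%}")
    for name, tier, days in summary["unpatched"]:
        print(f"  tier {tier}  {days:3d} days exposed  {name}")
```

On the constructed inventory the raw figure is 98 per cent while the weighted figure is under half, because the two unpatched systems carry more weight than the ninety patched workstations combined. The weights themselves are a judgement the board owns, which is the point: the metric only becomes meaningful once someone has decided which systems matter most.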

The ASD Essential Eight as a Governance Baseline

The Australian Signals Directorate (ASD) Essential Eight is a valuable framework. However, for a board, it should be treated as a governance baseline, not a technical report card. Its maturity model runs from Maturity Level Zero to Maturity Level Three, and ASD's guidance is that an organisation selects its target level according to the adversary tradecraft it expects to face; that selection is a risk-appetite judgement, not a technical setting. In 2026, the key question is not "Are we compliant with the Essential Eight?". The right questions are "How does our Essential Eight maturity level align with our stated risk appetite?" and "What residual risks remain even at our target maturity level?". We must challenge management to explain the strategic implications of these controls. We must also be alert to the danger of "green-washing" internal reports, where maturity levels are presented optimistically without reflecting the reality of day-to-day operations.

Accountability Frameworks and Reporting Lines

Clear accountability is the bedrock of good governance. This requires unambiguous reporting lines that flow from the CISO to the Audit and Risk Committee and, ultimately, to the full board. Information asymmetry between the technical teams and the board is one of the greatest sources of director liability. The board must therefore oversee the process of any deep review into its cyber governance posture. Reporting must be "board-ready". This means it is concise, strategic, and focused on business outcomes and risk-based decisions. It must translate technical complexity into a clear governance narrative that demonstrates defensible oversight.

From the Boardroom

I recall a board meeting where the Chief Information Security Officer presented a dashboard showing 98% patch compliance. Every metric was green. The committee was ready to move on. I asked a single question: "What is the business impact of the 2% that remains unpatched?". The CISO could not answer. A follow-up revealed that the unpatched 2% included the organisation's primary payment gateway and a critical legacy system managing sensitive customer data. The silence in the room was profound. That was the day the board shifted from receiving reports to actively interrogating them. We realised that our oversight depended not on the numbers presented, but on the questions we were prepared to ask.

Establishing Board-Ready Reporting and Accountability

To effectively challenge management reporting, boards often require an independent perspective. The gap between deep technical expertise and strategic governance is significant. Independent advisory exists to bridge that gap, translating technical assessments into the language of fiduciary duty and defensible oversight. This enables a transition from the passive receipt of reports to the active interrogation of digital risk.

One of the most effective tools for testing board-level response is the facilitated incident simulation. These are not technical drills. They are high-stakes workshops designed to pressure-test the board's decision-making, communication protocols, and governance frameworks during a crisis. As an independent ally for Australian directors, I focus on ensuring boards are prepared to lead through these events, not just react to them.

The Role of Independent Strategic Advisory

Internal reporting, no matter how well-intentioned, requires external validation to be truly defensible in the eyes of a regulator. An independent advisor provides that validation without conflict of interest. Many firms that provide cyber advice also sell implementation services, creating an inherent conflict. True independence comes from advisory that is not tied to the sale of technology products or managed services. This approach builds the long-term trust and transparency required for effective board-level governance.

Incident Simulation: Beyond Technical Recovery

A technical recovery plan is not a governance response plan. An incident simulation tests the board’s decision-making framework under immense pressure. It reveals the blind spots in communication, legal privilege, and stakeholder management that only emerge during a realistic crisis scenario. These simulations identify gaps in the organisational response plan before a real event exposes them. Incident simulations provide direct evidence of the board's active and defensible oversight for regulators.

Frequently Asked Questions

What is the primary role of an Australian board in cyber governance? The primary role is one of active oversight and strategic direction. The board must set the organisation's risk appetite, ensure adequate resources are allocated, and hold management accountable for executing a defensible cyber strategy that aligns with director duties.

How does an information technology strategy differ from a cyber security plan at the board level? An information technology strategy is a broad plan for how technology will be used to achieve business goals. A cyber security plan is a component of that strategy focused on protecting digital assets. At the board level, governance must ensure the two are integrated, with security enabling, not hindering, strategic objectives.

What are the current AICD cyber security governance principles for 2026? The AICD principles provide a framework for boards to set clear roles, develop a cyber-aware culture, and manage cyber risks. For 2026, these principles must be interpreted through the lens of new legislation like the Cyber Security Act 2024 and heightened regulatory expectations for demonstrable, active oversight.

Can Australian directors be held personally liable for a cyber breach? Yes. Directors can face legal action from shareholders and regulators like ASIC for breaching their duty of care and diligence under the Corporations Act 2001 if they fail to provide adequate oversight of cyber risk. A breach itself does not create liability; a failure of governance does.

If this resonates, I would welcome a conversation.

Cyber Governance Deep Review

aradvice.com.au/contact.html

Article by

Andrew Roberts

Founder and Principal Advisor at Andrew Roberts Advisory. I work directly with Australian boards and non-executive directors on cyber governance, AI governance, and IT general controls and strategy, translating complex regulatory terrain into clear, defensible oversight frameworks that directors can own and act on.

I have founded and exited two technology companies. I founded Field Solutions Group, served as Group CEO for a decade, and led the ASX listing in 2017. During that time I held direct board accountability for cyber risk, ISO 27001 certification, and governance at the listed company level. I have also served as Deputy Chairman of a federally funded Cooperative Research Centre.

I am a Member of the Australian Institute of Company Directors (AICD) and the Australian Computer Society (ACS), holding the ACS designation MACS (Snr) CP (Cyber), and am a Member of ISACA.

aradvice.com.au