What Every Director Needs to Ask About Cyber Risk

A significant cyber breach is one of the fastest ways to destroy shareholder value, erode customer trust, and land a company in a legal and regulatory nightmare.

In Australia, the regulatory landscape is tightening rapidly. The Australian Securities and Investments Commission (ASIC) holds directors accountable for failing to manage cyber risks, with enforcement action increasingly targeting licensees where cybersecurity deficiencies are the direct cause of governance failures. APRA-regulated entities face strict CPS 234 compliance. Furthermore, under the Privacy Act and recent updates to the Security of Critical Infrastructure (SOCI) Act, failing to properly protect data or report material incidents can result in multi-million dollar fines. The message is clear: the buck stops with the board.

1. Your Role Is Oversight

You don't need to be able to code or configure a firewall. You do need to be cyber-literate. Your job is to challenge and guide the executive team by asking the right questions.

  • Governance: Who on the board is responsible for cyber risk oversight? Is it the full board, the audit and risk committee, or a dedicated technology/risk committee? Is this responsibility clearly defined in a charter?
  • Expertise: How does the board get its cyber expertise? Do we have a director with this background? Do we use third-party experts to brief us?
  • Reporting: How and when does management, specifically the Chief Information Security Officer (CISO), report to the board? Are they reporting on meaningful metrics like risk reduction and incident response readiness, or just technical "noise" (like the number of attacks blocked)?

2. Treat Cyber as a Business Risk

An effective way to approach cybersecurity is through the lens of business risk. This means moving the conversation from "Are we secure?" to "How are we managing this risk?"

  • Risk Appetite: What is our organisation's risk appetite? What level of risk are we willing to accept to achieve our business objectives? This must be a board-level discussion.
  • Identify the Critical: What are our most critical data assets, systems, and processes? What would be the business impact if they were stolen, encrypted, or destroyed? Not all data is created equal. Focus protection on what matters most.
  • Financial Impact: Does management quantify cyber risk in financial terms? Understanding the potential dollar-value loss from a breach in a key business unit helps you prioritise resources effectively.

3. Prevention

Effective prevention measures significantly reduce the likelihood and impact of common attacks. Board oversight must confirm that management is focused on core protective controls. In Australia, this means ensuring alignment with the Australian Cyber Security Centre’s (ACSC) Essential Eight framework.

This includes ensuring a clear process to rapidly fix known software vulnerabilities (patch management) and the proper implementation of Identity and Access Management (IAM), particularly Multi-Factor Authentication (MFA), across all critical systems. Ask for metrics on the age of unpatched critical vulnerabilities and the percentage of high-value employee accounts protected by MFA. A strong prevention strategy also requires a commitment to replacing legacy systems that can no longer be adequately defended.
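To make those two metrics concrete, here is an added illustration (not code from the article or from BoardCloud) that computes them from constructed sample data: the age of each open critical vulnerability against an assumed 14-day remediation policy, and MFA coverage for high-value accounts. The record layouts, the `privileged` flag, and the SLA value are assumptions chosen for the example.

```python
"""Board-level prevention metrics computed from constructed sample data.
Added example only; record formats and the 14-day SLA are assumptions."""
from datetime import date

TODAY = date(2024, 6, 30)  # constructed reporting date

# Constructed vulnerability findings; 'fixed' stays None while a finding is open.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "first_seen": date(2024, 6, 25), "fixed": None},
    {"id": "V-2", "severity": "critical", "first_seen": date(2024, 4, 1), "fixed": None},
    {"id": "V-3", "severity": "high", "first_seen": date(2024, 5, 10), "fixed": None},
    {"id": "V-4", "severity": "critical", "first_seen": date(2024, 3, 1), "fixed": date(2024, 3, 10)},
]

# Constructed account records; 'privileged' marks high-value accounts
# (administrators, finance approvers, executives).
ACCOUNTS = [
    {"user": "admin1", "privileged": True, "mfa": True},
    {"user": "admin2", "privileged": True, "mfa": False},
    {"user": "cfo", "privileged": True, "mfa": True},
    {"user": "staff1", "privileged": False, "mfa": False},
    {"user": "staff2", "privileged": False, "mfa": True},
]

CRITICAL_SLA_DAYS = 14  # assumed remediation policy for critical findings


def open_critical_ages(findings, today=TODAY):
    """Age in days of every open critical finding, oldest first."""
    return sorted(
        ((today - f["first_seen"]).days for f in findings
         if f["severity"] == "critical" and f["fixed"] is None),
        reverse=True)


def critical_sla_breaches(findings, sla_days=CRITICAL_SLA_DAYS, today=TODAY):
    """Number of open critical findings older than the remediation SLA."""
    return sum(1 for age in open_critical_ages(findings, today) if age > sla_days)


def mfa_coverage(accounts, privileged_only=True):
    """Percentage of accounts (by default only high-value ones) protected by MFA."""
    pool = [a for a in accounts if a["privileged"]] if privileged_only else accounts
    return 100.0 if not pool else 100.0 * sum(a["mfa"] for a in pool) / len(pool)


def board_summary(findings=FINDINGS, accounts=ACCOUNTS, today=TODAY):
    """The handful of numbers a director would ask management to report."""
    ages = open_critical_ages(findings, today)
    return {"open_critical": len(ages),
            "oldest_critical_days": ages[0] if ages else 0,
            "critical_past_sla": critical_sla_breaches(findings, today=today),
            "privileged_mfa_pct": round(mfa_coverage(accounts), 1),
            "all_accounts_mfa_pct": round(mfa_coverage(accounts, privileged_only=False), 1)}
```

On this sample the summary reports one critical finding 90 days old and well past the SLA, and two of three high-value accounts on MFA, which is the kind of figure a board can act on.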

4. Resilience

The new assumption is not if you will be breached, but when. Your oversight must therefore shift from pure prevention to holistic cyber resilience. How are we able to anticipate, withstand, respond to, and recover from an attack?

  • Incident Response (IR) Plan: Do we have a clear, tested, and up-to-date IR plan?
  • Business Continuity: If our primary systems go down, how do we continue to operate and serve customers?
  • Tabletop Exercises: When was the last time the executive team and board members ran a simulated cyber-attack? You need to test your cybersecurity plan and expose its weaknesses.
  • Ransomware: Do we have a policy on paying ransom? In Australia, paying a ransom can carry complex legal, ethical, and sanctions risks. This must be discussed before an attack, not during one.

5. The Top Threats Are Not Just Hackers

Two of the biggest risks today are often overlooked in the boardroom.

  • Third-Party & Supply Chain Risk: Your cybersecurity plan should account for all of your vendors, suppliers, and partners. If they are breached, you can be breached. How are we vetting the security of our critical third-party partners?
  • The Human Element: The overwhelming majority of breaches begin with a human error, such as an employee acting on a phishing email. What is our security awareness and training program? Are we fostering a positive security culture where employees are encouraged to report mistakes instead of hiding them?

6. Ten Key Questions Directors Should Ask

Use this list as a starting point for your next board meeting.

  1. Has management identified our "crown jewel" assets, and what is the specific plan to protect them?
  2. How are we measuring the effectiveness of our cybersecurity program against benchmarks like the ACSC Essential Eight?
  3. What are the top 3 cyber risks that could cause material impact to our business, and what is our plan to mitigate them?
  4. When did we last test our incident response plan with a tabletop exercise? What were the key lessons learned, and how have we improved?
  5. What is our organisation's current level of compliance with Multi-Factor Authentication across critical administrative and employee accounts?
  6. What is the process and timeline for addressing critical unpatched vulnerabilities?
  7. How are we managing the cyber risks posed by our key suppliers and vendors?
  8. What are the key metrics we use to measure the effectiveness of our security awareness training, and how does management ensure training is tailored to the highest-risk departments and roles?
  9. How does our new investment in Artificial Intelligence affect our cyber risk profile, both as a tool for defence and a new target for attackers?
  10. Where mandatory incident reporting obligations apply to our organisation — including strict timeframes to the Australian Cyber Security Centre (ACSC) for critical infrastructure entities, and continuous disclosure obligations to ASIC — are we confident management can identify, assess, and report a material incident within the required timeframes? Who makes that "materiality" call?

About the author

Gary Haase

Content Manager at BoardCloud