Directors on the Hook for Cyber: What the Section 180 Position Actually Is in 2024

ASIC's post-RI Advice enforcement posture puts cyber risk management squarely inside a director's section 180 duty of care. The stepping-stone liability approach means a company cyber failure can land on directors personally. What the position actually requires of Australian company directors in 2024.

This is an IT operator’s perspective on how cyber risk management intersects with directors’ duties under the Corporations Act in 2024. It isn’t legal advice, a directors-duties opinion, or an ASIC position statement. Whether any particular governance arrangement satisfies section 180 in a specific circumstance is your corporate lawyer’s call. We implement the technical controls the board has decided on. The lawyer advises whether that decision discharges the directors’ duty.

Two and a bit years after the Federal Court decided ASIC v RI Advice, the posture is settled. Cyber risk is now squarely inside the duty of care owed by directors under section 180 of the Corporations Act, and ASIC has said so publicly on multiple occasions since. Directors of CCP-sized Australian companies (20 to 250 staff, typically on an unlisted structure, often with the founders or a small board running governance) are carrying exposure for a risk class that was not in their mental model five years ago.

The exposure is real, the standard is reasonable, and the controls required to discharge it are not exotic. But the pattern we see across incident work and in board-level conversations is that directors often find out about their exposure after the fact. An insurer’s questionnaire surfaces the gap, or a near-miss breach makes someone ask who was supposed to be watching. By then the question of whether the board had done enough is a retrospective one, which is a harder question to answer than the prospective version.

Does ASIC treat cyber risk as a director-level concern?

Yes. ASIC has stated publicly since 2022 that cyber risk management is a top priority for all boards, and it has backed the position with enforcement. The ASIC v RI Advice decision in 2022 was the first Australian case finding an AFSL holder in breach of the Corporations Act for cybersecurity-related failures. ASIC has continued through 2023 and 2024 to signal that it will use the stepping-stone approach to apply a company’s cyber failure to directors’ section 180 obligations where the facts warrant.

The position is not that directors have to be cyber experts. It is that directors have to exercise the same care and diligence over cyber risk that they exercise over any other material operational risk. The Corporations Act test under section 180 is objective; a director is held to the standard of a reasonable person in the same position. A reasonable director of a company that processes personal information or depends on IT systems to operate now understands that cyber risk is a material risk, and has taken reasonable steps to ensure it is being managed.

What “reasonable steps” looks like varies with the size and complexity of the business. For a CCP-sized firm (20 to 250 staff), it is not a full second-line risk-management function. It is closer to a credible first-line control environment, appropriate oversight at board level, and an honest conversation about where the gaps are.

What is stepping-stone liability, and how does it apply to cyber?

Stepping-stone liability is an enforcement approach ASIC has used in other contexts (financial services breaches, continuous disclosure failures) where the company’s contravention of the Corporations Act becomes the first step, and the director’s failure to prevent or address it becomes the second step. The directors’ section 180 duty is breached when they expose the company to a foreseeable risk of harm by failing to act with the care and diligence a reasonable director would.

Applied to cyber, the logic is: the company fails to manage a cyber risk, a consequence follows (a breach, a regulatory investigation, a prosecution, a class action, reputation damage), and the director who had the opportunity and capacity to prevent that consequence is in breach of section 180. The harm does not have to be financial. Reputational damage, prosecution exposure, and civil litigation all count.

The practical effect is that a cyber incident at the company level can become a directors’ duty issue even where the directors themselves did nothing actively wrong, if the failure was one of oversight: not ensuring that adequate oversight of cyber risk was in place. That is harder to defend than a conscious decision that turned out badly.

What does ASIC expect directors to actually do?

ASIC has not published a prescriptive list. It has published indicative guidance (INFO 259 on cyber resilience is the most-cited in this context) and has repeatedly referenced the AICD Cyber Security Governance Principles as a reasonable baseline for board-level cyber governance. The AICD principles are not law but they are what ASIC would reasonably expect a well-informed director to have read.

The indicative expectation is roughly: boards understand the cyber risks material to the business, ensure there is management accountability for those risks, receive and challenge regular reporting, ensure adequate resourcing, and ensure an incident response plan exists and has been tested. None of this requires directors to become technical experts. It requires directors to apply governance discipline to cyber the same way they apply it to financial controls or workplace safety.

What does “reasonable steps” look like for a mid-size Australian company?

For a company of 20 to 250 staff, a defensible board-level cyber governance posture in 2024 looks roughly like this:

  1. An identified senior-executive owner for cyber risk (CEO, COO, or a delegated officer).
  2. A current cyber risk register, reviewed at least semi-annually at a board or audit-committee meeting.
  3. A baseline control environment that covers the Essential Eight (the ACSC’s canonical control set) or a credible equivalent.
  4. A documented incident-response plan that has been tested within the last 12 months.
  5. A cyber insurance policy in force with an insurer that has asked real diligence questions, not a policy that was purchased without engagement.
  6. An external perspective at least annually, whether via a managed service provider, a consultancy, or an internal audit function.

Most of the work is in the first two items. An organisation that knows what its material cyber risks are, and has assigned accountability for managing each one, tends to close the rest of the gap naturally. An organisation that has never formalised either finds it hard to talk about the rest coherently.

What if we outsource IT entirely?

Outsourcing IT does not discharge the directors’ duty. ASIC has been explicit that third-party risk (including outsourced IT providers) falls within directors’ cyber oversight obligations. The board still needs to understand what the provider is contractually responsible for, what the gaps between the contract and the risk picture are, and how it knows the provider is actually doing what it said it would. We have been on both sides of that conversation, and the version where the provider can produce evidence on demand is the version that holds up to scrutiny.

The trap we see is a cyber insurance questionnaire asking the directors to attest to controls, the board turning to the MSP to answer, and the MSP returning evidence that is generic rather than specific to the company’s posture. The attestation is the director’s, not the provider’s. Providers that cannot produce company-specific evidence are leaving the director exposed.

When is the risk of personal exposure highest?

Our observation across incident work and board conversations is that personal exposure crystallises in three predictable situations. First, when the company has been on the receiving end of a serious breach and the post-incident review finds that the board’s cyber oversight was thin or nominal. The breach itself is the company’s problem; the board’s role in letting it happen becomes the director’s problem. Second, when a cyber insurance claim is declined because the insured did not have the controls attested to in the policy application, and the director signed the application. Third, when ASIC is conducting a broader investigation for unrelated reasons and finds cyber governance gaps as a secondary issue.

A standing cyber governance posture reduces exposure across all three. A reactive posture heightens it.

What has changed between 2022 and 2024?

Three things. ASIC’s enforcement posture has firmed up from “we will pay attention to cyber” to “we are actively looking for cases to run.” The Albanese government’s cybersecurity strategy (2023) and the Cyber Security Legislative Package currently before Parliament (expected to pass later in 2024) together signal a broader regulatory posture that treats cyber as a first-class compliance area rather than an IT concern. And cyber insurance underwriting has tightened dramatically, with questionnaires that now look more like regulatory diligence than insurance forms.

The combined effect is that a board which was comfortable with its cyber posture in 2021 should not assume that same posture is defensible in 2024. The bar has moved. Directors who haven’t asked “what has changed about what we need to do” since the RI Advice decision are probably underestimating the current expectation.

What CCP does on director-level cyber governance

We don’t write board papers. We make sure the IT environment the board relies on for its cyber governance posture can actually substantiate what the board is being told.

For a CCP client with an engaged board, our involvement typically looks like the following. We produce the technical evidence that management reports up from: a current risk register against the Essential Eight, an incident-response capability that has been tested and has a writeup, patching and identity hygiene metrics that management can present to the board without fabrication, and a report-shaped set of outputs that fit into board papers rather than forcing the director to interpret raw technical data. Where the board has questions that management cannot answer credibly from inside, we come into the room and answer them.

The director-duties interpretation, the board-paper drafting, and the decisions about what gets escalated and when remain with the company’s legal advisors, company secretary, and chair. Our boundary is explicit. We provide the evidence. They make the governance judgement.

Directors who want to understand their actual exposure without committing to an engagement can start with our Essential Eight self-assessment, which produces a written report suitable for a first board conversation. That conversation is usually worth having before the insurer’s questionnaire arrives, not after.

Primary sources
