Directors on Notice: Why Cybersecurity Failures Are Now a Personal Liability Risk

In April 2025, LK Law published a sobering analysis of ASIC’s evolving stance on cybersecurity. The message is clear: directors who fail to oversee adequate cyber risk management may soon face personal liability.


This isn’t theoretical. ASIC has already taken action against two financial services firms, FIIG Securities and RI Advice Group, highlighting what it considers the minimum standards for cyber resilience.


Cyber Risk Is Now a Foreseeable Business Risk

According to ASIC, cyber risk is no longer a niche IT concern. It’s a foreseeable business risk that demands active oversight from boards and directors. Just as directors are accountable for financial, health, and safety obligations, they must now demonstrate proactive governance over cybersecurity.


The courts have reinforced this expectation, pointing to three key factors directors must weigh:


  1. The magnitude of the cyber risk
  2. The likelihood of its occurrence and the cost of mitigation
  3. The difficulty and inconvenience of taking action


In other words, ignorance is no longer a defence. Nor is delay.


The Fallout Is Real and Expensive

In the case of FIIG Securities, a ransomware attack by ALPHV exposed 385GB of sensitive client data, including passports, bank details, and tax file numbers. ASIC alleges FIIG failed to implement reasonable cybersecurity measures and is seeking penalties, compliance orders, and independent oversight.


RI Advice Group faced similar scrutiny after nine separate cyber incidents, including phishing, ransomware, and unauthorised server access, led to a $50,000 fraudulent transfer. The Federal Court found that RI Advice’s systems lacked basic protections, including antivirus software, email filtering, backups, and password hygiene.


These cases are more than cautionary tales. They serve as a blueprint for what ASIC now expects from directors and boards.


What Cybermate Offers Directors and Boards

At Cybermate, we help organisations meet these expectations with a behavioural-first approach to cybersecurity. Our platform is designed to:


  • Build awareness across teams with bite-sized, accessible training
  • Reduce human error through real-time nudges and reminders
  • Align with Australian standards and ASIC’s guidance
  • Provide directors with clear visibility into behavioural risk


We believe cybersecurity isn’t just a technical challenge. It’s a leadership responsibility. And we’re here to make it manageable, measurable, and meaningful.


The Takeaway

Directors must act now. Cyber risk is foreseeable, and regulators are closely monitoring it. Whether you’re leading a school, charity, or SME, the time to front-load your cyber posture is today, not after an incident.


Because when cybersecurity fails, it’s not just systems that suffer. It’s trust, reputation, and now, personal accountability.
