ASIC has warned that Directors should avoid being caught out by cyber security breaches.

Directors are duty-bound to ensure their company has “adequate” cyber security and the ability to recover from an attack or they could face action by ASIC. 

According to ASIC, ‘cyber preparedness’ can no longer be considered enough; businesses must demonstrate an ability to respond or the board will be held accountable, the regulator says.

“For all boards, cyber security and cyber resilience have got to be top priorities. “If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”

“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it.”

“Don’t put yourself in that position.”

For a small business, even a minor cyber security incident can have devastating impacts. In the 2021-2022 financial year, the average cost per cybercrime reported to the ACSC rose to over $39,000 for small businesses.

The ACSC has published a range of resources to help directors and small businesses protect themselves against common cyber security threats, including the Small Business Cyber Security Guide.