Directors' Duties

Overview

  • While directors’ duties are grounded in the Corporations Act 2001 (Cth), common law and equity, their application has evolved significantly as organisations face unprecedented regulatory reform and scrutiny and a heightened threat landscape. In this environment, the responsibility for information security and data governance is with the board and senior management. The oversight of cyber risk is now fundamental to a business's risk management and potential survival, and a core component of a director’s duty to act with due care and diligence. Regulators including ASIC, APRA, and the OAIC have repeatedly emphasised the criticality of board-level oversight of cyber and data risk issues.
  • This position is supported by the 2023-2030 Australian Cyber Security Strategy, which commits to providing clear guidance to industry, including clarifying expectations of corporate cyber governance. As a result, boards are expected to be confident their organisation is prepared for a crisis, be ready to become actively involved in the response, and to contemplate the long tail of potential post-incident risks from the outset.

Background

  • Directors of corporations should be mindful that their duties under the Corporations Act 2001 (Cth) and at common law are now interpreted to require active engagement with and oversight of cyber risks. This reflects an evolving standard of care, whereby cyber resilience is considered fundamental to an organisation’s risk management and prospects for survival. Although research indicates a significant skills gap in cyber security expertise exists on the boards of major Australian companies, established legal principles require all directors to pay appropriate attention to the business of the company and exercise judgment in respect of foreseeable risks.
  • Directors of listed companies must also ensure they report any information to the ASX that could have a material consequence on the price or value of the company's securities, pursuant to continuous disclosure obligations. Furthermore, since the introduction of the 'Notifiable Data Breach Scheme' under the Privacy Act 1988 (Cth), directors are expected to oversee the disclosure of details about any eligible data breach that is likely to result in serious harm to any individuals.

Australian Prudential Regulation Authority (APRA)

  • Under APRA Prudential Standard CPS 234: Information Security, the board of an APRA-regulated entity is ultimately responsible for ensuring the entity maintains information security in a manner commensurate with the threats to its information assets. The board must also ensure that information security-related roles and responsibilities are clearly defined for the board, senior management, and other relevant parties.
  • Under APRA Prudential Standard CPS 230: Operational Risk Management, the board's role in overseeing operational risk is reinforced. This standard includes a key focus on managing risks associated with the use of third-party service providers, reflecting an increased regulatory focus on supply chain risk. Both standards include requirements for entities to notify APRA of material information security incidents and operational risk events.

Australian Securities Exchange (ASX)

ASX Listing Rules

  • Under ASX Listing Rule 3.1, a listed entity must immediately disclose to the ASX any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities. Section 677 of the Corporations Act 2001 (Cth) clarifies this as information that would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of them. An entity must form a view as to whether the effects of a cyber incident satisfy this test. However, ASX Listing Rule 3.1A provides an exception if the information is confidential and concerns an incomplete proposal or is insufficiently definite to warrant disclosure. This confidentiality exception is overridden by ASX Listing Rule 3.1B, which compels an entity to provide information if ASX considers there is, or is likely to be, a false market in its securities.
  • Applying these rules during a cyber incident can be challenging, as determining materiality may be difficult when information is incomplete and facts are changing rapidly. In these circumstances, guidance from the Australian Institute of Company Directors (AICD) suggests that a board should consider convening its continuous disclosure committee and whether to initiate a trading halt. Both ASIC and the ASX can take enforcement action for breaches of continuous disclosure obligations (see Memorandum of Understanding between Australian Securities and Investments Commission and ASX Limited ABN 98 008 624 691 (28 October 2011)), and directors may face personal liability for their involvement in such breaches.

ASX Corporate Governance Principles and Recommendations (February 2019)

  • The ASX Corporate Governance Principles and Recommendations, 4th Edition (February 2019) sets out best practice guidance for listed entities. Under Recommendation 7.2, the board should review the entity’s risk management framework at least annually to satisfy itself that it continues to be sound and deals adequately with contemporary and emerging risks such as cyber security.
  • The Principles also recommend that a listed entity should have and disclose a board skills matrix setting out the mix of skills and diversity that the board has or is looking to achieve. This is particularly relevant to the board’s capacity to provide oversight of complex risks like cyber security, where a documented skills gap has been identified across Australian boards. The Principles are not mandatory, but operate on an ‘if not, why not’ basis, meaning an entity must disclose if it has not followed a recommendation and give reasons why.

Australian Securities and Investments Commission (ASIC)

  • ASIC considers the oversight of cyber risk to be a core and non-delegable responsibility of company directors, falling squarely within their duty of care and diligence under the Corporations Act 2001 (Cth). While ASIC has considered cyber resilience a key obligation for its regulated population for over a decade, its focus has intensified significantly, with ASIC Chair Joe Longo stating that a "failure to ensure adequate measures are in place exposes directors to potential enforcement action".
  • ASIC v RI Advice Group Pty Ltd [2022] FCA 496 concerned a series of cyber security incidents at several authorised representatives of RI Advice between 2016 and 2021, which included ransomware attacks and unauthorised access to client information. The Federal Court (Rofe J) found that RI Advice had breached its obligations as an Australian Financial Services (AFS) licensee under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) by failing to have adequate risk management systems to manage its cyber security risks. Justice Rofe acknowledged that "it is not possible to reduce cybersecurity risk to zero... but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls". The decision established that the failure to implement and maintain adequate policies, systems, and resources to manage cyber risks can, in itself, constitute a breach of an AFS licensee's duty to act "efficiently, honestly and fairly". Following the judgment, ASIC publicly stated the decision was a "timely reminder for company directors about cybersecurity risk oversight and disclosure obligations", cementing its significance as a legal precedent for board-level accountability in this area.
  • Previous iterations of this Map noted that the Australian Securities and Investments Commission, in its Cyber Resilience Health Check (Report 429, 2015), listed relevant cyber security obligations for the financial services entities it regulates and suggested that the provisions of the Corporations Act 2001 (Cth) may require active engagement with cyber risks. Since its enforcement outcomes report for July to December 2015 (Report 476, December 2015), ASIC has taken a new enforcement approach when dealing with cyber issues, increasingly choosing to accept enforceable undertakings or issue infringement notices. Under Regulatory Guide 104, entities holding an Australian Financial Services Licence must comply with licensing obligations relating to the security of client records. Furthermore, in its ASIC Enforcement Update for July to December 2018 (Report 615, April 2019), ASIC emphasised that it was paying particular attention to cyber-related market misconduct facilitated by technology, and has published a series of reports on the topic, including Cyber resilience of firms in Australia's financial markets (Report, November 2017) and its successor for 2020–2021 (Report, December 2021).

Corporations Act 2001 (Cth)

  • Under Part 2D.1 of the Act, directors owe a number of duties to the company. These include the duties to:
    • act with reasonable care and diligence (s 180(1));
    • act in good faith in the best interests of the company and for a proper purpose (s 181); and
    • not improperly use their position or information to gain an advantage or cause detriment to the company (ss 182, 183).
  • The duty of care and diligence (s 180(1)) is the primary duty through which a director's oversight of cyber security is assessed. This duty requires directors to take reasonable steps to guide the corporation in managing foreseeable risks, a category which now unequivocally includes cyber risk. Directors may be found to have breached this duty for failing to ensure the corporation has implemented reasonable measures to protect it from a foreseeable risk of harm. A director may seek to rely on the business judgment rule in s 180(2) as a defence, but this requires them, among other things, to have rationally believed their judgment was in the best interests of the company, which in turn requires that they were properly informed on the subject matter.
  • A breach of these duties can result in civil penalties, including disqualification from managing a corporation and significant financial penalties. Where a director acts recklessly or is intentionally dishonest in breaching their duties, criminal penalties may apply.
  • Previous iterations of this Map noted that some corporations must disclose risk in annual reports under Part 2M.3 of the Corporations Act 2001 (Cth), in satisfaction of continuous disclosure obligations under Chapter 6CA, and in some fundraising contexts. It also drew on case law establishing that directors have a continuing obligation to be informed about the affairs of their company (Daniels v Anderson (1995) 37 NSWLR 438), and may be negligent if they fail to balance the considerations of potential benefits to a company with its potential risks (ASIC v Maxwell [2006] NSWSC 1052).

Financial Accountability Regime Act 2023 (Cth)

  • The Banking Executive Accountability Regime (BEAR), which was previously housed in Part IIAA of the Banking Act 1959 (Cth), has been replaced and expanded by the Financial Accountability Regime (FAR).
  • The FAR is established under the Financial Accountability Regime Act 2023 (Cth) and is jointly administered by APRA and ASIC. It applies to the banking industry from 15 March 2024 and extends to the insurance and superannuation industries from 15 March 2025. The regime imposes a strengthened responsibility and accountability framework for directors and the "most senior and influential executives" ('accountable persons') of regulated entities.
  • Key accountability obligations for these persons include the duty to act with "honesty and integrity, and with due skill, care and diligence", and to take "reasonable steps to prevent matters from arising that would result in a material contravention" of specified financial laws.

Privacy Act 1988 (Cth)

  • Under Part IIIC of the Privacy Act 1988 (Cth), a range of entities are subject to the Notifiable Data Breach (NDB) Scheme. These entities include Australian Government agencies and private sector organisations with an annual turnover exceeding $3 million, as well as specific other entities regardless of turnover, such as private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
  • A data breach occurs when personal information an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would conclude this is likely to cause serious harm to affected individuals. An affected organisation must undertake a reasonable and expeditious assessment of a suspected data breach within 30 days after becoming aware of the grounds for suspicion. If a breach is confirmed, the entity must prepare a statement that includes its identity and contact details, a description of the breach, the kinds of information involved, and recommendations for affected individuals. The entity must then provide a copy of this statement to the Office of the Australian Information Commissioner (OAIC) as soon as practicable and take reasonable steps to notify affected individuals.
  • Part VIB of the Act contains penalties for non-compliance. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) significantly increased the civil penalties for serious or repeated interferences with privacy under section 13G. The maximum penalty for a body corporate for a contravention of subsection 13G(1) is now the greater of:
    • $50 million
    • Three times the value of any benefit obtained from the misuse of information
    • 30% of the company's adjusted turnover in the relevant period
  • For a person who is not a body corporate, the maximum penalty for a serious or repeated privacy breach is $2.5 million. The Act also empowers the Commissioner to direct an entity to notify individuals of an eligible data breach in certain circumstances (s 26WR), and grants the Commissioner new powers to obtain information and documents relating to an actual or suspected data breach (s 26WU). These strengthened penalties and powers apply to the relevant business entity and can also be pursued against those ‘knowingly concerned’, such as directors or management (s 99A).

Criminal Law

  • The Criminal Code Act 1995 (Cth) criminalises a broad range of computer-based offences under Part 10.7 (Computer Offences). The key offences include:
    • Unauthorised access, modification, or impairment of data.
    • Possession or control of data with the intent to commit a computer offence.
    • Using a computer to cause unauthorised access, modification, or impairment with the intent to commit a "serious offence" (punishable by 5 or more years imprisonment).
  • The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 added new offences aimed at reducing the misuse of online platforms by perpetrators of violence. These offences, located in the Criminal Code, came into effect on 6 April 2019. They include:
    • Failure to report: an offence for internet service providers and hosting providers who fail to notify the Australian Federal Police (AFP) about material relating to abhorrent violent conduct occurring in Australia.
    • Failure to remove: an offence for content and hosting services that fail to "expeditiously" remove access to abhorrent violent material that can be accessed in Australia. These offences apply to providers who are aware of the material and fail to act, and they do not criminalise ignorance.
  • See Computer-Based Crime.

Regulatory & Policy Framework

Duty to Report Cyber Security Incidents

Australia has several obligatory and voluntary reporting regimes for cyber security incidents, driven by recent legislative reforms aimed at strengthening national cyber resilience. There is no common law duty to report cyber incidents. However, a range of legislative and contractual obligations now apply to specific sectors and types of incidents. The Australian Cyber Security Centre (ACSC) defines a cyber incident as 'an unwanted or unexpected cyber security event, or a series of such events, which have a significant probability of compromising business operations'.


1. Security of Critical Infrastructure Act 2018 (SOCI Act)
  • The SOCI Act imposes mandatory reporting on responsible entities for critical infrastructure assets. A cyber security incident under this Act is broadly defined and includes unauthorised access, modification, or impairment of computer data or electronic communications. The reporting deadlines depend on the incident's impact:
    • Critical cyber security incidents that have a "significant impact" on the availability of an asset must be reported to the ACSC within 12 hours of becoming aware of the incident. A written report must follow a verbal report within 84 hours.
    • Other cyber security incidents that have a "relevant impact" on the asset's availability, integrity, or confidentiality must be reported to the ACSC within 72 hours of becoming aware of the incident. A written report must follow a verbal report within 48 hours.
  • See Security of Critical Infrastructure.

2. Cyber Security Act 2024 (Cth)
  • The Cyber Security Act 2024 (the Act) introduces a mandatory ransomware and cyber extortion payment reporting obligation, effective from 30 May 2025. This obligation applies to "reporting business entities", being:
    • An entity with an annual turnover exceeding a set threshold (proposed to be $3 million).
    • Responsible entities for critical infrastructure assets.
  • The obligation applies only when a ransom payment (monetary or non-monetary) is made in response to an extortion demand.
  • The report must be made to the Australian Signals Directorate (ASD) within 72 hours of making the payment or becoming aware that a payment was made on its behalf.
  • Failure to report can lead to a civil penalty of up to 60 penalty units (or $19,800).
  • An "education-first" approach will be taken to enforcement for the initial six-month period from 30 May 2025 to 31 December 2025.
  • See CyberSecurityAct.

3. Privacy Act 1988 (Cth)
  • The Notifiable Data Breaches (NDB) scheme applies to entities covered by the Privacy Act 1988 (Cth). A data breach is an "eligible data breach" that must be reported if it is likely to result in serious harm to an individual.
    • Entities must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals.
    • The investigation and reporting of the incident should occur within 30 days of the entity becoming aware of it.

4. My Health Records Act 2012 (Cth)
  • Entities such as registered healthcare provider organisations and contracted service providers must notify the Australian Digital Health Agency (as the System Operator) of any actual or potential data breach relating to the My Health Record system.
    • This notification must be made as soon as practicable after becoming aware of the breach.
    • For entities that are not a state or territory authority, the Information Commissioner must also be notified.
    • The entity must also take reasonable steps to contain the breach and assess the risks.

National Level


Australian Cyber Security Centre (ACSC)
  • The ACSC, part of the Australian Signals Directorate (ASD), is the lead Australian Government agency for cyber security. The ACSC's role is to help make Australia the most secure place to connect online by providing proactive advice and assistance to government, businesses, and the public.
  • The ACSC offers a range of services and resources to improve cyber resilience, such as:
    • A 24/7 cybersecurity hotline (1300 CYBER1).
    • Publishing alerts, technical advice, and advisories on significant and emerging cyber threats.
    • Cyber threat monitoring and intelligence sharing with Australian and international partners.
    • Developing mitigation strategies like the Essential Eight to help organisations protect themselves from common threats.
  • The ACSC receives reports of cyber incidents and provides guidance on how to recover from events like data breaches, malware, and phishing. Reports can be made through their ReportCyber portal, which is a webform for reporting cybercrime, incidents, or vulnerabilities. While the ACSC provides templates and guidance, such as the Cyber Security Incident Response Plan, these documents are designed to help organisations develop their own plans and do not impose specific reporting timeframes themselves.

Australian Government Information Security Manual (ISM)

The Australian Government Information Security Manual (ISM) is a cybersecurity framework developed by the Australian Signals Directorate (ASD) that organisations can apply to protect their systems and data from cyber threats. It uses a risk management framework, which includes the protection of the cyber supply chain. The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers, cybersecurity professionals, and IT managers.
  • Internal Reporting: Cybersecurity incidents, including unplanned outages, should be reported to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered.
  • External Reporting: The ISM advises that incidents should also be reported to the ASD as soon as possible. This helps the ASD provide assistance, identify trends, and maintain an accurate picture of the threat environment. The reporting of a cybersecurity incident to the ASD is subject to a 'limited use' obligation, meaning it cannot be used for regulatory purposes. Reports to the ACSC can be made through their ReportCyber portal.

Australian Prudential Regulation Authority (APRA) CPS 234

The Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security sets mandatory minimum requirements for all APRA-regulated entities. The purpose of the standard is to ensure these entities, which include banks, insurers, and superannuation funds, are resilient against cyber attacks. The ultimate responsibility for maintaining an entity’s information security rests with the Board.

The standard defines two types of notifiable events:
  1. Information security incidents: An entity must notify APRA as soon as possible, but no later than 72 hours after becoming aware of a significant information security incident. An incident is considered significant if it materially affects, or has the potential to materially affect, the entity or the interests of its customers.
  2. Material control weaknesses: An entity must notify APRA as soon as possible, and no later than 10 business days, after identifying a material information security control weakness that it expects it will not be able to remediate in a timely manner. A control weakness is considered material if it could materially affect the entity or its customers.
Notifications must be made to APRA even if the incident has been reported to other Australian or international regulators.

This is in addition to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), which requires notification within 30 days of a data breach likely to cause serious harm. CPS 234's 72-hour timeframe is notably shorter and covers a broader range of incidents.

APRA has repeated concerns about persistent weaknesses in information security controls, particularly related to multi-factor authentication (MFA), inadequate oversight of third-party providers, and the resilience of backup arrangements. In response, it has required trustees of superannuation funds to undertake a self-assessment and report any material weaknesses.

Cyber Incident Management Arrangements for Australian Governments (CIMA)
  • The Cyber Incident Management Arrangements for Australian Governments (CIMA) is the framework that guides how Australian governments cooperate in response to, and to reduce the harm associated with, national cyber security incidents. It is part of the broader Australian Government Crisis Management Framework (AGCMF) and supports existing incident response plans at the state and territory level unless circumstances require it to take precedence. CIMA defines a cyber incident as "an unwanted or unexpected cyber security event... that have a significant probability of compromising business operations".
  • The AGCMF designates the Minister for Cyber Security as the Lead Minister, with the National Cyber Security Coordinator (NCSC) and the National Office of Cyber Security (NOCS) in the Department of Home Affairs designated as the lead coordinating body for cyber incidents. The NCSC is responsible for managing responses to cyber incidents of national significance and coordinating a whole-of-government effort.
  • The Cyber Security Act 2024 (Cth) has complemented the CIMA by introducing a new "limited use" obligation (Part 4) for information voluntarily shared with the NCSC during a significant cyber security incident. This provision is designed to encourage businesses to share information with the government without fear it will be used for regulatory or civil action against them, thereby enhancing national situational awareness.

Protective Security Policy Framework (PSPF)

The Protective Security Policy Framework (PSPF), managed by the Department of Home Affairs, sets the Australian Government's minimum protective security standards to protect its people, information, and resources, both domestically and internationally. It consists of a series of mandatory policies that non-corporate Commonwealth entities must apply. The PSPF extends to private sector contractors and service providers who handle Commonwealth information, typically through contractual arrangements.
  • Annual Reporting: All non-corporate Commonwealth entities must submit an annual protective security report to their Minister and the Department of Home Affairs by 31 October each year. These reports provide assurance that entities are implementing sound security practices and managing risks.
  • Significant Security Incidents: PSPF Policy 5, "Reporting on security," requires entities to report "significant or externally reportable security incidents" to the relevant authority as soon as possible after they occur or are detected. This includes reporting to the Department of Home Affairs and, for cybersecurity incidents, to the Australian Signals Directorate (ASD)'s Australian Cyber Security Centre (ACSC). A significant security incident is a deliberate, negligent, or reckless action that could lead to the loss, damage, or compromise of official resources.
  • Contractual Reporting: Under Policy 6, "Security governance for contracted goods and service providers", contracts must require service providers to report any actual or suspected security incidents to the entity and to follow reasonable directions from the entity in response to an investigation.

State and Territory Level

New South Wales

The NSW Cyber Security Policy (2023-2024) is a comprehensive framework that sets mandatory requirements for all NSW government departments and public service agencies. The policy's objective is to ensure cyber security risks to information and systems are managed through a risk-based approach aligned with international standards such as ISO 27001.
  • The policy is mandatory for all NSW government agencies, including statutory authorities, and entities that submit an annual report to a Minister. It is, however, a recommended framework for local government, state-owned corporations, and universities.
  • Agencies are required to have a defined workflow for incident management that includes reporting cyber events to Cyber Security NSW. For third-party service providers, contracts must include a process for notifying the agency of suspected or actual security incidents and data breaches.
  • Agencies must submit an annual report to Cyber Security NSW by 31 October each year. This report must include an assurance assessment against all mandatory requirements, a list of high or extreme residual cyber risks, and a signed attestation from the Agency Head.

Queensland

The Queensland Government's Information security incident reporting standard is a core component of its cyber security framework, and is enforced by the Information and cyber security policy (IS18). It provides a standardised and centrally coordinated approach to incident reporting for all Queensland government agencies.
  • Incident Reporting: Agencies are required to report incidents to the Queensland Government's Cyber Security Unit (CSU). The reporting timeframes are tiered based on the business impact level (BIL) of the incident:
    • Immediate Reporting: Incidents with a medium or high BIL, or those affecting multiple systems/agencies, must be reported immediately. Oral notifications must be followed by a formal written report.
    • Low BIL Incidents: Incidents with a low BIL are to be reported within five days.
  • Voluntary Reporting: The CSU encourages all government entities, including local government, to report incidents at the earliest opportunity to facilitate timely support and threat intelligence sharing. The Queensland Government also has a broader Cyber Security Hazard Plan that outlines the whole-of-government response to cyber incidents with statewide or national consequences.

Other States and Territories
  • Western Australia: Western Australia has a Whole-of-Government Cyber Security Incident Coordination Framework that aligns with the national CIMA. The framework mandates that government entities report cyber security incidents to the Office of Digital Government and the WA Police Force's Technology Crime Services. The WA Government Cyber Security Policy recommends adhering to the NIST Cybersecurity Framework 2.0 and the ACSC's Essential Eight controls.
  • Victoria: The Office of the Victorian Information Commissioner (OVIC) administers an Information Security Incident Notification Scheme for Victorian public sector agencies. Agencies must notify OVIC of incidents that have a limited business impact (BIL 2) or higher on public sector information, with a deadline of no later than 30 days after the incident is identified. OVIC's role is to collect data to inform government risk profiles, not to provide an incident response service itself.
  • Tasmania: The Tasmanian Government has a Protective Security Policy Framework (TAS-PSPF) that provides policies and guidelines for its agencies. Policy GOVSEC-6 mandates that the Accountable Authority must develop and implement processes for reporting and investigating security breaches and incidents.
  • South Australia: The South Australian Government manages the South Australian Cyber Security Framework (SACSF), a policy framework for public sector agencies. In accordance with the Premier and Cabinet Circular PC042, all agencies and applicable suppliers must report cyber security events and incidents to the Watch Desk immediately upon identification.

Relevant Organisations
  • Attorney-General’s Department
  • Australian Cyber Security Centre (ACSC)
  • Australian Prudential Regulation Authority (APRA)
  • Australian Securities and Investments Commission (ASIC)
  • Australian Securities Exchange (ASX)
  • Office of the Australian Information Commissioner (OAIC)

Industry Materials

  • A Ahmed et al, ‘How Can Organisations Develop Situation Awareness for Incident Response: A Case Study of Management Practice’ (2021) 101(8) Computers & Security 1, 2–3.
  • A Vamialis, ‘Online Service Providers and Liability for Data Security Breaches’ (2013) 16(11) Journal of Internet Law 23.
  • Allens Linklaters, ‘Coming Clean and Staying Clean: Continuous Disclosure Obligations in the Age of Data Breach’ (Web Page, 7 December 2020).
  • Australian Cyber Security Centre, Cyber Security Incident Response Planning: Practitioner Guidance (Guide, April 2024).
  • Australian Cyber Security Centre, Strategies to Mitigate Cyber Security Incidents (Guide, September 2023).
  • Australian Institute of Company Directors (AICD), Cyber Security Governance Principles (Guidance, November 2024).
  • Australian Institute of Company Directors (AICD), ‘Governing Through a Cyber Crisis’ (Guidance, February 2024).
  • Australian Prudential Regulation Authority (APRA), Prudential Practice Guide CPG 234: Information Security (June 2019).
  • Australian Prudential Regulation Authority (APRA), Prudential Standard CPS 234: Information Security (July 2019).
  • Australian Signals Directorate, Strategies to Mitigate Cyber Security Incidents (Guide, September 2025).
  • Clifford Chance, ‘Cybersecurity and the ASX Listing Rules: Key Takeaways from the Updated Guidance Note 8’ (Web Page, June 2024).
  • J Duffy, ‘How Should Directors Tackle Cyber Risks?’ (2018) 46(2) Australian Business Law Review 134.
  • K Manwaring and P Hanrahan, ‘BEARing Responsibility for Cyber Security in Australian Financial Institutions: The Rising Tide of Directors’ Personal Liability’ (2019) 30 Journal of Banking and Finance Law and Practice.
  • M Duffy, ‘Shareholder Democracy or Shareholder Plutocracy?: Corporate Governance and the Plight of Small Shareholders’ [2002] UNSWLawJl 28; (2002) 25(2) University of New South Wales Law Journal 434.
  • MinterEllison, ‘Pay and Tell: Mandatory Ransomware Payment Reporting Obligations in Force’ (Insight, June 2025).
  • National Anti-Scam Centre (NASC), Scamwatch (Web Page, 2025).
  • Office of the Australian Information Commissioner (OAIC), Notifiable Data Breaches Report (latest statistical reports).
  • Queensland Audit Office, Responding to and Recovering from Cyber Attacks (Report 12: 2023–24).
  • T Voogt, ‘Tall Trees and Digital Literacy: Lessons from Palkon v Holmes’ (2016) 31 Australian Journal of Corporate Law.
  • V Ravishankar et al, ‘Stepping Up Governance on Cyber Security – What Is Corporate Disclosure Telling Investors’ (Report by Principles for Responsible Investment, 2018).
