A plain-English guide for Australian company directors on whether they can be personally liable for a cyber breach. Explains how ASIC has reframed cyber resilience as a governance and directors' duty issue rather than a purely technical one, the landmark ASIC v RI Advice Group (2022) case that first established cyber risk management as a legal obligation, how the section 180 Corporations Act duty of care and 'stepping stone' liability can flow a company's cyber failure through to directors personally (with penalties over $1.5 million and possible disqualification), that this duty applies to directors of small private companies too, and the practical steps boards should take: put cyber on the agenda, make someone accountable, and fund the Essential Eight basics, tested backups and an incident response plan. General information, not legal advice.
Cyber security is now a directors' problem
Can a director be personally liable for a cyber breach? In Australia, that is no longer a hypothetical. The regulator has made cyber resilience a boardroom duty, and the way the law is written, a company's failure can land on the people who were meant to be overseeing it.
The short version
ASIC treats cyber resilience as a directors' duty, not just an IT job. It has litigated on cyber risk management, and it has been explicit that oversight of cyber risk sits with the board.
The duty of care under section 180 can reach directors personally. Through 'stepping stone' liability, a company's cyber failure can flow to directors who did not take reasonable steps, with penalties over $1.5 million and possible disqualification.
This applies to small company boards too. You do not have to become a security expert. You do have to make sure the risk is genuinely being managed, and be able to show it.
How cyber became a boardroom issue
For a long time, cyber security lived firmly in the IT department. A breach was treated as a technical failure, something for the tech team to clean up. That framing is gone. Australia's corporate regulator, ASIC, has spent the last few years making the point, loudly and repeatedly, that cyber resilience is a matter of good governance, and that responsibility for it runs all the way to the board.
The turning point was ASIC v RI Advice Group in 2022. The Federal Court found the company had breached its obligations by failing to have adequate cyber risk management in place. It was the first case of its kind in Australia, and its real significance was the message: managing cyber risk is a legal obligation, and regulators will act when it is neglected. Cyber had officially become a governance question, not just a technical one.
ASIC has been blunt about it. Its consistent public message to boards is that cyber preparedness is a directors' responsibility, and that 'we left it to IT' will not wash as a defence when something goes wrong.
The duty that puts it on you
The legal hook is section 180 of the Corporations Act: the duty to act with the care and diligence a reasonable person would in your position. It is not a cyber-specific law. It is the general duty every director already has, and ASIC's position is that overseeing cyber risk sits squarely inside it.
Lawyers call the mechanism 'stepping stone' liability. The company contravenes an obligation, and the director who failed to take reasonable steps to prevent it is treated as having breached their own duty of care by exposing the company to that risk. The harm does not even have to be financial. Reputational damage, litigation and regulatory action all count. In other words, a cyber failure at the company level can become a personal one for the people who were supposed to be watching.
What personal liability actually looks like
Section 180 is a civil penalty provision. For an individual, the maximum penalty runs to more than $1.5 million, and that is before the indirect costs. Courts can also disqualify a person from managing corporations, which for many directors is the more frightening outcome than the fine.
The point is not to frighten you into paralysis. It is that cyber risk now carries the same personal weight as financial or safety risk. You would never sign off accounts you had not scrutinised. Cyber deserves the same seriousness.
And to be clear, this is not just a big-company concern. The section 180 duty applies to directors of companies of every size, including the small private ones that make up most of the WA business landscape. What is 'reasonable' scales down for a smaller business, but the duty itself does not disappear.
What a board should actually do
You are not expected to read firewall logs. You are expected to make sure the risk is being managed and to be able to prove you took it seriously. Three things carry most of that weight.
Put cyber on the agenda
Cyber risk should be a standing board item, not an IT footnote. Regular, minuted discussion is part of how you show the risk was actually being overseen.
Make someone accountable
Name who owns cyber risk and make sure they are competent, resourced, and reporting up. 'We assumed IT had it covered' is not a defence.
Fund the basics and a plan
The Essential Eight controls, tested backups, and a written incident response plan. Being able to point to these is the difference between reasonable steps and negligence.
A practical starting point is the Essential Eight, the ACSC's baseline of controls. Pair it with something that gives you real visibility, like a monitored security operations service, and you have both the substance and the evidence of oversight that the duty calls for.
The takeaway
Cyber security has quietly climbed the ladder from an IT concern to a genuine directors' duty, with personal consequences attached. The regulator has said so, the courts have backed it, and the law was already written in a way that reaches individual directors. Pretending it is still someone else's job is now the risky position.
The reassuring part is that the same practical steps that protect the business also protect its directors. Getting the basics in place, monitored, and documented is exactly what our managed security service is built to do. If your board has never had a proper conversation about cyber, this article is the nudge to put it on the next agenda.
Common questions
Can a director really be held personally liable for a cyber breach?
Potentially, yes. Under section 180 of the Corporations Act, directors owe a duty of care and diligence, and ASIC's clear position is that overseeing cyber risk falls within that duty. Through what lawyers call 'stepping stone' liability, a company's cyber failure can flow through to directors who did not take reasonable steps to manage the risk. Section 180 is a civil penalty provision, with penalties for an individual running to over $1.5 million, and courts can also disqualify a person from being a director.
Does this only apply to big listed companies?
No, and this is the part that surprises people. The section 180 duty of care applies to directors of all companies, including small private ones. What counts as 'reasonable' scales with the size and nature of the business, so no one expects a small company board to run like a bank's. But the underlying duty is the same, and the excuse that you are 'too small for this to matter' does not hold.
What did the RI Advice case actually establish?
In ASIC v RI Advice Group (2022), the Federal Court found that the company had breached its obligations by failing to have adequate cyber risk management in place. It was the first Australian case of its kind, and it drew a firm line: managing cyber risk is a legal and regulatory obligation, not simply IT best practice. It reframed cyber from a technical issue into a governance one.
What does 'reasonable steps' look like for a director?
You are not expected to be a security expert. You are expected to make sure the risk is genuinely being managed: that cyber is on the board agenda, that a competent person owns it, that there is an incident response plan, and that the basic controls are funded and in place. Crucially, you should be able to show you asked the questions. Evidence of active oversight is what separates a defensible position from a negligent one.
Doesn't our cyber insurance take care of this?
Not on its own. Cyber insurance can help with the costs of an incident, but it does not discharge a director's duty, and insurers increasingly require the very same controls before they will cover you or pay out. Treat it as a backstop that sits behind good governance, not a replacement for it. Our cyber insurance deep dive covers what it does and does not do.
This article is general information, not legal advice. For how directors' duties apply to your specific circumstances, speak to a qualified legal adviser.