Print Article

Watchdog warns company directors over cybersecurity failures.


Company directors could breach their duties if their companies fail to deal with cyberattacks adequately, warns Australian Securities and Investment Commission chairman Joe Longo.

This could include the directors of high-profile companies such as Medibank, Optus and consumer finance group Latitude, which have been the subject of high-profile and damaging cyberattacks over the past year.

Longo said in a speech to the Australian Financial Review cyber summit.

  • “For all boards, cybersecurity and cyber resilience have to be top priorities,”
  • “If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” he said

ASIC’s research has shown there is often a disconnect between a company board’s oversight of cyber risk, management reporting on this topic to their board, and the identification and assessment of risks and how controls are implemented.

Longo said

  • This disconnect must be addressed if the board wants to meet its legal obligations.
  • “Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties”

The Office of the Australian Information Commissioner has opened investigations into the cyberattacks on Optus, Medibank and Latitude, which could open the door for ASIC to take legal action. This is on top of potential class action lawsuits over the cyberattacks.

A year ago,

  • Optus revealed that hackers had stolen the personal data of more than 9 million of its customers.
  • Weeks later, Medibank was the subject of a cyberattack in which the data of 10 million former and current customers was stolen, as well as some sensitive customer health records. Latitude also reported it was the victim of a significant cyberattack.

The information commissioner investigations will focus on whether these companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

Longo also singled out recent hack of Latitude Group, which was blamed on a third-party service provider, as a risk that companies must manage effectively. He said

  • “If you’re not evaluating your third-party cybersecurity risk, you’re deceiving yourself. And recent events show that you will suffer for it,”

Cybersecurity Minister Clare O’Neil, also appearing at the summit, unveiled the government’s next stage of plans to help combat the growing cybersecurity issues for Australian companies with a national security framework.

she told the ABC on Monday morning.

  • “Part of our strategy is to build six protective layers around our population to make sure that business and industry and government are doing everything that they can to make sure that our citizens are kept safe from this terrible problem,”
  • “These shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia,” she said at the summit.

The ‘nightmare’ cybersecurity scenario being war gamed by government

O’Neil, who blasted Optus last year for its lax security after its hacking incident, has taken a more conciliatory approach since then. She said

  • Australian businesses were taking note of the growing threat.
  • “Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now, cybersecurity is a top priority for the board, and it is one they discussed in every single board meeting,”


Colin Kruger September 18, 2023 — 3.22pm


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email