Corporations Act 2001 — Directors' Duties

Your Personal Liability.
Our Problem to Solve.

Under S180 of the Corporations Act, directors must exercise care and diligence — including over cyber security. If you can't demonstrate you took reasonable steps, you're personally exposed.


What the Law Requires of You

Sections 180–184 of the Corporations Act 2001 set out the duties every Australian director must meet — and the penalties for falling short.

S180

Care & Diligence

You must stay informed about cyber risks affecting your organisation. You're measured against what a competent director should know — not what you currently know. Ignorance is not a defence.

Civil — up to ~$1.65M or 3x the benefit derived, whichever is greater

S181–183

Good Faith, Position & Information

You must act in the company's best interests, not use your position for personal gain, and protect confidential information — even after you leave the role.

Civil and/or Criminal

S184

Criminal Liability

Reckless or intentionally dishonest breaches of these duties can result in criminal prosecution and imprisonment — not just fines.

Criminal — imprisonment

Why Directors Are Exposed

The regulatory landscape has shifted. Cyber governance is no longer optional — it's a board-level obligation with real enforcement behind it.

"Cyber preparedness is squarely a board-level issue. How the board ensures sufficient oversight of threats, vulnerabilities and mitigating controls will set the tone for the cyber resilience of an organisation."
— ASIC Chair Joe Longo, Australian Governance Summit 2023
"An organisation's website, internet connections and IT systems are now so important that it can be argued if directors do not ensure properly implemented security, they would not be acting with due care."
— AICD Directors Handbook, 2024/25 V1

ASIC named cyber as an enforcement priority for 2025

Cyber security is no longer an IT issue — it's a named regulatory enforcement focus. ASIC expects boards to demonstrate oversight.

ASIC v FIIG Securities (2025) — enforcement in practice

In 2025 ASIC commenced proceedings against FIIG Securities, alleging it failed to maintain adequate cyber security measures ahead of a ransomware attack. Enforcement is reality, not theory.

D&O insurers are asking cyber governance questions

At renewal time, your D&O insurer now wants evidence of cyber policies, board engagement, and incident response plans. No evidence, higher premiums — or no cover.

"I trusted IT" is not a legal defence

Delegating cyber to IT or a provider does not discharge your duty under S180. The Business Judgment Rule (S180(2)) only protects a judgment made in good faith, for a proper purpose, and after the director has informed themselves about the subject matter to the extent they reasonably believe appropriate. A director who never asked the questions cannot rely on it.

The Board Cybersecurity Checklist

From the AICD Cyber Security Governance Principles and ASIC REP 468 — key questions every board should be asking.

1. Are cyber risks an integral part of your risk management framework?
2. How often is cyber resilience reviewed at board level?
3. What risk is posed by cyber threats to your business?
4. Does the board need further expertise to understand the risk?
5. How can cyber risk be monitored? What escalation triggers exist?
6. What is the people strategy around cybersecurity?
7. What protects your critical information assets?
8. What needs to occur in the event of a breach?

If you can't confidently answer these questions, you may have a governance gap that exposes you to personal liability under S180.

How GetCimple Helps You Meet Your Obligations

Our services deliver the artefacts, frameworks, and knowledge that constitute your S180 evidence — policies, governance structures, assessments, and training.

S180

Fit-for-Purpose Cyber Policies

Board-approved policies aligned to the Essential Eight are documented evidence of care and diligence. A director who can point to them has evidence to support a S180 defence; a director who hoped IT had it covered does not.

AICD Principle 1

Governance Kickstart

We establish your cyber governance framework — roles, responsibilities, risk register, and reporting structure. This is exactly what AICD Principle 1 calls for: clear accountability from board to operations.

AICD Principle 4

Board Cyber Workshop

Director education on cyber risk is explicitly called out in AICD Principle 4. Attending a governance workshop is direct evidence you took your obligations seriously.

ACSC

Essential Eight Assessment

The assessment itself is evidence the board sought to understand its cyber posture. It is mapped to the ACSC's Essential Eight, the baseline mitigation framework that Australian regulators and insurers commonly reference when evaluating your governance.

Don't Wait for an Incident

Book a free 15-minute assessment to understand your current cyber governance posture and where you stand against your obligations under the Corporations Act.

Serving Australian businesses nationally. Based in Sydney.