Can Business Leaders Be Held Personally Liable for a Cyber Breach?

If your business was hit by a cyber breach tomorrow, could you be held personally accountable? The answer for executives and business owners: yes.

Cyber attacks continue to be on the rise (one is reported to the federal government’s Australian Signals Directorate every six minutes), and the threat landscape is evolving as AI tools are leveraged to rapidly create convincing scams. When a cyber breach strikes, IT responses aren’t enough, with both regulators and customers expecting leaders to be held accountable. When the right steps aren’t taken, penalties and reputational damage follow.

In this blog, we’re breaking down regulatory expectations, risks, proactive steps you can take to protect your business and yourself, and how our team of experts can support good cyber security governance.

The Shift in Accountability

Cyber security has shifted from an IT issue to a governance and compliance issue, supported by expectations from the Australian Securities and Investments Commission (ASIC) and the Australian Cyber Security Centre (ACSC). Rather than relying on IT departments alone to understand and plan for online threats, the responsibility to understand risks and oversee compliance, accountability, resources, and more now falls to directors, boards, and business owners. You don’t need to be a technical expert (you have a team or IT partner for that), but cyber security does need to be included in the risk management framework of every business – no matter the size.

Local high-profile breaches, like the Optus data breach in 2022, clearly demonstrate this shift and the increasing scrutiny placed on boards and business leaders. This breach affected the data of around 9.5 million local customers, drew scrutiny from the public, regulators, government, and media, and the consequences for the business continue today. The Office of the Australian Information Commissioner (OAIC) is now suing Optus for failing to have the right protections in place to safeguard data in the three years before the cyber attack occurred. This is a breach of the Privacy Act, reveals that cyber security risk was not appropriately managed at a strategic board level, and could leave Optus with a fine costing trillions.

It’s clear that when a cyber breach strikes, consequences for business leaders extend far beyond the immediate impact. So, what do your responsibilities look like?

Where Liability Falls

  • Director’s duties: You need to act in the best interest of the business, which includes staying across current risks and compliance obligations, creating and upholding policies, ensuring there are the right resources and relevant plans in place to respond to cyber security incidents, and building a strong cyber security culture.
  • Privacy obligations: Business leaders have a duty of care to safeguard sensitive data. This includes understanding risks, regulations (such as the Privacy Act), and compliance obligations. If due diligence is lacking and data is mishandled, leadership falls under scrutiny and regulatory consequences can follow.
  • Insurance caveats: While your business might have cyber insurance, claims can be rejected if governance controls aren’t met. Board members and business owners need to understand these conditions, and oversee their implementation, maintenance, and documentation.

The Real-World Impact

When business leaders fail to prioritise cyber security, real-world consequences follow. This could look like financial penalties, including class action lawsuits or the loss of contracts, lasting reputational damage and loss of trust which can lead to executive turnover, and high levels of stress, guilt, and time spent handling the fallout. With the potential to seriously impact your life in and outside the office, cyber security governance is a responsibility that needs to be taken seriously.

What Leaders Can Do

The good news is that there are steps you can take to prevent this impact. These include:

  • Treating cyber security like financial governance, with board level oversight.
  • Insisting on clear reporting and KPIs from your IT team or IT partners, which supports informed decision making and alignment with business goals.
  • Adopting robust cyber security frameworks, like the ACSC’s Essential Eight, to support measurable and practical compliance.
  • Working with a trusted IT partner, like Bekkers. The right partner will have the tools and expertise to support your organisation, ensuring you can take the right steps to stay audit ready and enhance your resilience online.

How Bekkers Supports You

At Bekkers we’re well-versed in supporting leaders to manage their cyber security responsibilities. As a Technology Services Partner, we translate compliance into plain English, design and monitor systems that meet standards like the Essential Eight, PCI DSS, NIST, and more, and provide clear reporting for governance and board packs. We back this with over thirty years’ experience helping WA businesses to stay secure and accountable with business-led IT solutions.

Don’t put your reputation, or position, at risk. Get in touch with our experts today, and we can discuss strengthening your cyber security governance.
