Liabilities by regulation
Core directors’ duties (Corporations Act)
Directors’ standard duties of care, diligence, good faith and proper purpose now clearly extend to foreseeable ICT and cyber risks. Failing to ensure adequate cyber, data and IT risk governance can be treated as a breach of these duties, exposing directors to civil penalties, compensation orders and disqualification. ASIC has explicitly framed cyber and technology risk management as part of mainstream risk oversight rather than a technical side issue.
Personal liability can arise under “stepping‑stone” theories where a company contravenes another law (for example, privacy or disclosure) because ICT risks were not appropriately governed at board level.
Privacy Act and data breaches
For entities caught by the Privacy Act 1988, failures in ICT and data governance (security of personal information, breach response, notifiable data breaches) can trigger regulatory enforcement and large civil penalties against the organisation. Directors can then face personal proceedings for breach of their Corporations Act duties in allowing those contraventions to occur or persist, especially where there were obvious deficiencies in ICT security or governance.
Where a privacy or data breach also affects listed‑entity disclosure obligations (for example, continuous disclosure of a material cyber incident), directors can be personally liable for disclosure failures as well.
APRA CPS 234 (information security)
For APRA‑regulated entities, Prudential Standard CPS 234 makes the board “ultimately responsible” for information security. Boards must ensure an information security capability commensurate with threats, approve the information security policy, and oversee roles, controls and incident response, including incidents at material service providers.
If an APRA‑regulated entity suffers serious information‑security failures, APRA and ASIC can use those CPS 234 obligations and the Corporations Act duties as a platform for personal enforcement against directors who did not maintain adequate ICT oversight.
Security of Critical Infrastructure and cyber obligations
For entities designated under the Security of Critical Infrastructure framework, cyber duties (such as mandatory cyber incident reporting and risk management obligations for systems of national significance) effectively require active ICT and OT governance at board level. Failure to ensure compliance can lead to regulatory action against the entity, and then personal exposure for directors via breached Corporations Act duties where ICT risks were foreseeable and inadequately managed.
ASIC cyber and ICT governance expectations
ASIC has made clear that boards must treat cyber and ICT risk as a top‑tier governance issue, including third‑party ICT and cloud providers. ASIC’s cyber resources and speeches emphasise that directors cannot “blindly delegate” ICT risk, and that civil or even criminal action is on the table where poor cyber governance reflects a breach of directors’ duties.
Recent enforcement commentary stresses that directors may incur personal liability for AI‑related or broader digital harms where they fail to implement appropriate governance, even without direct involvement in the specific incident.
Continuous disclosure and fundraising documents
For listed entities, ICT incidents (for example, major cyber attacks, system outages, data‑loss events) can be price‑sensitive, and failure to disclose them properly can give rise to personal liability for directors under continuous disclosure and misleading disclosure provisions. Where ICT risks are material to the business, directors must ensure that prospectuses and other fundraising documents accurately describe those risks and the entity’s cyber and information‑security posture.
If you specify a sector (for example, APRA‑regulated financial services, health, NDIS, education, critical infrastructure), a more targeted map of ICT‑linked personal liabilities and applicable standards can be provided.