For many boards, cyber risk still sits on the IT agenda. It's reviewed periodically, ticked off in compliance updates, and revisited when a breach makes headlines.
But the scale and nature of today's threats demand more. Cybercrime has become relentless, targeted, and high-consequence. In 2024-25, the Australian Signals Directorate received more than 94,000 cybercrime reports (roughly one every six minutes). Attacks are no longer confined to data theft. They are disrupting operations, exploiting critical infrastructure, and shaking investor confidence (ASD, 2025).

Ransomware remains one of the most damaging threats. The average financial impact on a medium-sized organisation now exceeds $97,000 per incident, and that figure does not account for reputational fallout, legal exposure, or downtime. Despite this, fewer than 70% of large Australian businesses hold standalone cyber insurance, and even fewer SMEs have cover in place (Insurance Council of Australia, 2022).

For boards and executive teams, cyber resilience must now be treated as a core pillar of governance alongside financial, legal, and operational risk.

Why insurance must be part of the risk conversation

For too long, cyber insurance has been viewed as an optional layer of protection, considered only after investing in firewalls and employee training. But as attacks become more sophisticated and their consequences more widespread, insurance is becoming a critical part of business risk strategy.

Today's incidents extend well beyond IT. They trigger regulatory investigations, class actions, public scrutiny, and operational shutdowns. In 2024-25 alone, the Australian Signals Directorate responded to 127 cyber security incidents affecting critical infrastructure sectors, many of which also affected supply chains and sensitive financial data (ASD, 2025).

Cyber insurance policies are a vital recovery mechanism, but they also contribute to resilience. Many include:
Yet, despite these benefits, coverage remains low. Just 20% of SMEs and between 35% and 70% of larger businesses in Australia currently hold standalone cyber insurance (Insurance Council of Australia, 2022). That leaves a significant number of organisations exposed.

If your systems go dark, how long can you wait?

Ransomware has evolved. Where it once encrypted files and demanded payment, it now brings entire systems to a standstill. In 2024-25, over 80% of all ransomware incidents reported to the ACSC involved data theft or encryption, and many disrupted core business operations, including finance, logistics, and customer service (ASD, 2025).

That makes cyber resilience a business continuity issue. Modern continuity plans should include:
Yet many plans go untested or overlook cyber risks entirely. Business email compromise alone cost Australian organisations over $77 million in 2024-25, often while key teams were locked out of their systems or unaware of the breach (ASD, 2025). Cyber risk must sit in the enterprise risk register alongside supply chain and regulatory risk. It is a business issue with real-world consequences.

Where your financial data lives and who can touch it

Cybercriminals are not chasing headlines; they are chasing high-value data. In most organisations, that means financial information. Payment systems, supplier accounts, payroll platforms, investment details, and customer billing data are all high-value targets.

Business email compromise (BEC) was the most costly cybercrime for Australian organisations in 2024-25, with an average reported loss of over $39,000 per incident and a total loss exceeding $77 million (ASD, 2025). Many of these cases began with compromised credentials or socially engineered invoice redirection scams, in which an attacker poses as a known supplier and asks for future payments to be sent to a new bank account.

Beyond antivirus software and strong passwords, protecting financial data demands:
A recent ACSC threat report found that 80% of cybercrime reports to ReportCyber in 2024-25 involved compromised credentials (ASD, 2025). Many of these incidents could have been avoided with better internal controls and awareness. Resilience starts with visibility. Know where your financial data lives, who has access to it, and how it is protected, because a single exposed credential can become a company-wide crisis.

Auditing the maturity of your cyber security

Beyond auditing access, the next step towards improving your cyber security is a comprehensive understanding of where you stand today. A maturity audit gives you clarity on next steps and a sound basis for raising the subject with the wider board. The US National Institute of Standards and Technology (NIST) publishes the widely adopted Cybersecurity Framework (CSF), whose four Implementation Tiers let you place your organisation on a common scale and give the board a shared language. NIST itself notes that the Tiers describe the rigour of your risk management practices rather than a formal maturity model, but for a board conversation they serve the same purpose.

The four tiers are:
Tier 1 (Partial): your cybersecurity risk management is reactive and ad hoc; there are no formal processes or guardrails in place.
Tier 2 (Risk Informed): you have some policies and procedures in place; however, they may be outdated and not fully integrated across the organisation.
Tier 3 (Repeatable): cybersecurity is a recognised priority, with defined policies, implemented tools, monitoring schedules, and regular reporting.
Tier 4 (Adaptive): at the highest tier, cybersecurity is well integrated into the organisation, you conduct regular checks and improvements, and the organisation responds quickly to threats.

Bring cyber to the boardroom table

Cyber security now shapes reputation, influences investor confidence, and can determine the success of major strategic decisions. Yet too often it remains absent from executive agendas, treated as a siloed IT issue rather than an enterprise-wide concern. That gap leaves organisations vulnerable. From disrupted operations and leaked financials to stalled acquisitions and shaken customer trust, the consequences of cyber incidents now touch every corner of the business. And with regulators placing greater accountability on directors, the stakes are only getting higher. Here's why it belongs on the agenda:
Boards that engage early, and set a target maturity level, can help their organisations stay secure, resilient, and ready to respond.

Cyber risk is now a director's responsibility

Cyber risk is a board-level vulnerability with material consequences. Yet many organisations remain underinsured, underprepared, and unclear on where accountability sits. Threats are escalating, recovery costs are climbing, and directors are now expected to demonstrate oversight.

Boards have a clear opportunity to shift from reactive defence to strategic resilience. That means embedding cyber risk into enterprise risk frameworks, ensuring insurance is fit for purpose, and regularly testing response plans. The stakes are high. So is the value of getting it right.
References

Australian Signals Directorate (ASD) 2025, Annual Cyber Threat Report 2024-25, Australian Cyber Security Centre, Canberra. https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

Insurance Council of Australia (ICA) 2022, Cyber Insurance: Protecting our way of life in a digital world, Insurance Council of Australia, Sydney. https://insurancecouncil.com.au/wp-content/uploads/2022/03/Cyber-Insurance_March2022-final.pdf

DNA Cyber Security 2025, NIST Cybersecurity Framework: A Strategic Guide for Australian Businesses. https://dnacyber.com.au/nist-cybersecurity-framework-a-strategic-guide-for-australian-businesses/