
Cyber risk: A responsibility for boards, management and business owners – waiting is no longer an option

20 August 2025

For too long, many boards, executives and business owners have treated cyber risk as if it belongs exclusively in the IT department. The truth is stark: IT teams manage IT systems, but directors and management govern risk. Regulators, courts, customers and investors now view cyber resilience as a core leadership obligation, not merely a technical side issue. Failures can lead to court action, regulatory penalties and reputational loss.

“The expectation has shifted. Cyber resilience is no longer ‘nice to have’. It’s a legal and governance obligation,” says Carien Ahdar, Senior Financial and Professional Risks Insurance Broker, DKG Insurance Brokers.

Think cybercriminals only target large corporates? Think again. Smaller organisations often have weaker defences, lower budgets and slower response times, all of which make them perfect targets.

The Australian Signals Directorate (ASD) reports that business email compromise, ransomware and data theft remain the top cybercrime types impacting Australian businesses.

Recent high-profile breaches, including those affecting large technology distributors such as Ingram Micro, highlight that no business is immune.

It is not just criminals pursuing cybercrime anymore. “Hacktivism”, where attackers strike in pursuit of a political or social cause, is growing across the USA, Europe and Asia. Targets range from universities and social platforms to critical infrastructure.

The ASD’s 2023/2024 Annual Cyber Threat Report provides another sobering snapshot:

  • 36,700 calls to the Cyber Security Hotline (+12% year-on-year).
  • 1,100 cyber incidents handled, 11% involving critical infrastructure.
  • Ongoing escalation of state-sponsored and organised criminal attacks.
  • Ongoing prevalence of phishing, credential theft and ransomware.

“These numbers should be a wake-up call for every director, manager and business owner. The risk environment is intensifying, not slowing. Effective cyber governance, which should include well-structured cyber insurance, is no longer optional,” comments Carien.

Modern cyber insurance is less about writing a cheque after the fact and more about ensuring your survival during and after an attack.

Quality cyber policies now provide:

  • Specialist incident response teams: On-call and experienced cyber claims coaches to contain and manage the breach.
  • Legal and regulatory guidance: For you to stay compliant under pressure.
  • Crisis public relations support: To defend your reputation in the public arena.
  • Business interruption cover: To protect revenue and recovery post-incident.

Insurers in Australia and abroad are rethinking how quotes and cover are delivered: on-demand quotes, clear policy language, corporate and SME-tailored products and even cyber “health checks” as part of the underwriting and onboarding process. These risk assessments can be invaluable in identifying vulnerabilities early. A specialist liability insurance broker can help translate that insight into action.

Insurers abroad and in Australia (i.e. CFC, Cylo, Emergence, Coalition, Sync) now provide quote platforms, simple policy language and even SME-focused coverage that aligns with governance best practices. This reflects the industry’s shift toward speed, simplicity and clarity in coverage delivery.

As Carien concludes, “Quick access to robust cover and response teams means you don’t waste precious time when every second counts.”

To move from reactive to resilient, boards and business leaders should:

  1. Acknowledge reality: Cyber is a governance risk, not an IT problem.
  2. Stress-test resilience: Conduct ongoing reviews of your cyber incident response and your cyber Business Continuity Plan (BCP). Review and stress-test your cyber insurance regularly against known and emerging cyber risks.
  3. Make insurance a strategic priority: View cyber insurance as an active governance tool, not a passive policy.
  4. Challenge assumptions: Erase the “too small to be targeted” myth in your leadership team.
  5. Remain vigilant: Track regulatory enforcement and evolving threat trends closely.
  6. Engage expertise: Work with an experienced liability insurance broker to close gaps before attackers find them.

In summary, the question is no longer if a cyber event will impact your business, but when. The difference between survival and scandal is whether your board, management or the business owner treats cyber risk as part of governance or as someone else’s problem.

Need clarity around your cyber governance? Let’s have that conversation. Carien and the DKG team are ready to help you prepare for and mitigate the risk, not just protect against it. Contact DKG Insurance Brokers today to review your D&O coverage by calling us on 1800 252 926 or emailing us at insurance@dkg.com.au.
