In an era where cyberattacks can bring even the biggest companies to their knees, the Australian Securities and Investments Commission (ASIC) is upping its game. For SMEs, this crackdown means directors and executives can no longer afford to take a back seat on cybersecurity.

Corporate boards will face serious consequences if they fail to protect their companies
from cyber threats, with penalties ranging from hefty fines and even prison terms for serious breaches (unlikely, says The Australian Financial Review, but still on the table).

Cyber Washing and Empty Promises

ASIC is cracking down on “cyber washing”—when companies claim strong cybersecurity practices without real action to back it up. In other words, businesses can’t just say, “We’re secure” without proof. Boards now have to show they’re actively working to prevent cyberattacks. ASIC is making it clear: cybersecurity is no longer just the IT team’s job; it’s a board-level responsibility.

Why This Matters to SMEs

You might think this is a problem for big companies, but SMEs aren’t exempt. The Optus and Medibank breaches show that hackers target businesses of all sizes. SMEs are often seen as easier targets, with fewer resources dedicated to cybersecurity. In fact, over 60% of SMEs fall victim to cyberattacks. Neglecting cybersecurity could lead to serious financial losses and legal consequences if your board is found to be negligent.

How Are Boards At Risk?

Boards are responsible for protecting both the business and individual members. If ASIC determines that a board hasn’t prioritized cybersecurity, directors could face personal liability.

Potential penalties include:

• Civil penalties (up to $1.565M for individuals, higher for companies, depending on breach severity under the Corporations Act 2001, S.180)
• Disqualification
• Compensation orders
• Reputational damage

And it’s not just ASIC—clients, suppliers, and employees expect businesses to take cybersecurity seriously. A breach can lead to devastating consequences.

Is the Punishment Too Severe?

There’s debate over whether ASIC’s tough stance might backfire. Industry leaders like Qantas chairman John Mullen argue that harsh penalties could make businesses less open about their cybersecurity efforts and mistakes. If boards fear penalties, they might be hesitant to share lessons learned from breaches, slowing progress in combating cyberattacks.

What Can Your SME’s Board Do?

For your SME, it’s clear: cybersecurity must be a priority. Directors should be asking tough questions about your company’s cybersecurity practices, such as:

• Are systems regularly updated?
• Do you have an incident response plan?
• Is enough budget allocated to cybersecurity?

ASIC wants more than words—they want evidence of action. To bolster your strategy, check out resources, such as the business.gov.au website, the Australian Cyber Security Centre, and the Cyber Security Handbook for small business and not-for profit directors.

How Insurance Can Help

Cyber insurance helps manage risk and provides peace of mind in the event of a cyberattack. Ensure your policy covers the specific risks your business faces—this is where we come in, tailoring coverage to fit your needs. With ASIC’s increased focus, the right coverage and regular policy reviews are essential.

We’re here to guide you. If you want more detail about how cyber security rules are tightening CLICK HERE, or contact us for a discussion today.