“We’ve Got IT” Isn’t Enough: Why Cyber Security Requires Director Oversight

Written by: Liam Benson

Published on: June 26, 2025

Category: Cyber Security


In our experience assisting Australian businesses through dozens of cyber incidents and assessments, we’ve observed a recurring and dangerous belief from directors and executives:

“Our IT provider handles everything — we’re covered.”

This assumption leaves serious legal, reputational, and financial risks unaddressed, because cyber security is not the same as IT, and directors are the ones ultimately responsible for managing it.

The Growing Risk: What Directors Often Miss

We speak with business leaders across industries (healthcare, manufacturing, finance, and beyond), and the most common issue we encounter isn’t negligence. It’s a lack of clarity.

Many directors:

  • Don’t know what their actual obligations are under the Privacy Act 1988 or Notifiable Data Breach (NDB) scheme
  • Don’t know what a compliant incident response plan looks like
  • Don’t know that ASIC can take action against them personally for a data breach
  • Aren’t sure whether their business has been assessed for cyber security risk in the last 12 months
  • Believe their MSP or IT provider is “probably doing something about cyber”

The truth? Most directors underestimate their exposure, and many directors don’t realise what they’re personally accountable for under the Corporations Act 2001 (Cth).

ASIC Is Clear: Directors Are Responsible for Cyber Risk

Under section 180 of the Corporations Act, directors must exercise due care and diligence, and that includes managing cyber risk.

ASIC has publicly reinforced this, stating:

“If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC.” — ASIC Chair Joe Longo (AFR Cyber Summit, 2023)

In plain terms: Cyber security isn’t optional. It’s a director and board-level responsibility.

The Disconnect We See with IT Providers

IT Service Providers/Managed Service Providers (MSPs) are essential to keeping your IT systems operational — but in our audits and incident response services, we’ve consistently found that MSPs often do not include cyber security strategy in their standard scope.

This includes:

  • No board-level cyber risk reviews
  • No documented response planning
  • No privacy compliance alignment
  • No insurance readiness
  • No legal reviews

This creates a disconnect: directors believe their IT service provider/MSP is handling these things, but the MSP isn’t scoped to do so and assumes the board, directors and executive team are across it.

And when an incident occurs, it’s already too late.

A Real-World Example: Misplaced Confidence, Major Consequences

We were recently engaged by an organisation on an incident response basis, and they believed they were covered. They had an MSP, backups, and antivirus.

But when a breach occurred:

  • There was no incident response plan
  • There was no incident response team
  • The MSP wasn’t prepared to lead a coordinated response
  • Four weeks of delays caused additional damage
  • The company had no cyber insurance and failed to notify regulators or affected customers
  • Pending legal action against said company.

The fallout? Regulatory pressure, loss of trust, and pending legal action — all avoidable if the directors had been more involved in strategy and planning.

The Core Issue: Lack of Awareness and Direction

From what we’ve seen, most directors don’t ignore cyber security out of neglect; they put it in the “too hard basket” because they simply don’t know where to start. We get it: it’s overwhelming.

Here are some questions to ask yourself:

  • “Who should be involved in an incident if one were to occur?”
  • “How often do we review our incident response plan?”
  • “Are we adhering to the 13 Privacy Principles outlined in the Privacy Act?”
  • “When was the last time we had a cyber security review conducted?”
  • “What were the outstanding items to be addressed in our last review?”
  • “When was the last time we reviewed our cyber security insurance coverage?”

These are common, fair questions.

The problem is, doing nothing because it feels complex doesn’t reduce your liability, it increases it.

Strategy Before Tools - Our Approach

At EvolveCyber, we help businesses understand what cyber security means at a director level. For our clients, this is not an afterthought, it’s embedded into how we work.

We:

  • Partner with directors and executive teams to develop practical, risk-based cyber security strategies
  • Conduct independent reviews to assess policies, procedures, and posture
  • Guide your internal response capability — before an incident occurs
  • Make sure the right people (internal and external) are ready if a breach happens

Because you can’t guarantee protection, but you can guarantee preparation.

As A Director - What Should We Be Looking For?

We believe in investing in securing your business, but at the same time, preparing your organisation for the worst, not just hoping for the best.

Our services include:

✅ Ongoing cyber security assessments every 3/6/12 months (depending on size and scale of the business)

✅ Incident response planning and tabletop simulations

✅ Privacy Act and NDB Reviews

✅ Cyber insurance readiness and advisory

✅ Executive awareness training and board-level guidance

✅ Understanding the necessary protections you need to have in place, implementing these protections and controls, and ensuring they’re effective.

Our team has supported dozens of Australian businesses to get clarity on their obligations, implement the right measures, and prepare confidently for the reality of modern cyber threats.

What can I do today?

If you’re unsure where your organisation stands, or if you’ve put cyber strategy in the “too hard” basket, now is the time to take action.

Taking action, no matter what, is better than doing nothing.

We recommend booking in for a cyber security assessment with EvolveCyber to:

  • Understand where your cyber security maturity is at, across the entire organisation
  • Understand the impact of a data breach on your business (Financial, Reputational, Operational)
  • Understand the current state of your internal policies and processes
  • Identify critical gaps in your strategy
  • Receive a roadmap to improve risk, readiness, and resilience

👉 Schedule your review now — and start taking cyber security seriously, at the level directors are expected to.

Because IT keeps your systems running. But cyber security protects your entire business.
