ITCSAU - Advising Sovereignty in a Digital Age
Cybersecurity | Critical Infrastructure | 7 MIN READ

The Board's Role in Cyber Incident Response

When a breach happens, the board has 72 hours to demonstrate it governed rather than delegated. The difference shapes regulatory outcomes, market consequences, and director exposure.

By Marc Mendis

In Brief

The Optus breach triggered a A$140 million remediation provision. Medibank faced remediation costs exceeding A$125 million plus APRA-mandated capital requirements. MediSecure's breach contributed to the organisation entering voluntary administration. In each case, the board's preparedness for incident response shaped regulatory, financial, and reputational outcomes more than the technical details of the attack. With Australian directors now facing potential personal liability for cyber governance failures under the SOCI Act, ASIC director duties, and APRA CPS 234, a board that has not rehearsed its crisis governance role is relying on hope rather than governance.

What the Recent Breaches Actually Revealed

The Optus breach of September 2022 exposed 9.8 million customer records and triggered a remediation provision exceeding A$140 million, before regulatory penalties and class action exposure were calculated. Medibank’s breach two months later compromised health data for 9.7 million Australians, with remediation costs exceeding A$125 million and APRA imposing a A$250 million capital adequacy requirement that constrained the company’s balance sheet for over a year. By 2024, MediSecure’s breach of 12.9 million prescription records had contributed to the organisation entering voluntary administration amid compounding operational and reputational damage.

1,100+ cyber security incidents responded to by the ACSC in 2023-24, with numbers rising further in the current reporting period (ASD Annual Cyber Threat Report 2023-24)

The technical postmortems of these incidents have been widely discussed. What has received less attention is how differently the governance responses played out. In each case, the board’s preparedness for crisis decision-making shaped regulatory and financial outcomes more than the sophistication of the attack itself. Optus faced prolonged public criticism partly because early communications created expectations the organisation could not meet. Medibank’s decision not to pay the ransom was a governance call, made under extraordinary pressure, that required pre-existing board-level frameworks for that specific scenario. MediSecure’s trajectory suggests that governance gaps can compound operational failures into existential outcomes.

These are not cautionary tales about firewalls. They are case studies in board governance under acute pressure, and they share a common lesson: the quality of governance visible in the first 72 hours after detection appeared to shape eventual outcomes at least as much as the quality of the security architecture breached.

The Regulatory Framework Boards Must Navigate

Australian directors face overlapping reporting obligations that can, in some circumstances, create personal liability exposure.

Australian Cyber Incident Reporting Obligations

| Framework | Trigger | Timeline | Consequence of Failure |
|---|---|---|---|
| SOCI Act (critical) | Significant impact on availability | 12 hours to ASD | CISC enforcement, step-in powers |
| SOCI Act (other) | Relevant impact on critical asset | 72 hours to ASD | Regulatory scrutiny, compliance action |
| APRA CPS 234 | Material info security incident | 72 hours to APRA; 10 days for control weaknesses | Supervisory action, capital charges |
| Privacy Act 1988 | Eligible data breach | 30 days to assess; notify OAIC as soon as practicable | Civil penalties up to $50M per contravention |
| ASX Listing Rules | Material price-sensitive information | Continuous disclosure | ASIC enforcement, market sanctions |

ITCSAU regulatory advisory analysis based on published legislative instruments, as at March 2026

A single breach affecting a SOCI-registered, APRA-regulated, ASX-listed entity could trigger five separate notification obligations with different timelines, different recipients, and potentially conflicting disclosure requirements. The legal teams managing these notifications must coordinate with forensic investigators still assessing scope, communications teams managing market messaging, and operational teams containing the threat. Without pre-established counsel relationships and pre-drafted notification templates, meeting all obligations simultaneously under crisis conditions is, in our assessment, exceptionally difficult for most organisations.

ASIC has signalled through enforcement actions and public guidance that director duties under the Corporations Act extend to cyber risk oversight. The standard is reasonable care and diligence, applied to the governance of the risk rather than the prevention of the breach itself. The Medibank and Optus regulatory proceedings are establishing case law on what “reasonable” means in practice. The OAIC’s action against Medibank alleges failure to take reasonable steps to protect personal information. When those proceedings conclude, the outcome will define the governance standard for every organisation holding comparable data volumes.

The insurance landscape adds a further consideration. Following recent high-profile incidents, many cyber insurance policies now include war exclusions or hostile nation-state clauses. Coverage caps that appeared adequate at policy inception may prove insufficient when regulatory consequences are included. APRA’s A$250 million capital adequacy requirement against Medibank demonstrated that regulatory costs can exceed breach remediation itself, a dimension that many insurance policies do not cover. Boards should review policy exclusions annually against the current threat landscape and, in our experience, plan on the assumption that financial risk transfer may be unavailable for the most severe scenarios. The ransomware payment reporting obligations under the Cyber Security Act 2024 add a further compliance layer that boards must account for in their governance frameworks.

Building Pre-Authorised Crisis Protocols

Decision Delays Compound Exposure

During several recent Australian incidents, critical decisions about system isolation and public disclosure required escalation through governance chains not designed for crisis speed. Because cyber incidents escalate in hours while board governance cycles operate in weeks, every hour of delay during active exfiltration increases the volume of compromised data.

The board should establish, in advance, a set of crisis protocols we call the ITCSAU Incident Governance Model: standing decision rights granted to named executives that activate without board approval during the first critical hours of an incident.

System isolation authority is the most consequential component. Taking a revenue-generating system offline during a suspected breach carries material financial consequences, but if that decision requires board approval while an adversary is active, the delay compounds the damage. The CISO or incident commander needs standing authority to isolate systems within defined parameters, with the board briefed after the fact.

Pre-contracted external counsel and forensics are the second component. A SOCI-registered energy company we advised maintained retainer arrangements with two cyber-specialist legal firms and a digital forensics provider. When ransomware hit their OT environment at 2am on a Saturday, the incident commander activated all three with a single phone call. The 12-hour SOCI notification was filed by 10am. Organisations forced to negotiate engagement terms during an active incident lose hours they cannot recover, and in some cases compromise legal privilege in the process.

The third component is pre-drafted regulatory notifications for every applicable framework, so that only incident-specific details need to be added under pressure. One organisation we reviewed after an incident had filed a SOCI notification that inadvertently disclosed information they later wished to withhold from the concurrent Privacy Act notification. The inconsistency became a point of regulatory scrutiny that a pre-drafted, legally reviewed template set would have prevented.

The First 72 Hours: Critical Decision Points

Board governance decisions required during active incident response:

0h: Detection
1h: Incident commander (IC) activated
4h: Scope assessment
12h: SOCI critical notification due
24h: Board briefing
48h: Disclosure decision
72h: SOCI other / APRA CPS 234 notification due

Pre-authorised decisions (no board approval needed): system isolation, counsel engagement, forensic activation.

Board-level governance decisions: regulatory strategy, public disclosure, ransom policy.

The first 12 hours must operate on standing authority. Decisions requiring board approval begin at the 24-hour briefing.

ITCSAU Incident Governance Model, 2026

Simulations That Test Governance, Not Technology

An incident response plan that has not been exercised under realistic conditions provides false assurance. The Optus post-incident review revealed that the organisation’s plan had not been tested at board level. In our advisory work across critical infrastructure and financial services clients, this is common. Most boards review cyber risk annually through committee reports but have never participated in a scenario that forces actual governance decisions under time pressure.

Board-level simulations should test three capabilities that paper reviews cannot assess. Does the person designated to isolate systems actually know they have that authority, and will they use it when the revenue impact is staring at them in real time? Can the legal team file a SOCI notification within 12 hours and a Privacy Act assessment within 30 days without the two disclosures contradicting each other? And who decides what the organisation says publicly while legal counsel is advising against premature disclosure?

A financial services board we facilitated through a simulation exercise discovered that their designated incident commander had never been told they held isolation authority. The CISO believed the authority sat with the CTO. The CTO believed it required board approval. That ambiguity, invisible in the written plan, would have cost hours during a real exfiltration.

Simulations should run biannually with scenarios tailored to the organisation’s threat landscape. A financial services firm should simulate customer data exfiltration. A critical infrastructure operator should simulate an OT compromise affecting service delivery. Every gap identified feeds into the next cycle. One board we advised discovered during a tabletop exercise that their SOCI notification template still referenced the pre-December 2024 reporting timelines and their crisis communication plan assumed a 48-hour response window that the 12-hour SOCI deadline had already eliminated.

Priority Actions for the Next Board Meeting

ITCSAU Incident Governance Model: Readiness Checklist

| Action | Owner | Timeline | Priority |
|---|---|---|---|
| Conduct board-level incident simulation with realistic scenario | Board Chair / Company Secretary | Within 90 days | Critical |
| Establish pre-authorised crisis protocols with named decision rights | CISO / General Counsel | Within 60 days | Critical |
| Brief full board on personal director liability under Corporations Act | External Counsel | Next board meeting | Critical |
| Retain cyber-specialist legal counsel on standing engagement | General Counsel | Within 30 days | High |
| Pre-draft regulatory notification templates for SOCI, Privacy Act, APRA, ASX | Legal / Compliance | Within 60 days | High |
| Review cyber insurance exclusions against current threat landscape | CFO / Risk Committee | Next renewal cycle | High |

The readiness checklist above is a focused set of governance priorities, not a comprehensive cyber strategy. It is the foundation that should be in place before a board can credibly claim it has discharged its duty of care on cyber risk. The Medibank and Optus proceedings will clarify what “reasonable care” means in practice. Boards that have already built these capabilities will find themselves in a materially different position from those still planning to start.

Cyber incident governance is a board discipline. It must be owned, rehearsed, and tested before the crisis arrives. Boards that treat it as a compliance exercise will discover the difference during the 72-hour window they cannot rewind.

Questions for Leadership

When were we last briefed on our incident response plan, and when was it last tested under realistic conditions?

Untested plans fail under pressure. Boards that review plans annually but never simulate execution discover gaps during real incidents.

What are our mandatory reporting obligations and timelines under SOCI Act, Privacy Act, and sector regulators?

The SOCI Act requires reporting within 12 hours for critical incidents. Missing regulatory windows creates additional exposure beyond the breach itself.

Who has authority to isolate systems, engage external counsel, and notify regulators without board approval?

Incidents escalate in hours. Pre-authorised crisis protocols prevent decision bottlenecks that worsen outcomes.

Do we have cyber insurance, and what does it actually exclude?

Many policies now exclude nation-state attacks. Risk the board assumed had been transferred may have migrated back to the balance sheet.

What is our board's exposure under ASIC director duties for a cyber governance failure?

ASIC has signalled that director duties extend to cyber governance. Boards unable to demonstrate reasonable oversight may face liability risk.

The Strategic Imperative

Cyber incident response is the sharpest test of board governance. Every control failure, every missed reporting deadline, and every delayed decision during an incident traces back to a governance choice made months or years earlier. The boards that will navigate the next major breach are those that rehearsed for it and pre-authorised crisis protocols before the crisis arrived.

Frequently Asked Questions

What is the board's specific role during a cyber incident?

The board's role during a cyber incident is governance, not operations. This means receiving timely briefings from the incident commander, authorising strategic decisions such as system isolation or ransom payment, overseeing regulatory notification compliance, managing external communications strategy, and ensuring the organisation's legal position is protected. The board should not direct technical response but should ensure those directing it have authority and support to act decisively.

What are the mandatory reporting requirements for cyber incidents in Australia?

Australian organisations face multiple reporting obligations depending on sector. The SOCI Act requires critical infrastructure entities to report significant cyber incidents to the Australian Signals Directorate within 12 hours and other incidents within 72 hours. The Privacy Act 1988 allows up to 30 days to assess whether an eligible data breach has occurred, after which notification to the OAIC and affected individuals must happen as soon as practicable. APRA CPS 234 requires notification within 72 hours for material incidents and 10 business days for control weaknesses.

Should boards conduct cyber incident simulations?

Tabletop exercises that simulate realistic cyber incidents are among the most effective ways to identify governance gaps before they materialise during a real event. Simulations should involve the full board, not just the risk committee, and should test decision-making under time pressure including regulatory notification decisions, external communications, and system isolation authority. Leading practice is to conduct these exercises biannually with scenarios reflecting the organisation's specific threat landscape.

What cyber insurance considerations should boards be aware of?

Cyber insurance policies have narrowed significantly since the Medibank and Optus incidents. Many policies now include war exclusions or hostile nation-state clauses that may exclude state-sponsored attacks. Coverage caps may be insufficient for major incidents affecting millions of records. Boards should review policy exclusions annually and plan on the assumption that financial risk transfer through insurance may be unavailable for the most severe scenarios.

How do ASIC director duties apply to cyber governance?

ASIC has indicated that director duties under the Corporations Act extend to oversight of cyber risk as a material business risk. Directors must exercise reasonable care and diligence in governing cyber risk, which includes ensuring adequate investment in cyber capability, maintaining oversight of incident response preparedness, and demonstrating that the board engaged with cyber risk governance at a level commensurate with the organisation's threat exposure.

Engage the Advisors

If your organisation is approaching a significant strategic decision, or questioning the value of current investments, we should talk. Strategic counsel at the right moment can redirect significant capital toward genuine business value.
