Australia’s Cyber Laws Just Changed on Who Takes the Hit
Posted: Tuesday, Jan 13
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB and is widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. She is also the former Producer and Host of the streaming show 2Fa.tv. The group’s flagship arm, KBI.Media, is an independent and agnostic global cyber security media company, with KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity and provide genuine insight to executives on the downstream impacts that cybersecurity advancements and events have on our wider world.



There’s a new kind of tension creeping into Australian boardrooms. For years, when a cyber incident hit, accountability had a familiar landing zone: fob it off and ‘talk to security’. Those days are over.

With new federal cyber legislation now placing personal liability on company directors, responsibility has shifted upstream, and everyone feels it. CISOs. CFOs. CEOs. Boards. You’re on the hook more than ever; cyber resilience is no longer optional, and ignorance is no longer a defence.

Cybersecurity has long relied on a quiet mythology: the tireless security leader holding the line with limited budget, limited authority, and unlimited expectations.

I’ve heard it countless times — talented practitioners stretched thin, propping up entire organisations through sheer grit and moral responsibility. Many entered the field to protect people and systems, not to carry existential risk alone.

That imbalance is finally being challenged.

Daniel Churches, ANZ Director at ColorTokens, in a recent interview added:

“It’s no longer a solo act.”

Accountability is no longer collapsing onto the CISO by default. Directors and senior executives are now formally on the hook, not symbolically, but legally. And that changes behaviour fast.

If an organisation suffers a breach without demonstrable cyber resilience and continuity planning, consequences now extend beyond fines. Directors may face removal from leadership roles.

The Australian Government has come in firing on all cylinders and has effectively said that it is setting the bar.
What it hasn’t said is exactly how high the bar is… or how forgiving the landing will be. Australia isn’t locking security leaders behind bars, like the United States… yet.

“I know of countries holding CISOs personally liable, even prison terms. That’s not Australia… but the pressure here is still very high,” said Churches.

The difference now comes down to visibility. Cyber risk has moved from the IT basement to the board agenda, and it’s staying there. Boards can’t obfuscate and say ‘we didn’t understand’.
And CISOs can’t quietly absorb blame for underfunded, unsupported decisions made far above their pay grade. If it ain’t broke, don’t fix it? That logic no longer holds.

“You need to articulate cyber risk in terms leadership understands — not just liability, but measurable business value,” Churches went on to say.

A government mandate gives boards leverage they didn’t previously exercise. It creates permission to act decisively rather than reactively, and ultimately to fund resilience before you’re up the creek without a paddle.

Traditionally, the majority of boards fixate on fines, ransoms, and insurance exposure. Security practitioners know the real damage is slower and often worse.

A major breach doesn’t just interrupt operations; it has ongoing downstream impact that even actuaries haven’t fully captured.

“The average recovery from a full-blown breach is around 260 days,” added Churches.
“That’s almost a year of operating below capacity.”

That’s lost trust. Lost momentum. Lost talent. Lost credibility.

And when critical infrastructure or a major telco goes down, it’s serious. Constant connectivity is a dependency. Governments know this now and are fighting to ensure companies can keep their heads above water. They’re no longer willing to absorb repeated economic and societal hits because organisations failed to prepare.

Already, vendors are exploiting director liability as a sales tactic: buy this or lose your job. It’s lazy, harmful, and counterproductive for an industry already battling burnout.

“Composure matters. Measurable outcomes matter. That’s what we should have been doing all along,” Churches commented.

Fear doesn’t build resilience. Trust, clarity, and shared ownership do. This legislation doesn’t fix cybersecurity, but it finally aligns power with responsibility.

Now, it’s shared. And that is what matters.

The threats aren’t slowing down, and neither are AI, automation, and quantum. But foundational resilience still works. The basics still matter.

Churches added, “The pillars that help businesses withstand the hits… they’re already there.”

The next breach will come. That’s inevitable.
