Cybersecurity Negligence Can’t Be a Cost of Doing Business Anymore
For years, organisations viewed cybersecurity failures as costly but absorbable mishaps. That era is over. Relentless, high-impact breaches now demand evolving accountability, impacting not just technology resilience but also governance, trust, and the rule of law.
Posted: Tuesday, Nov 04


A Defining Test Case

The Office of the Australian Information Commissioner’s lawsuit against Optus for its 2022 mega-breach, which exposed the data of 9.5 million Australians, marks a turning point. With significant fines per violation at stake, this case could establish a precedent that redefines how organisations perceive their data protection obligations. If successful, it will compel boards to see cybersecurity failures as breaches of governance, not mere technical slip-ups.

Why Accountability Must Evolve

Cybersecurity is no longer solely an IT problem. It has now become a governance problem. The sheer scale of modern breaches means the consequences are systemic – eroding investor confidence, shaking markets, and undermining public trust.

Other domains have learned this lesson. Workplace safety laws emerged from industrial disasters. Financial reporting standards hardened in the wake of corporate collapses. Data protection must also follow suit.

The Power of Consequences

Executives respond to incentives. History shows that clear, enforceable penalties drive real change. Environmental standards, capital adequacy ratios, and safety regimes all became effective only when non-compliance carried tangible costs. Cybersecurity is no different.

This is not about punishing companies for being targeted, as anyone can fall victim to an attack. It is about holding organisations accountable when they fail to implement reasonable, proportionate safeguards in the face of known risks. In 2025 and beyond, ignorance is no defence.

The Optus lawsuit is, therefore, more than a legal battle. It signals that regulators are prepared to treat cybersecurity with the same seriousness as financial or occupational failures. Boards should assume the bar is rising and act accordingly.

The Road Ahead

Pressure will not come from regulators alone. Investors are already asking sharper questions about cyber resilience. Customers are less forgiving. Insurance markets are raising premiums to reflect escalating risk. The market is aligning around a single truth: companies that neglect security will pay for it, whether through lawsuits, lost trust, capital costs, or all of these.

For boards, the path forward is simple. Treat cybersecurity as a standing and independent governance obligation. Demand metrics that show progress, not just activity. Tie executive incentives to measurable cyber resilience. And be well prepared for the day when regulators, shareholders, and courts ask not if you were breached, but whether you were negligent.

The digital era has erased any safe harbour for complacency. Cybersecurity negligence will now carry financial, legal, and personal consequences. Organisations that succeed will not be those that scramble after a breach but those that embed accountability for cybersecurity into their strategy and culture.

Bob Huber
Robert Huber, Tenable’s chief security officer, head of research and president of Tenable Public Sector, LLC, oversees the company’s global security and research teams, working cross-functionally to reduce risk to the organization, its customers and the broader industry. He has more than 25 years of cyber security experience across the financial, defense, critical infrastructure and technology sectors. Prior to joining Tenable, Robert was a chief security and strategy officer at Eastwind Networks. He was previously co-founder and president of Critical Intelligence, an OT threat intelligence and solutions provider, which cyber threat intelligence leader iSIGHT Partners acquired in 2015. He also served as a member of the Lockheed Martin CIRT, an OT security researcher at Idaho National Laboratory and was a chief security architect for JP Morgan Chase. Robert is a board member and advisor to several security startups and served in the U.S. Air Force and Air National Guard for more than 22 years. Before retiring in 2021, he provided offensive and defensive cyber capabilities supporting the National Security Agency (NSA), United States Cyber Command and state missions.