Director Liability Notice: ASIC v RI Advice established that inadequate cyber controls breach a company’s licence obligations, exposing directors to personal liability.

Director Liability & Cyber Governance

Your board pack says green.
ASIC doesn’t care about your dashboard.

The Cyber Security Act 2024 confirmed that Non-Executive Directors are personally liable for failures in cybersecurity governance. Passive acceptance of management reporting is no longer a defensible position. Directors’ duties under s180 of the Corporations Act require active, informed oversight.

The Systemic Problem

“Watermelon” Reporting: Green on the outside, red underneath.

The board sees compliance completion metrics (% complete), but the attacker sees defensive capability gaps (% effective under attack). This gap exists because GRC frameworks measure control implementation, not independent stress testing.

The Board Report Says:
  • Multi-Factor Authentication: Implemented
  • Coverage Target: 100%
  • Audit Status: Compliant

The Actual Reality:
  • Token Binding: None
  • Session Invalidation: Failing
  • Tested Against Token Theft? Never

The ASIC Litmus Test

“What specific questions did you ask to validate those assurances?”

Your CISO is reporting Green across the board. But these are vanity metrics: they measure activity, not outcome. On the two most critical risks (ransomware preparedness and SOCI compliance) you are flying completely blind.

Directors are entitled to rely on management—but only where that reliance is reasonable and informed. If an incident occurred today, your personal liability exposure under the RI Advice precedent would be significant. The governance framework itself needs to change.

Advisory Engagements

From Personal Liability Exposure to Governed Assurance.

Independent, unvarnished truth for the Audit & Risk Committee.

01

The Shadow Board Pack Review

$7K – $8K · Fixed Fee

You send us your last three board cyber reports. We annotate them in red: what is being hidden, what is watermelon reporting, and which three critical risks are not being disclosed.

  • Annotated board reports (Red Team review)
  • Identification of vanity metrics
  • Personal 2-page liability briefing for the NED
Review Your Board Pack →
Enterprise Standard
02

Governance Framework Uplift

~$40,000 · Scoped Project

Complete redesign of the board-level cyber governance architecture, moving from passive reporting to active, outcome-based oversight.

  • Revised Board Cyber Charter
  • Updated Risk Appetite Statement (Tolerances)
  • Outcome-based Board Reporting Dashboard
  • Director’s Due Diligence Framework
Rebuild Governance
03

The Independent Board Advisor

$5K – $8K / mo · Retainer

Dean attends Risk Committee meetings as your independent cyber expert. He translates technical reporting into governance language, asks the hard questions, and provides an independent opinion on management’s assurances.

  • Risk Committee attendance & advisory
  • Translation of technical metrics
  • Validation of management assurances
Inquire on Availability →
Board-Ready Resource

The Director’s “Get-Out-of-Jail” Question Card

A printable, wallet-sized PDF with five hard questions a NED must ask at their next board meeting to demonstrate cyber governance due diligence. Questions are calibrated so that honest answers from management will reveal the true capability gaps.

Independent Cyber Lens

Book an Advisory Scoping Briefing

Dean Kastelic

Former Enterprise CISO & KPMG Director

Dean operates as the “independent cyber lens” for mid-market boards across Australia. He bridges the gap between technical security failure and director liability, providing directors with the evidentiary record required to demonstrate active, informed oversight.

“The next director facing enforcement will not be able to point to green dashboards as a defence. We build the record of oversight before the incident occurs.”