Andrew Roberts Advisory

What the AICD Cyber Security Governance Principles Actually Require from Your Board

The Australian Institute of Company Directors, in partnership with the Cyber Security Cooperative Research Centre, released Version 2 of the Cyber Security Governance Principles in November 2024. These Principles are now the benchmark framework for cyber governance in Australia, referenced by regulators, auditors, and increasingly by plaintiffs' counsel assessing whether a board discharged its duty of care following a cyber incident. If your board hasn't formally assessed itself against Version 2, that gap is itself a governance finding.

What the Principles Cover

The five Principles establish what the AICD considers the minimum standard for board oversight of cyber security risk:

1. Set clear roles and responsibilities

The board must be clear on who owns cyber risk within the organisation, how decisions escalate to the board, and what the board's own oversight responsibilities are, not just that someone in the executive team "handles" it.

2. Develop, implement and evolve a comprehensive cyber strategy

Cyber security must be treated as a strategic issue, not an IT cost line. The board should be able to articulate the organisation's cyber strategy, understand how it aligns with business risk appetite, and evidence that it is reviewed and updated as threats evolve.

3. Embed cyber security in risk management

Cyber risk should appear in the organisation's enterprise risk framework with defined risk appetite, tolerance levels, and measurable controls, not as a standalone IT report that the board receives but cannot interrogate.

4. Promote a culture of cyber resilience

The board has a role in setting tone from the top on cyber resilience: ensuring that cyber training, incident reporting culture, and accountability for security behaviours extend beyond the IT department.

5. Plan and prepare for significant cyber incidents

Boards must oversee the existence and testing of incident response and business continuity plans. Version 2 introduced new guidance on governing through a cyber crisis, including board-specific responsibilities during and after a significant incident.

What Version 2 Added

The November 2024 update expanded guidance on three areas that have become materially more significant since 2022:

Digital supply chain risk

Boards must actively oversee the cyber risk profile of material suppliers and third-party providers, not assume that a vendor's ISO 27001 certificate is sufficient assurance. The Australian Signals Directorate has identified supply chain cyber risk as a board priority for 2025–26.

Data governance

The Principles now connect cyber governance to data governance more explicitly, recognising that poorly governed data is both a cyber target and a source of exposure under the Privacy Act.

Cyber incident response and recovery

Version 2 includes world-first guidance specifically for directors on their responsibilities during a live cyber incident, recognising that boards have failed in past incidents not because they lacked a response plan, but because they did not know their own role in executing it.

Where Most Boards Fall Short

The most common gaps are not failures to understand the threat landscape. They are structural:

No genuine board-level risk appetite statement for cyber

Many boards have endorsed an IT security policy. That is not a risk appetite statement. A cyber risk appetite statement specifies what level of risk the board will tolerate, under what conditions it expects management to escalate, and what outcomes it considers unacceptable, in language an auditor or regulator could assess.

Reporting that measures activity, not outcomes

Boards regularly receive dashboards showing the number of patches applied and phishing tests run. Very few receive reporting that answers the question ASIC and the courts will ask after an incident: what was the board's reasonable basis for concluding that its controls were operating effectively?

No documented assurance over supplier cyber risk

The supply chain requirement in Version 2 is not satisfied by a procurement policy. The board needs to understand which suppliers are material, what assurance has been obtained over their security posture, and how that is reviewed.

Incident response plans that have never been tested at board level

An untested plan is not a plan; it is a document. The Principles expect boards to ensure that incident response plans are exercised, including scenarios that test board-level decision-making under pressure.

The Regulatory and Legal Context

The AICD Principles are a voluntary framework, but they function as the practical standard against which board conduct will be measured when things go wrong. ASIC has signalled clearly that it will assess whether directors exercised reasonable care and diligence in overseeing cyber risk. Average self-reported cybercrime costs for large Australian businesses reached $202,700 in the most recent ASD Cyber Threat Report, a 219 per cent increase in a single year.

From Framework to Defensible Governance

The Andrew Roberts Advisory Cyber Governance Deep Review assesses your board's governance position against the AICD Cyber Security Governance Principles (Version 2), ASIC director duty obligations, and the ASD's 2025–26 board cyber priorities.

About the author

Andrew Roberts

Andrew Roberts is an independent board-level advisor on cyber and AI governance. He is a Member of the Australian Institute of Company Directors (MAICD) and a Senior Member of the Australian Computer Society (CP Cyber). He has held directorships on ASX-listed entities and brings direct board-level accountability experience to every review.