The Australian Signals Directorate (ASD) and the AICD have collaborated on cyber security governance guidance tailored to the current cyber threat environment. This publication assists a board to ask informed questions of management about how the organisation is addressing key cyber controls, given current and emerging threats.
A volatile and evolving threat landscape
The recent annual ASD Cyber Threat Report paints a picture of a cyber threat environment that is constantly changing. New and evolving threats are posing significant risks to all sizes and types of Australian organisations.
The report highlights that the threat from cybercrime continues to challenge Australia’s economic and social prosperity, with average reported financial losses, the frequency of ransomware attacks and the number of reported data breaches all increasing in 2024–25. The average self-reported cost of cybercrime for businesses rose by 50 per cent to $80,850. Medium-sized businesses reported a 55 per cent increase (to $97,200) and large businesses saw a 219 per cent jump (to $202,700).
The ASD calls particular attention to the risks faced by critical infrastructure owners and operators. The ASD informed these entities of potential malicious cyber activity impacting their networks over 190 times during the period – up 111 per cent from the previous year. Critical infrastructure is an attractive target for state-sponsored actors, cyber criminals and hacktivists, due to large sensitive data holdings and the critical services that support Australia’s economy.
ASD – AICD governance guidance
The ASD and AICD have collaborated on targeted, point-in-time guidance, Cyber Security Priorities for Boards in 2025-26.
Boards play a key role in overseeing the cyber resilience and digital risks of their organisations, including engaging with management on how the organisation is responding to current threats. This publication will help directors ask informed threshold questions in four priority areas, to test the organisation’s resilience in the current threat environment.
The publication provides supplementary technical questions to help directors to understand in greater detail the cyber security controls in place within organisations. These questions may assist directors on risk or technology committees to engage senior management in discussion about key controls.
The four priority areas, informed by ASD intelligence and reflected in the Cyber Threat Report, are event logging and threat detection, management of legacy IT assets, cyber supply chain controls and preparation for a post-quantum cryptography environment.
For example, on oversight of the cyber supply chain, the publication prompts a board to ask the threshold governance questions:
- Have we categorised suppliers by criticality and risk exposure?
- Have we assessed suppliers’ cyber security posture using assessments or certifications?
The guidance then sets out supplementary technical questions:
- Do we limit supplier access to only necessary systems and data?
- Do we implement cyber security measures, such as network segmentation and multi-factor authentication, for supplier access to our systems?
- Do we monitor and log supplier access to our systems?
The publication foreshadows the development of quantum computing and post-quantum cryptography, and the impact this may have on how data and communications are secured. It signals that if quantum computing develops as expected, it will render contemporary cryptography insecure. Accordingly, the publication sets out questions for boards to discuss with management to assess how quantum computing could affect the organisation’s cyber security posture and existing cryptographic controls.
The ASD and AICD recognise that for the boards of many organisations, particularly SMEs and NFPs, it may not be possible to follow all advice in the publication. However, the advice enables any board to ask questions to better understand their organisation’s existing cyber security posture and identify areas for improvement.
Foundational AICD cyber and data publications
We encourage directors to read this new ASD–AICD guidance in conjunction with existing AICD cyber and data publications. While the new guidance responds to the current threat environment, these more in-depth publications provide guidance on the foundational elements of effective cyber governance and resilience.
While the ASD–AICD publication has a section dedicated to supply chain risk, the publications Cyber Security Governance Principles (in partnership with the CSCRC) and, separately, Data Governance Foundations for Boards (in partnership with Allens and MBS) comprehensively cover better-practice oversight of key digital suppliers, complementing the new guidance. For instance, a key message is that the board should have visibility, via a map or stocktake, of the key third-party partners who support the organisation’s critical data and digital assets, including the providers’ locations and their interdependencies with other IT systems and infrastructure.
Governing Through a Cyber Crisis (in partnership with Ashurst and the CSCRC) stresses the importance of all organisations having a comprehensive and up-to-date response plan with the board participating in simulation exercises to test the plan with management. The new ASD and AICD guidance complements this message by conveying that boards should be asking whether key supplier responsibilities are reflected in the organisation’s response plan and what communication protocols exist with key suppliers during a critical incident.
The AICD is committed to updating our cyber security and data governance suite of resources as technology and cyber threats evolve in the future.