AICD managing director and CEO Mark Rigotti calls for boards to be better prepared for cyber incidents and to be aware of the potential scale of the issue.
Directors have a significant role to play in developing policy on cyber. They are at the apex of the companies being threatened. They are involved in an organisation’s readiness for an incident, its response, recovery and remediation, explained Mark Rigotti in conversation with Herbert Smith Freehills (HSF) partner Cameron Whittfield in a recent Cross Examining Cyber podcast.
Lawyers in the boardroom
Whittfield posed the following question: “What does a good lawyer look like in the boardroom when a cyber incident is occurring at full speed — with maximum ambiguity, huge risk and action required immediately?”
In the moment of crisis, the board needs a lawyer who can think through the legal issues, but also balance the commercial and the communications issues, replied Rigotti.
“A good lawyer can get the legal advice — and the level of risk around not following it — and can help bring into the decision-making process all the non-legal factors the board needs to weigh before deciding what direction to take.”
In the most recent AICD Director Sentiment Index for H1 2025, cyber threats were listed as the third-biggest concern keeping directors awake at night.
“The DSI result is broadly reflective of people starting to understand this is a key board function and a key management function,” said Rigotti. “We can’t outsource it. We’ve got to get educated on it.”
Speaking CISO
The difficulty for the chief information security officer (CISO) can be in communicating with the board. The CISO might report the company is looking good and ranking about a six out of 10. They will have spent countless hours getting the company to that level of compliance, readiness and protection.
“If I’m on the board, I’ll say to you, ‘What will it cost to get to seven and then to eight — and how quickly can we do it?’” said Rigotti. “Be that director saying, ‘What’s next?’”
While boards might delegate incident response to a cyber committee, the full board needs to be across threat readiness. “Five years ago, cyber was seen as the responsibility of the technology department,” said Rigotti. “Those days are gone. Cyber is actually the responsibility of the whole organisation — from the CEO down and the whole board.”
The scale of threat
In FY2023–24, the Australian Signals Directorate received more than 36,700 calls to its Australian Cybersecurity Hotline, an increase of 12 per cent from the previous financial year.
1. Average self-reported cost of cybercrime per report for businesses, down eight per cent overall
- Small business: $49,600 (up eight per cent)
- Medium business: $62,800 (down 35 per cent)
- Large business: $63,600 (down 11 per cent)
2. Top three self-reported cybercrime types for business
- Email compromise (20 per cent)
- Online banking fraud (13 per cent)
- Business email compromise fraud (13 per cent)
3. Eleven per cent of all incidents responded to included ransomware, a three per cent increase from last year
Source: Annual Cyber Threat Report 2023-24, published November 2024 by the Australian Cyber Security Centre.
Lean in
One of the real challenges for directors is how far to lean in: are they treading on management’s toes? Differing opinions among board members about the importance of the issue can corrode trust, said Rigotti. While some directors recognise the need to discuss and prepare, others can’t wait to get back to discussing the “real business” on the agenda.
“If you’ve got those different perspectives running around the room, that is a very divisive culture. You’ve got to create an environment where it’s safe for everyone to contribute to the debate. You’ve got to remove the jargon — and you need a pretty good chair to work out when you go deep and when you pull up.”
Supply chain risk
Supply chain and third-party risk are also a growing concern for organisations. Companies can make themselves as cyber-threat-ready as possible, but without knowing the key components in their supply chain, they can still be penetrated, creating disruption and a continuity risk.
“You want a robust, resilient supply chain, and that might not be the cheapest or it might mean a degree of collaboration with your suppliers,” said Rigotti. “There are many ways you could respond. I’m seeing more and more directors thinking about that, probably as they start to feel they’ve done as much as they can, but then, thinking through a risk management lens, asking where is the next risk to them in respect of cyber?”
Evolving education
Against a background of changing questions from boards, the AICD has built cyber into the foundations of the Company Directors Course.
“There’s a module in it and case studies about it,” said Rigotti. “Learners get exposed to it right at that early stage. It’s not like you learn to be a director then you learn about cyber. It’s actually when you’re learning to be a director that includes cyber.”
There are also short courses available for people who want education more focused on cyber governance than cyber itself.
The need for reference materials, checklists or practical aids people can use has been immense, said Rigotti. “For directors on an NFP or an SME, which don’t have a CISO, we found some of the checklists and principles we’ve produced have had huge downloads. The Cyber Governance Principles has had over 25,000 downloads.”
Before joining the AICD as managing director and CEO in 2022, Mark Rigotti served as HSF global CEO for two terms over the course of 2014–20, leading a number of practice groups, including the banking and finance group and the HSF corporate group.
Practice resources — supporting good governance
AICD’s contemporary governance practice resources for members:
- Cyber Governance Principles: Version 2
- The Board’s Role in Cyber
- Cyber security handbook for small business and NFP directors