Cybersecurity at a Crossroads: The Boardroom Wake-Up Call We Can’t Ignore


It’s been another major news week in Australia—and one that should send shivers down the spine of every board director in the country.

The recent cybersecurity breach impacting major superannuation funds, including AustralianSuper, has revealed a deeply concerning vulnerability at the heart of our financial ecosystem. We’re not just talking about data breaches anymore. Funds were targeted. Assets were at risk. Real money—hard-earned retirement savings—was exposed.

This is not a drill. It’s not theoretical. And it’s no longer something boards can afford to treat as a future problem.

“We understand some accounts have been impacted by unauthorised access attempts… We’re treating this matter extremely seriously.” — AustralianSuper spokesperson, as reported in the Sydney Morning Herald, April 2025

The Alarming Trend No One Can Ignore

Cybersecurity professionals—CISOs, CTOs, IT managers—are sending me distress signals. Many are working in under-resourced teams, fighting for budget increases, battling internal bureaucracy, and burning out from the sheer weight of responsibility.

In the higher education sector, I’ve heard from cybersecurity leaders who are the only person in charge of protecting thousands of sensitive student and research records—barely scraping by on constrained budgets. In financial services, the story is similar: teams spread too thin, risks growing faster than the capacity to respond.

And now, even well-resourced super funds—organisations that should be leading the charge on cybersecurity maturity—have been breached.

What the Board Needs to Understand—Now

As someone who works closely with board members, C-suite leaders, and advisory committees, I’m urging you to put this topic back on your agenda. Not next quarter. Not after the audit. Now.

The Australian Institute of Company Directors (AICD) has previously emphasised this point:

“Cyber security is no longer just an IT issue. It is a board-level priority requiring active oversight and understanding from directors.” — AICD, Cyber Security Governance Principles

Yet the gap between awareness and action remains dangerously wide.

What I’m hearing behind closed doors is deeply concerning:

  • Firms downplaying known vulnerabilities
  • Boards refusing budget requests
  • Decision-makers deferring action to protect reputation

These behaviours are no longer sustainable. When the next breach occurs—and it will—directors will be asked: “What did you know? What did you do about it?”

And increasingly, those answers are going to be tested in legal, financial, and public arenas.

We Are on the Brink of a Cyber Pandemic

The Australian Cyber Security Centre (ACSC) has warned of a “deteriorating threat environment”, with cybercriminals becoming more sophisticated and targeting institutions where the payoff is high and the defences are low.

We are fast approaching what I believe is a cyber pandemic—a systemic breakdown that could affect not just one institution, but multiple sectors simultaneously. If the events of last week are anything to go by, we may already be on the edge.

What Directors Must Do Next

Here’s what I believe every board must action immediately:

  • Reopen the Cybersecurity Discussion: Even if it’s been reviewed before—ask again: Where are we vulnerable? Have our risk assessments been updated? What has changed?
  • Demand an Independent Audit: Get a third-party expert to review your security posture. Don’t rely solely on internal reporting.
  • Allocate Appropriate Budget: Good cyber governance is an investment in your organisation’s continuity and reputation. Treat it accordingly.
  • Bring the Right Expertise into the Boardroom: Whether that’s a cyber-specialist director or an external advisor, you need people who understand the threat landscape in real time.
  • Lead with Transparency: If something does go wrong, your best defence is to show you took every reasonable step to prevent it—and that requires clear documentation and open governance.


Final Thoughts

We’re living in a time where trust is currency, and cyber breaches can bankrupt it overnight. Board directors must step up—not as spectators but as stewards of their organisations’ digital and financial safety.

The time for passive oversight is over. This is a call to action. Don’t wait for the headlines to name your organisation next.
