View all services
What’s keeping Directors awake at night? Cybercrime and data security number one

17 May 2023

What’s keeping Directors awake at night? Cybercrime and data security number one

When asked, ‘What’s keeping you awake at night?’ the number one issue cited by Directors is cybercrime and data security. According to recent research, more than 50% of directors cited cybercrime as their major concern, up from 37% to 50% on previous results, and nearly double the next most important issue cited - legal and regulatory compliance.

The level of concern is no surprise when you consider the weight of responsibility for ensuring their organisations adequately protect the security and privacy of the data they hold, and the subsequent wide ranging reputation damage and financial implications recent examples have shown that result across all stakeholder groups if this data is breached.

The Australian government has openly acknowledged that no one group alone can protect from cybercrime. The need for strong collaboration between government, industry and businesses to keep data safe has been made clear with the call from Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security, to ‘work as one team to build up the defences we need to protect our society and economy’.  Closely linked to this is the call for all organisations to accelerate actions to mitigate their risks and the introduction of new legislation to ensure this is a reality.

Most notable of these regulatory changes is the Federal Government’s Privacy Legislation Amendment (Enforcement and Other Measures) Bill passed in November 2022 increasing the maximum penalties for serious or repeated privacy breaches from a $2.22 million penalty to whichever is the greater of AUD$50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company's adjusted turnover in the relevant period.

Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.
           - Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security

Financial implications by stakeholder

The below highlights the reputational damage and financial implications that can result across all stakeholder groups in the event of a cyber attack.


  • Recent privacy legislation amendments have increased maximum penalties for serious or repeated privacy breaches. Companies now face penalties to the greater of $50 million, 3 times the value of any benefit obtained through the misuse of information, or 30 per cent of a company's adjusted turnover in the relevant period.
  • Regulators have warned, boards and directors will be made increasingly accountable through penalties (fines and disqualifications) for failing to disclose material cyber-attacks.


  • Once investors discover a company has been 'successfully' cyberattacked market value declines an average of 5% to 25% - sources vary by breach.
  • Downgrades in ratings following an attack, such as credit and ESG, can result in loss of capital.

Loss of current and prospective clients / customers means reduced revenue.

Reputation damage can force companies to have to pay higher to attract and retain talent.

Reputation damage can lead to loss of partnerships or higher supplier prices. In the case of insurance, increased premiums.

How can organisations minimise risk? 

Having the right partners in place is critical.

The most obvious partners are cyber tech specialists who can assist with bolstering technology capabilities by implementing essential mitigation strategies for cyber security. The Australian Cyber Security Centre (ACSC) has highlighted eight essential strategies as a baseline.

The role of communication, however, cannot be underestimated. One of the biggest lessons learned to date is that communication with stakeholders plays a vital role in mitigating reputational risk and complying with the regulatory requirements. Depending on the type and scale of the breach, it may only be a matter of hours in which you have to prepare a range of communication materials to respond to your many stakeholders. This is where solid preparation and the ability to tap into additional, specialist resources become crucial.

Our expert team supports organisations to communicate with stakeholders in a timely, clear and strategic manner, minimising reputational damage and aligning with regulatory requirements. We have unrivalled depth of expertise in managing issues and crises.

We support clients at every stage of the crisis management cycle from crisis preparation and prevention to response and recovery. We do this in partnership with experts across the technology and legal sectors to offer a one stop service. This includes partnering on penetration testing and assurance, threat detection and response, and tabletop simulations.

Our success is built on trusted relationships and professional excellence working with organisations across most sectors and of all sizes. Our work demands we handle sensitive information with integrity and are agile in our response.

If you would like to learn more about our services, you can request a call with our team by clicking here.

Cyber Services – everything you need

  • Crisis communications strategy
  • 24/7 Crisis incident support 
  • Crisis communications review and audit
  • Crisis simulation workshops
  • Media training, monitoring & management
  • Crisis & reputation research tools 
  • Market & shareholder communications
Download now
For further inquiries
Contact us
Contact us

Please complete this form to be contacted by a Morrow Sodali representative.