Accountability for Cybersecurity in Australia—A Major Regulatory and Litigation Risk

There are showers, there are squalls, and there are storms. The growth in cybersecurity attacks in Australia, as in much of the world, is a storm and Australian companies need to batten down the hatches. In the period from 1 July 2019 to 30 June 2020 alone, the Australian Cyber Security Centre ("ACSC") responded to 2,266 cybersecurity incidents at a rate of almost six per day and the ACSC expects the true volume of malicious activity to be much higher. 

When you consider the continued increase in cybersecurity attacks in Australia, it is unsurprising that cybersecurity has become a key policy issue for the Australian Government and is considered critical to Australia’s national security, innovation and competitiveness. 

This Jones Day White Paper considers the rise of cybersecurity risk for Australian companies, the increasing importance of cybersecurity and cyber resilience from the perspective of the Australian Government policy agenda and Australian regulators, particularly in the financial sector, and the ways in which Australian companies and their individual directors and officers will be held to account for cybersecurity issues moving forward. The paper concludes by addressing the steps companies, and individual directors and officers, should be taking to ensure they are adequately prepared for a cybersecurity incident and to avoid the potential legal, financial and reputational costs to firms.

Read the full White Paper.


Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.