Directors Can Now Be Held Personally Liable for Cyber Security Failures

Recent ASIC and OAIC enforcement actions make it clear: “reasonable steps” is no longer optional. Here’s what you need to know.

What's Changed?

Australian regulators are no longer issuing warnings — they’re taking action.

  • Australian Clinical Labs (2024) – $5 million penalty for failing to protect 223,000 patient records. The breach was preventable.
  • FIIG Securities (2024) – $2.2 million penalty after exposing client data through poor access controls.
  • Fortnum Private Wealth (ongoing) – ASIC alleges the firm failed to implement “reasonable steps” to protect client information, despite knowing the risks.

The common thread? Governance failures, not just technical ones.

What Does "Reasonable Steps" Actually Mean?

Under the Privacy Act 1988 (and upcoming reforms), organisations must take reasonable steps to protect personal information.

Courts and regulators now expect:

  • Board-level oversight of cyber risk
  • Documented policies and regular reviews
  • Third-party risk management
  • Incident response plans that are tested
  • Evidence of action, not just intent

“Good intentions” won’t hold up under scrutiny.

IT Security ≠ Cyber Security Governance

Your IT team can secure the network. But governance sits with the Board.

IT Security = firewalls, patching, backups
Cyber Security Governance = risk appetite, accountability, reporting, third-party oversight, incident response

If your Board can’t answer these questions, you have a governance gap:

  • Who owns cyber risk?
  • How often is it reviewed?
  • What’s our response plan if something goes wrong?
  • Are our third parties compliant?

What Should Directors Be Doing?

  1. Treat cyber security as a Board-level risk. It is not an IT issue; it is a governance, legal, and reputational one.
  2. Document your “reasonable steps”. Policies, reviews, training, third-party assessments — all must be evidenced.
  3. Understand your third-party exposure. Most breaches involve vendors. Do you know their security posture?
  4. Test your incident response plan. If you don’t have one, or haven’t tested it, you’re exposed.
  5. Get independent assurance. Self-assessment is a start. Independent validation is what regulators expect.

Cyber Security Posture

Not sure where you stand?

Take our 5-minute Cyber Security Executive Health Check – designed specifically for Directors and senior leaders.

You’ll get:

  • A confidential snapshot of your governance posture
  • A clear view of where regulatory risk sits
  • Practical next steps you can action immediately

Or book a free confidential 20-minute discussion with one of our vCISOs to discuss your current governance structure and how to demonstrate “reasonable steps” to regulators.
