This trend was backed up by other data, which may signal cyber fatigue at the board level. For example, 32% of respondents did not believe their board had a clear understanding of the delineation between board and management roles and responsibilities during incident response. This may indicate that boards are not being familiarised with cyber incident response plans (CIRP), or that CIRPs do not clearly articulate ‘who owns what’ in the event of a cyber incident.
This dynamic may also be exacerbated by lack of exposure and upskilling via simulations: only 36% of boards participated in a cyber simulation in the past 12 months, and 18% have never participated in a simulation.
Courts and regulators expect boards to play a critical, but limited, role in incident response. One key decision usually reserved for the board is the decision to pay, or not to pay, a ransom demand. This decision requires directors to engage with a complex set of considerations, including an assessment based on directors’ duties, reputational matters and the legality of payment.
Despite this, the survey found only 33% of boards have a ransom payment decision-making framework, and 33% of boards have not formed a view as to whether they would be open to paying a ransom. This latter statistic has not meaningfully shifted in the last 12 months (36% in 2024) and leaves us with a recurring problem: discussions in relation to payment may occur for the first time when an incident actually hits. We believe that many of these considerations can (and should) be addressed prior to any extortion demand.
These results also suggest that boards may not possess the necessary agility to respond effectively to a cyber ransom demand while acting consistently with their duties, noting that threat actors typically do not afford their victims much time to deliberate.
Importantly, organisations with an annual turnover of greater than $3 million (and many SOCI Act-regulated entities) are now required to report payment of a ransom in connection with a cyber security incident within 72 hours under the Cyber Security Act 2024.
There is also a possibility that cyber security has dropped in priority for boards amid an environment of competing demands. This plays out, for example, in the Australian Institute of Company Directors’ Director Sentiment Index for H1 2025: after holding the top spot for several years, cyber security dropped to third in order of priority.
Pugsley believes cyber risk is still a top concern for boards, with the shift in risk prioritisation reflecting the fact organisations are embedding cyber as a standard risk type. She observed: “Cyber risk isn’t going anywhere – it’s here to stay. Boards are focusing on cyber reporting cadence and what effective cyber reporting looks like, while recognising the threat landscape and organisational risk will continue to change. For boards, cyber risk management has to be in your DNA”.
Carolyn Pugsley, Partner
Cyber reporting was traditionally the domain of the CISO. However, as observed by Whittfield, siloed reporting can result in boards being presented with “vanity metrics” and not getting the “full organisational picture”. “Who’s marking the marker? One thing we are seeing when an organisation comes to us and asks, ‘what does good board cyber reporting look like?’, is the need to look beyond the CISO report. How is the whole organisation considering and managing cyber risk? Each division of the business needs to ‘own’ cyber risk management in their area of responsibility,” Whittfield said.
Pugsley notes that boards want to see the right combination of stakeholders engaged around cyber as a risk area, and to know how those people and teams are working together to manage and mitigate risk.
“We’ve also moved beyond Board reports that are just a list of actions that have been taken since the last update. Good reporting draws out how the threat is changing, how well the business is (or isn’t) prepared, how cyber preparedness intersects with other risks and opportunities and what further actions are recommended. Fitting all of this into a punchy, digestible report is not easy, but directionally we are seeing a desire for and a shift toward more mature Board reporting,” she said.
Mark Rigotti, CEO, AICD
from Cross Examining Cyber: Conversations on Cyber Law, Episode 16
© Herbert Smith Freehills Kramer 2026