GCs must play a stronger role in managing cyber security risk. Recent court decisions reinforce that cyber security is no longer purely a technical matter for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). This is increasingly relevant due to heightened geopolitical risk. Data from Akamai suggests that Iran and Iranian-aligned malicious cyber activity increased by 245% after the start of hostilities in February. Some of this activity targets the most significant strategic risk – operational technology.
Courts increasingly assess cyber failures through a governance lens, including:
- what management knew
- whether the risk was properly escalated
- whether the organisation had the controls, oversight and resourcing expected in the circumstances.
This is particularly important for energy, resources and infrastructure businesses operating in the heightened geopolitical threat environment, including those within the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) regime. The direction of travel under the SOCI Act is clear. Jill Slay’s independent review, the Government’s response, and current consultations on Critical Infrastructure Risk Management Program (CIRMP) enhancements and Part 3 intervention powers all point to more mature, evidence-based governance of cyber, operational resilience and supply chain risk.
ASIO has confirmed that authoritarian regimes are already probing Australian critical infrastructure networks to map systems and maintain access for future use. They are pre-positioning for disruptive effects in Australia. On 7 April 2026, the FBI issued a cyber advisory detailing the exploitation of programmable logic controllers (PLCs) across US critical infrastructure by Iranian-affiliated threat actors. These are the same PLCs used by some Australian critical infrastructure and resources companies to control operational technology, such as water treatment, pump controls and mineral processing. While Australia is not currently assessed as a target, the risk implications are clear and there are steps we recommend our clients take now.
What GCs should do now
1. Revisit cyber escalation and board reporting
ASIC v Bekier is a reminder that cyber risk must be escalated as an enterprise risk. GCs should work with CIOs and CISOs to ensure there are clear triggers for escalating cyber issues, significant vulnerabilities, incidents and major third-party risks to the board.
2. Refresh SOCI governance settings
For SOCI-regulated assets, confirm that asset coverage, responsible entity obligations, CIRMP governance, reporting lines and assurance processes are current, documented and capable of being evidenced upon request. As a priority, assess any controls or risk mitigants that continue to operate under exceptions.
3. Test whether controls match the legal risk
Regulators and courts will look beyond policy documents to whether controls were designed to meet the legal requirements (including matching the risk and sophistication of the company). They will also assess control effectiveness, including implementation, maintenance and resourcing, particularly in legacy environments and after acquisitions.
4. Treat supply chain and FOCI risk as a legal governance issue
Supply chain exposure, including foreign ownership, control and influence (FOCI), now needs much closer attention. GCs should work with procurement, cyber and operations teams to assess critical suppliers, remote access arrangements, subcontracting chains and change-of-control risk, across the supplier lifecycle, including due diligence, onboarding, in-flight management and offboarding.
Preparing for incoming SOCI changes
5. Begin a gap assessment against the proposed reforms
Do not wait for the reforms to be finalised. The proposed CIRMP amendments and changes to Part 3 powers signal greater focus on supply chain mapping, FOCI, personnel security, outage tolerances and government intervention settings. GCs should now identify where governance processes, contracts, access models and incident response arrangements may need to change.
The central lesson is simple: in a critical infrastructure context, cyber risk is a governance issue first. GCs must ensure cyber risk is escalated, documented and managed accordingly.