ASD and AICD outline cyber security priorities for boards in 2025-26

By Jason Pollock on Oct 31, 2025 2:37PM

The Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) have outlined what they deem to be cyber security priorities for boards in 2025-26.

The advice from the two organisations focuses on two key areas: understanding whether technology used or provided to customers is secure by design and secure by default; and prioritising the defence of an organisation’s most critical assets.

The ASD and AICD said boards should understand whether there is an enterprise-wide approach to event logging and threat detection. In implementing cyber security measures, including event logging and threat detection measures, boards should have visibility of shared responsibilities between service providers and their organisation.

Boards were also advised to have oversight of how cyber security risk is managed in the cyber supply chain.

For Australian Prudential Regulation Authority-regulated entities, there are specific obligations set out in prudential standards on the oversight of suppliers, and the Security of Critical Infrastructure Act 2018 has obligations that extend across various participants in the critical asset supply chain.

"Cyber supply chain risk management should form a significant component of your organisation’s overall cyber security strategy," the organisations said.

Boards were told that they should be aware that in the near future, cryptographically relevant quantum computers will render most contemporary cryptography insecure. This will result in existing secure communications based on current cryptography technology becoming vulnerable to compromise.

As the creation of a cryptographically relevant quantum computer presents new cyber security risks, boards should oversee steps to anticipate future business requirements and dependencies for vulnerable systems during the transition period to post-quantum cryptography standards.

The joint publication also provides questions boards can ask of management and their organisation to better understand its cyber security posture.

The questions are divided into two categories: threshold governance questions that assist in determining the cyber security posture of organisations, given the 2025-26 cyber threat environment; and supplementary technical questions to understand in greater detail the cyber security controls in place within organisations.

These questions may assist directors of a risk or technology committee to engage on key controls with senior management.

Copyright © nextmedia Pty Ltd. All rights reserved.