SME Manufacturing Directors Personally Liable: Fines and Gaol Time for Cyber Negligence
With the manufacturing industry under siege from an unprecedented wave of cyberattacks, the need for robust cybersecurity measures has become urgent. Now there is an even more compelling reason for action: directors of companies generating over $3 million in revenue are personally at risk of severe penalties, including gaol time, for failing to adequately protect their business from cyber threats.
The Australian Securities and Investments Commission (ASIC) has made it clear that businesses must be prepared for the ever-rising risk of cybercrime. According to ASIC Chairman Joe Longo, “cyber resilience has got to be a top priority.” He warns against placing too much trust in third-party IT providers, emphasising that the responsibility for cybersecurity ultimately rests with the directors.
ASIC’s mandate is unequivocal: companies that fail to take reasonable steps or make cybersecurity investments proportionate to their risks will face hefty fines. Businesses could be fined up to $50 million, while individual directors could face fines up to $2.5 million, revocation of directors' rights, or even imprisonment for gross negligence. Furthermore, shareholders now have the power to sue individual directors for negligence, adding another layer of personal risk.
A Better Than Good Chance a Hack Will Happen to You
Manufacturers are particularly vulnerable to cyberattacks. According to IBM’s X-Force Threat Intelligence Report, the manufacturing industry has been the most-attacked for three consecutive years, accounting for over 25% of security incidents last year. These attacks often involve ransomware, which can halt production and lead to significant financial losses. Data from Statista shows that the average downtime per attack is 24 days, with IBM research indicating that 34% of manufacturers paid significant ransoms to mitigate these attacks.
Consider the impact: in December 2023, two Australian manufacturing businesses, Yakult Australia and Decina, were hit with ransomware attacks. These attacks brought production to a standstill, compromised company financials, and exposed sensitive employee data. This included employee passports, driver’s licences, medical assessments, employment certifications, salary information, and performance reviews. Unlike credit cards, identities cannot be reissued, making this type of data extremely valuable to hackers and highly damaging to the individuals affected.
Apathy towards cybersecurity and a low tolerance for downtime mean that SME manufacturing businesses are high-quality targets for cybercriminals, despite the common misconception among manufacturing leaders that they have nothing worth protecting. The notion that manufacturing firms are not "information businesses" and are thus immune to cyber threats is a dangerous fallacy. The reality is that every business holds valuable data, particularly identity information, which is increasingly targeted by cybercriminals.
Ignoring cybersecurity is not an option. The financial, legal, and reputational cost can be crippling. The average cost of a data breach for organisations with fewer than 500 employees is approximately $5 million, encompassing detection, recovery, legal fees, reputational damage and direct financial losses. For SME manufacturers, these costs can be particularly devastating, draining vital resources and potentially threatening the survival of the business.
Manufacturing SMEs must recognise that cybersecurity is not just an IT issue but a critical boardroom priority. The stakes are incredibly high, and the consequences of inaction could be catastrophic. Directors must take a proactive role in safeguarding their organisations, starting with a thorough understanding of the specific cyber risks they face. This includes actively managing these risks, ensuring robust cybersecurity policies are in place, and making informed investments in the right technologies and practices. Compliance with regulatory requirements is not optional; it is a fundamental responsibility that cannot be delegated, outsourced, or insured away. As a director, your personal and professional reputation, as well as the survival of your business, is on the line. The time to act is now, before a cyberattack forces your hand.
If you’d like help with your security strategy, you might want to consider my CyberSecurity for Manufacturers Workshop. This workshop is specifically designed to not only bring directors and CEOs up to speed on the cyber threats their organisations face but also to equip them to make informed, risk-based decisions about where and how to invest. Every company will walk away with a tailored cybersecurity plan, backed by the Australian Cyber Security Centre, including simple 'now, next, later' steps to lift their cyber posture. Together, we can build a resilient manufacturing industry equipped to face the challenges of the digital age.