The hook
I have watched the regulatory tide turn three times in 30 years. This is the fastest one. ASIC has filed against directors. APRA has put cyber on its enforcement priority list. The OAIC now has the budget and the appetite to chase. And Privacy Act reforms have raised the maximum penalty to the greater of fifty million dollars or 30 per cent of adjusted turnover. That is not a typo.
The era of accepting "medium residual risk" and hoping no one looked too hard is over.
What this talk is about
This keynote walks the audience through the Australian regulatory landscape as it actually stands today, not the seminar version. Real cases. Real findings. Real director exposure. And the practical roadmap from "acceptable risk" to "defensible position".
I cover the ASIC v RI Advice judgment that established cyber as a director duty, the Optus and Medibank regulator response, the AustralianSuper and Latitude follow-on, the OAIC representative complaint regime, and where the next wave is landing. SOCI Act amendments. Critical infrastructure controls. APRA CPS 230 operational resilience. Sector-specific licence conditions. The threads tie together into a single picture every director needs.
The talk is not a legal seminar. I am not a lawyer and I do not pretend to be. I am the person who sits between the lawyers and the technologists and translates one to the other so the board can act. That is what the audience gets. A picture clear enough to move on, with the questions to ask and the controls to demand before the next risk committee.
What the audience walks away with
- The recent enforcement actions, what the regulators actually found, and why directors should be concerned about the precedent.
- Privacy Act reforms, SOCI obligations, APRA CPS 230, and the converging regulatory expectations on boards.
- What "personal director liability" now means in cyber, with a clear read of the case law.
- The defensible-position checklist: documentation, controls, oversight, and reporting that holds up under scrutiny.
- A 90-day plan boards can task management with on Monday.
Who this talk is for
Financial services and APRA-regulated entities. CPS 230, CPS 234, and the operational resilience regime. The keynote shows how the regulatory expectations interlock and where current practice is failing the test.
Critical infrastructure. SOCI Act risk management programs, mandatory reporting, ASIO engagement, and the standards being set in Canberra. What the next inspection actually checks.
Director institutes and legal forums. A non-lawyer's translation of the case law and enforcement posture into language a board uses to set strategy, not just defend a deposition.
Format options
- 45-minute conference keynote
- 60-minute keynote with audience Q&A
- 30-minute board briefing in camera
- Half-day workshop on regulatory exposure mapping and remediation planning
The question I get asked every time
"How exposed am I, personally, today?" The answer depends on what is in your board minutes, what your CISO has flagged, and what your management has told you. None of those are abstract. The keynote gives directors the framework to answer that question for their own organisation, before someone else does it for them.
Why this keynote lands in 2026
The regulatory landscape moved faster in the last 18 months than it had in the previous decade. ASIC v RI Advice put cyber on every Australian director's duty list. The OAIC is bedding in the new representative complaint regime. APRA CPS 230 took effect. Critical Infrastructure obligations expanded. Privacy Act tier-2 and tier-3 penalties came online. None of that is theory. All of it is enforceable now.
The keynote is calibrated for the audience that is running through the regulatory implications and finding three or four threads it has not yet pulled together. The talk pulls them together. Directors leave with a single, coherent picture of where the exposure sits and what the defensible position looks like.
I work hard not to be the doom merchant in this talk. The regulators are doing their job. The board's job is to govern. The keynote is about getting the governance to a place where the regulator is not the first body to find the gap. That is achievable. The talk maps the path.
What I bring to the stage
30 years inside the regulatory conversation in Australia. Former Big Four advisory partner advising on board cyber duty. Former CISO operating under APRA, ASIC, and OAIC scrutiny. Author of the AI safety research that drew regulatory and international media attention in early 2026. Translator between the lawyers and the technologists at the level the board needs.
The accepted-risk paper trail
Most boards do not realise they have already accepted the risks the regulator is about to come asking about. It sits in board papers from 2022 and 2023. A risk register entry rated medium. A treatment plan deferred for budget. A vendor assessment marked complete on the strength of a SOC 2 report nobody read. That paper trail is exactly what regulators look at when something goes wrong.
I take directors through the questions ASIC, APRA, and OAIC are asking right now, what good answers look like, and how to recover from a paper trail that does not flatter the board. The honest news: regulators do not expect perfection. They expect evidence of genuine inquiry and genuine action. This keynote is how you build it.