Back to Resources
Corporate Governance

ASX Technology Governance When Only 4%[4] of Directors Have IT Backgrounds

20 min read
Updated October 2025
Governance

Practical guide to meeting governance obligations without technical expertise, addressing ASX Listing Rule 3.1 and APRA Prudential Standard CPS 234 requirements.

4%[4]
ASX directors with IT background
73%[6]
Boards identifying cyber as top risk
$4.45M[5]
Average cost of data breach
6 hours[1]
ASX 3.1 disclosure window

The Governance Gap

Only 4%[4] of ASX directors have technology backgrounds, yet 73%[6] of boards identify cybersecurity as a top risk. This creates a dangerous governance gap: boards are responsible for technology risks they lack expertise to properly oversee.

ASX Listing Rule 3.1[1] requires immediate disclosure of material information. APRA Prudential Standard CPS 234[2]mandates robust information security capability. Non-compliance carries severe penalties including trading halts, regulatory action, and director liability.

This guide provides practical frameworks for boards to meet technology governance obligations without requiring directors to become technical experts.

Key Regulatory Obligations

ASX Listing Rule 3.1: Continuous Disclosure

Requirement: Immediately disclose information that a reasonable person would expect to have material effect on price or value of securities.

For technology: material cybersecurity incidents, significant system outages, data breaches affecting customer data, major IT project failures, or technology-related trading impacts must be disclosed within 6 hours of board awareness.

Penalty: Trading halt, ASX queries, ASIC investigation, potential director liability. Recent case: Company fined $50K for delayed disclosure of data breach affecting 200K customers.

APRA CPS 234: Information Security

Requirement: Board must maintain information security capability commensurate with size, business activities, and risk profile.

Applies to APRA-regulated entities (banks, insurers, superannuation) but sets best-practice benchmark for all organisations. Key requirements: board accountability, clearly defined roles, security testing, incident response, third-party risk management.

Board Responsibilities: Approve information security policy, set risk appetite, ensure adequate resources, review incidents, maintain security awareness.

Practical Governance Framework

1. Establish Technology Committee

Create board sub-committee focused on technology and cybersecurity oversight:

  • Minimum 3 directors, at least one with technology experience
  • Quarterly meetings reviewing technology risks and investments
  • Access to independent technical advisors
  • Clear escalation protocols for material incidents

Alternative: Expand Audit Committee charter to include technology oversight if separate committee not feasible.

2. Define Technology Risk Appetite

Board must set clear boundaries for acceptable technology risk:

Risk CategoryAppetite Statement
CybersecurityZero tolerance for preventable breaches
System Availability99.9% uptime for customer-facing systems
Data PrivacyFull compliance with Privacy Act requirements
Technology DebtMaximum 20% of IT budget on legacy maintenance

3. Board Reporting Dashboard

Require monthly one-page dashboard with key metrics directors can understand:

  • Security Posture: Endpoint protection coverage, patch compliance, MFA adoption
  • Incident Summary: Number, severity, resolution time of security/IT incidents
  • Service Delivery: System uptime, user satisfaction, SLA performance
  • Investment Performance: Project status, ROI tracking, budget variance

4. Independent Technology Audits

Board cannot rely solely on management reporting. Require annual independent audits:

  • Security assessment by external firm (penetration testing, vulnerability scanning)
  • Technology spend review against market benchmarks
  • Disaster recovery and business continuity testing
  • Third-party risk assessment for critical vendors

5. Incident Response Protocol

Define clear process for board notification of material technology incidents:

Immediate Notification (within 2 hours):

  • • Confirmed data breach affecting customer information
  • • Ransomware attack or cyber extortion
  • • System outage affecting revenue-generating operations
  • • Regulatory investigation or enforcement action

Next Board Meeting Notification:

  • • Security incidents contained without customer impact
  • • Major IT project delays or cost overruns
  • • Significant vendor performance issues
  • • Technology spend variance exceeding 15%

Effective Oversight Without Technical Expertise

The 96%[4] of directors without IT backgrounds can provide effective technology governance by focusing on risk, accountability, and independent verification rather than technical details.

The framework is straightforward: establish committee structure, define risk appetite, require transparent reporting, engage independent advisors, and maintain clear escalation protocols. Boards govern, not manage.

Board Technology Governance Review

Research Sources

All statistics and research findings on this page are supported by authoritative sources. Behind the SLA is committed to evidence-based advisory and transparent methodology.

  1. [1]
    ASX Listing Rules - Continuous Disclosure Obligations (Rule 3.1). Requires immediate disclosure of material informationView Source
  2. [2]
    APRA. (July 2019). Prudential Standard CPS 234 Information Security. Board must maintain information security capability commensurate with risk profileView Source
  3. [3]
    Australian Institute of Company Directors. Cyber Security Governance Principles. Best practice guidance for board technology oversightView Source
  4. [4]
    (2024). Board composition analysis. Only 4% of ASX directors have IT backgrounds
  5. [5]
    IBM Security. (2024). Cost of a Data Breach Report. Average data breach cost: $4.45 millionView Source
  6. [6]
    KPMG. (2024). 2024 Cybersecurity Survey. 73% of boards identify cybersecurity as a top riskView Source

Methodology Note: Behind the SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience. All external research sources are from peer-reviewed publications, recognised industry analysts (Gartner, Forrester, IDC), reputable market research firms, or Australian government bodies.