Fines and jail time for directors: ASIC increasing pressure on SME manufacturers to take cybersecurity seriously

With the manufacturing industry under siege from an unprecedented wave of cyberattacks, the need for robust cybersecurity measures has become urgent. Now there is an even more compelling reason for action: directors of companies generating over $3 million in revenue are personally at risk of severe penalties, including jail time, for failing to adequately protect their business from cyber threats.

The Australian Securities and Investments Commission (ASIC) has made it clear that businesses must be prepared for the ever-rising risk of cybercrime. According to ASIC Chairman Joe Longo, “cyber resilience has got to be a top priority.” He warns against placing too much trust in third-party IT providers, emphasising that responsibility for cybersecurity ultimately rests with the directors, not with whoever runs the systems on their behalf.

ASIC’s mandate is unequivocal: companies that fail to take reasonable steps, or that do not invest in cybersecurity in proportion to their risks, will face hefty fines. Businesses could be fined up to $50 million, while individual directors could face fines of up to $2.5 million, disqualification from acting as a director, or even imprisonment for gross negligence. Furthermore, shareholders now have the power to sue individual directors for negligence, adding another layer of personal risk.

A Better Than Good Chance a Hack Will Happen to You

Manufacturers are particularly vulnerable to cyberattacks. According to IBM’s X-Force Threat Intelligence Report, the manufacturing industry has been the most-attacked for three consecutive years, accounting for over 25% of security incidents last year. These attacks often involve ransomware, which can halt production and lead to significant financial losses. Data from Statista shows that the average downtime per attack is 24 days, with IBM research indicating that 34% of manufacturers paid significant ransoms to mitigate these attacks.

Consider the impact: In December 2023, two Australian manufacturing businesses, Yakult Australia and Decina, were hit with ransomware attacks. These attacks brought production to a standstill, compromised company financials, and exposed sensitive employee data, including employee passports, driver’s licences, medical assessments, employment certifications, salary information, and performance reviews. Unlike a credit card, a person’s identity cannot be cancelled and reissued, which makes this type of data extremely valuable to criminals and lastingly damaging to the individuals affected.

Apathy towards cybersecurity combined with a low tolerance for downtime makes SME manufacturing businesses attractive targets for cybercriminals, despite the common misconception among manufacturing leaders that they have nothing worth protecting. The notion that manufacturing firms are not “information businesses” and are therefore immune to cyber threats is a dangerous fallacy. The reality is that every business holds valuable data, particularly identity information, which is increasingly targeted by cybercriminals.

Ignoring cybersecurity is not an option. The financial, legal, and reputational cost can be crippling. The average cost of a data breach for organisations with fewer than 500 employees is approximately $5 million, encompassing detection, recovery, legal fees, reputational damage and direct financial losses. For SME manufacturers, these costs can be particularly devastating, draining vital resources and potentially threatening the survival of the business.

A Call to Action

To support SME manufacturers in navigating these complexities, AMGC member Shane Williams offers cybersecurity workshops designed specifically for directors and business owners who are not technologists. The workshop will demystify the complexities of cybersecurity and provide you with a straightforward approach to enhancing your digital safety. You’ll also receive a custom report that includes a tailored roadmap of clear, actionable steps to help you strengthen your digital defences efficiently, ensuring your business is well-protected against online threats.

Manufacturing SMEs must recognise that cybersecurity is not just an IT issue but a critical boardroom priority. Directors need to take a proactive role in safeguarding their organisations. This involves understanding the risks, actively managing them, and ensuring compliance with regulatory requirements. Importantly, a director’s personal liability cannot be outsourced or insured away.

For more information and to register for these cybersecurity workshops, visit

Together, we can build a resilient manufacturing industry equipped to face the challenges of the digital age.