Cyber Resilience Isn’t a Line Item - It’s a Board Obligation
- Daniel Smith
- Nov 4
- 6 min read
Updated: Nov 4
Interpreting the ACSC’s 2025–26 Cyber Security Priorities for Directors through the lens of operational resilience and recoverability.

There was a time when cybersecurity lived deep in the IT basement, buried in patch reports, firewall logs, and budget line items that rarely reached the boardroom.
That era is over!
In a year defined by ransomware hearings, regulatory reforms, and insurer mandates, boards can no longer treat cyber resilience as a technical line item.
The Australian Cyber Security Centre (ACSC) and Australian Institute of Company Directors (AICD) have made the shift explicit in their Cyber Security Priorities for Boards of Directors 2025-26.
Directors are now expected to own cyber resilience, not simply endorse it.
This isn’t about approving bigger budgets.
It’s about asking sharper questions:
Can we recover from a breach?
Are our backups immutable?
Is our data sovereign?
And when - not if - an incident occurs, can we prove resilience instead of just claiming it?
These aren’t technical questions anymore.
They’re governance questions.
They go to the heart of fiduciary duty.
The Board’s New Reality - Accountability Without Excuses

Boards can no longer delegate cyber resilience to “the tech team.” Every director now shares legal and reputational exposure if the organisation can’t recover.
The ACSC guidance urges boards to verify that technology used is secure by design and secure by default.
That means understanding critical assets, supply-chain risk, and recovery capability.
Each director must now answer a single, deceptively simple question:
“If our systems failed tomorrow, could we get back up - and prove it?”
For many, that answer starts (and ends) with backup. But not all backups are equal.
Why Backup Has Become a Governance Control
This is where FullBackup focuses - helping Australian organisations verify their SaaS recoverability with independent, sovereign backup through Keepit.

In the cloud era, critical data has drifted beyond the data centre.
Email, identity, collaboration, CRM, contracts: most of it now lives in SaaS platforms like Microsoft 365, Salesforce, Google Workspace, Atlassian, DocuSign, and Zendesk.
These platforms guarantee uptime, not recoverability.
Under the shared responsibility model, if data is deleted, corrupted, or encrypted, the vendor’s duty is to keep the service running; restoring your records is your job, and native recycle-bin and retention windows are limited and were never designed as a backup.
That gap is where governance now lives.
Under APRA CPS 230, regulated entities must provide evidence of operational resilience and data recoverability. The Essential Eight makes a similar demand: Regular Backups is one of the eight strategies, and every maturity level requires backups to be retained, restoration to be tested, and backups to be protected from modification and deletion, with increasingly strict limits at levels 2 and 3 on which accounts (including privileged ones) can touch them.
Resilience isn’t a checkbox; it’s a verifiable, auditable, sovereign control.
From IT Control to Board Assurance
Backup used to be an IT checkbox: jobs ran, reports ticked green. Now it’s a board-level proof point.
Directors should be able to demonstrate that:
Data is stored independently of production systems.
Storage is immutable for the retention period - no deletions, no edits - enforced by the platform rather than by administrator permissions that an attacker holding stolen credentials could change.
Residency and handling align with the Australian Privacy Principles (APP 8 on cross-border disclosure and APP 11 on security), the SOCI Act, and CPS 230.
Restoration testing is regular and auditable.
Keepit provides that assurance.
It delivers a sovereign, immutable, audit-ready backup cloud, independent from production, protected against deletion, and verifiable across compliance frameworks.
That independence is what regulators mean by control effectiveness. Boards must now demonstrate it - not assume it.

The Four Board Priorities for 2025–26 - and What They Mean for Data Resilience
1. Secure-by-Design, Secure-by-Default
Built-in resilience is board-designed resilience.
Boards must insist that resilience is built in, not bolted on.
In SaaS ecosystems, recovery cannot rely on the same cloud that failed.
It must live independently - immutable by default, sovereign by design.
Think of it as the spare engine of the ship, not the life raft under the bed. When power fails, that’s what gets you home.
2. Defend Critical Assets - Assume Compromise
Knowing your crown jewels isn’t enough - plan for when they’re stolen.
Boards are told to identify their “crown jewels” and plan as though they’ve already been breached.
Today those jewels are identities, records, contracts, and SaaS data.
Assume compromise, then ask: if our tenant were encrypted or deleted, how fast could we restore, and who verifies that?
3. Detect, Respond, Recover - Logging and Proof of Control
Recovery evidence is the new incident report.
Logging matters.
But logs without recovery are autopsies, not resilience.
Boards should demand:
Restore testing evidence
Immutability verification
Data-integrity checks
FullBackup selected and resells Keepit, an independent SaaS backup platform, to deliver those controls - immutable versioning, retention time-lock, and cryptographic verification - giving boards recoverability assurance that maps to CPS 230, the Essential Eight, and SOCI obligations.
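What "restore testing evidence" and "data-integrity checks" look like in practice, as an added example (not FullBackup's or Keepit's code, and not tied to any backup product): capture a SHA-256 manifest of the data set at backup time, re-hash the restored copy, and emit an evidence record a board pack can cite, including the restore time against the RTO target. The "production", "backup" and "restored" trees are constructed on local disk inside run_demo() to stand in for a SaaS tenant export; only the Python standard library is used.

```python
"""Restore drill with integrity and RTO evidence.

Added example (not FullBackup's or Keepit's code). Everything is standard
library; the "prod", "backup" and "restored" trees are constructed in
run_demo() on local disk to stand in for a SaaS tenant export.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large exports need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_digest(manifest):
    """Digest of the canonical manifest; binds an evidence record to exactly this file set."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time."""
    restored = build_manifest(restored_root)
    matched = sorted(p for p in manifest if restored.get(p) == manifest[p])
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in restored)
    unexpected = sorted(p for p in restored if p not in manifest)  # informational only
    return {
        "matched": matched,
        "corrupted": corrupted,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not corrupted and not missing,
    }


def evidence_record(drill_id, manifest, result, restore_seconds, rto_target_seconds):
    """Audit-ready summary: what was tested, what passed, and how fast it came back."""
    within_rto = restore_seconds <= rto_target_seconds
    return {
        "drill_id": drill_id,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "manifest_sha256": manifest_digest(manifest),
        "files_in_manifest": len(manifest),
        "files_matched": len(result["matched"]),
        "files_corrupted": result["corrupted"],
        "files_missing": result["missing"],
        "restore_seconds": round(restore_seconds, 3),
        "rto_target_seconds": rto_target_seconds,
        "within_rto": within_rto,
        "integrity_ok": result["ok"],
        "outcome": "PASS" if result["ok"] and within_rto else "FAIL",
    }


def run_demo(rto_target_seconds=60):
    """Constructed data: a clean drill that passes, then a corrupted restore that fails."""
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        prod = os.path.join(work, "prod")
        backup = os.path.join(work, "backup")
        restored = os.path.join(work, "restored")
        os.makedirs(os.path.join(prod, "contracts"))
        with open(os.path.join(prod, "contracts", "msa.pdf"), "wb") as f:
            f.write(b"%PDF-1.7 sample master services agreement\n")  # constructed sample
        with open(os.path.join(prod, "mailbox.json"), "w") as f:
            json.dump({"from": "cfo@example.com.au", "subject": "Q3 forecast"}, f)

        shutil.copytree(prod, backup)       # "backup job": copy to an independent location
        manifest = build_manifest(backup)   # captured at backup time, kept with the backup

        t0 = time.monotonic()
        shutil.copytree(backup, restored)   # "restore": bring the backup back
        clean = evidence_record("drill-001", manifest, verify_restore(manifest, restored),
                                time.monotonic() - t0, rto_target_seconds)

        # Simulate a corrupted restore (bit-rot, partial download, or tampering).
        with open(os.path.join(restored, "contracts", "msa.pdf"), "ab") as f:
            f.write(b"\x00")
        tampered = evidence_record("drill-002", manifest, verify_restore(manifest, restored),
                                   time.monotonic() - t0, rto_target_seconds)
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record, indent=2))
```

The manifest digest is the detail that makes the record auditable rather than merely reassuring: a later reviewer can confirm the drill was run against the same file set that was backed up, not a convenient subset. In a real deployment the manifest would be written at backup time by the backup pipeline and stored with the immutable copy, and the evidence records would be retained alongside the logging described in priority 3.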
4. Supply-Chain and Sovereignty Risk
Visibility defines accountability.
The ACSC urges boards to map data dependencies and third-party exposures - the invisible web beneath every cloud service. For Australian directors, sovereignty is the linchpin.
Backups hosted in Australian data centres (e.g., Sydney/Melbourne) under local legal control, with customer-held encryption keys, reduce exposure to extra-territorial laws such as the U.S. CLOUD Act and align with SOCI oversight expectations and the Essential Eight objective of assured recoverability. One caveat boards should press on: the CLOUD Act reaches data that a provider subject to U.S. jurisdiction controls wherever it is stored, so who controls the provider and who holds the keys matter as much as where the rack sits.
Boards cannot mitigate what they cannot see, nor control what sits outside jurisdiction. Sovereign architecture brings data and accountability home.
SOCI link-up: For critical-infrastructure entities, board oversight of supplier obligations should include recoverability evidence from third parties (documented restore tests, log retention, and exit/portability plans) - not just security claims.

Translating Policy into Board Questions
These are not technical diagnostics; they are board-level audit questions, and the answers define whether an organisation can demonstrate control effectiveness.
This is how the ACSC’s priorities become measurable outcomes: recoverability, accountability, and sovereignty, expressed in evidence.
From Risk Awareness to Cyber Resilience for Boards
Resilience is measurable.
Directors don’t need to understand encryption algorithms, but they must insist on evidence that someone does.
The ACSC and AICD guidance marks a cultural shift: cyber resilience is no longer the CISO’s lonely battle; it’s the board’s collective obligation.
To meet it, directors should:
Treat recoverability as a standing agenda item.
Demand proof of immutable, sovereign backup.
Tie backup testing to CPS 230 operational resilience frameworks for financial entities.
Align recovery controls with SOCI Act requirements for critical infrastructure and Essential Eight maturity levels for government and enterprise.
Include resilience metrics in quarterly governance and risk reports.
Confirm ASD-aligned logging: centralised, time-synced, alerting wired to incident playbooks, documented retention, regular review.
Own legacy IT risk: name risk owners, define compensating controls, maintain a decommission roadmap.
Start a post-quantum transition plan: crypto-agile backups, vendor timelines, test in non-prod first.
Keep the basics tight: patching cadence and MFA on all public-facing services.
This approach doesn’t just satisfy regulators, it builds trust. Boards that can demonstrate control over their digital assets earn confidence from investors, insurers, and customers alike.

Every Story Has Its Turning Point
In every cyber incident, there’s a quiet second after the screens go dark when someone asks,
“Can we get it back?”
That moment defines reputation, resilience, and responsibility.
With FullBackup and Keepit, the answer is provable: Independent. Immutable. Sovereign.
Resilience isn’t something you buy - it’s something you demonstrate when everything else stops working.
Because in that moment, proof is everything.
Run a SaaS Resilience Pilot → fullbackup.com.au/demo-and-pilot
Show your board what verifiable recovery looks like.
Immutability. Sovereignty. Audit-ready proof.
FullBackup × Keepit - Where Australian resilience becomes verifiable.
Further reading
• ASD: Cyber Security Priorities for Boards of Directors (2025–26)
• AICD/CSCRC: Cyber Security Governance Principles v2
• ACSC: Essential Eight Maturity Model

This is spot on. Could you share a bit more around the audit and evidence framework you mentioned? Sounds like something boards would really value.