Snapshot:
- Directors and officers now face expanded responsibilities in the digital age. The rise of AI and cyber threats has added new risks.
- Directors must regularly update cyber security measures and have strong incident response plans to manage cyber incidents.
- Legal expectations for directors are increasing with technological advancements, requiring them to navigate a complex regulatory landscape.
With rapid technological advancements, directors and officers face increasing liabilities. Proactive risk management and board oversight can help ensure organisational resilience.
The integration of advanced technologies, such as artificial intelligence (AI) into business operations and the increasing prevalence of cyber threats, has introduced new dimensions of risk for directors and officers today.
Aon’s 2024 Intangible Versus Tangible Risks Comparison Report found that most organisations use or intend to use AI products or services. Nearly half of S&P 500 companies now mention AI on their earnings calls, with this number even higher in some cases. [1]
Andrew Mahony, Aon’s financial services, professions and cyber solutions leader for Asia, notes: “Vulnerability exploitation is becoming more effective than spear phishing in recent times, which requires more than just training staff. It requires technical solutions and a robust approach to attack surface management.”
The Australian Securities and Investments Commission reports that cyber attacks, data breaches and system failures are eroding market confidence and causing financial losses.[2] It is no wonder that cyber risks are expected to be a top priority for directors and officers (D&O) insurance markets in the Asia Pacific (APAC) region.[3]
“Strong governance frameworks addressing technology-related risks are vital to protect directors and officers from potential liabilities,” says Julie Hamilton, national D&O practice group leader in Australia. “For example, boards need to ensure they are providing clear stewardship to their organisations in an evolving landscape. They should also ensure their D&O policies cover liabilities from AI and other advanced technologies.”
In 2024, Stanford Securities Litigation Analytics began tracking Securities Class Actions filings with allegations related to AI as a trend category.[4] While AI-related filings are not new (the number of AI-related filings more than doubled in 2024 compared to 2023),[5] the growing prominence of AI in many companies’ business models may lead to an increase in such filings in the future.
Growing Legal Expectations for Directors Across APAC
As technology rapidly evolves, so do the legal expectations placed upon directors. They must now navigate a complex regulatory landscape designed to address the growing risk associated with technological advancements.
A notable development is the introduction of a statutory tort for serious invasions of privacy in Australia, effective 10 June 2025.[11] This law allows individuals to seek damages for privacy infringements or misuse of information, potentially resulting in significant legal and regulatory repercussions for directors and officers.[12]
Similarly, several Asian countries are also enhancing their legal and regulatory frameworks to address cyber security and privacy concerns.
In South Korea, the Personal Information Protection Act is one of the world’s most stringent privacy laws.[13] The law requires companies to implement robust data protection measures and report data breaches promptly.[14] Non-compliance can lead to heavy fines and criminal charges against responsible officers.[15]
In Singapore, the Cyber Security Act 2018 mandates that owners of critical information infrastructure take proactive steps to protect their systems and report cyber incidents.[16] The Personal Data Protection Commission enforces strict guidelines under the Personal Data Protection Act to safeguard personal data, with penalties reaching up to SGD 1 million or more for severe breaches.[17]
Japan has also strengthened its regulations with the enactment of the Act on the Protection of Personal Information (APPI).[18] The amended APPI, effective since April 2022, imposes stricter requirements on businesses handling personal data, including mandatory breach notifications and enhanced data subject rights.[19] Failure to comply can result in substantial fines and reputational damage.[20]
These developments across the APAC region point toward a global trend to hold directors and officers accountable for cyber security and privacy, stressing the need for strong risk management and vigilance against technological threats.
For instance, after the 2017 Equifax breach[21], various lawsuits were brought against the company, and a senior executive was charged in connection with the incident.[22] Similarly, the SolarWinds incident[23] saw its chief information security officer held responsible in lawsuits. These cases highlight the ongoing legal accountability for cyber security management, emphasising the need for robust risk management and vigilance against technological threats.
Directors are also being held accountable for their company’s breaches of statutory obligations through the “Stepping Stone” liability.[27] Regulators may allege that directors or officers have breached their duty of care and diligence by allowing or failing to prevent a company from breaching other legal obligations, potentially leading to civil penalties and disqualification.
Directors and Officers Face Regional Complexities
On top of expanding legal expectations, directors and officers face significant differences in the D&O insurance landscape across the APAC region. While heightened competition among insurers presents opportunities for cost savings, each country faces unique challenges and regulatory scrutiny. Rapid digital transformation, climate disclosures, AI governance, and cyber security are key factors influencing the D&O insurance market, with varied emphasis and impact across different countries.
Australia
- The D&O market for insureds has seen favourable conditions with increased competition and opportunities for cost savings.
- Insurers are focusing on emerging risks such as climate disclosures, AI governance and cyber security.
India
- The country is experiencing rapid digital transformation, which has led to an increase in cyber threats.[28]
- Directors and officers need to be vigilant about cyber security and ensure that their organisations have robust risk management frameworks in place.
Japan
- There is a growing focus on AI governance and the ethical use of technology.
- Directors and officers are expected to implement robust governance frameworks to manage AI-related risks and ensure ethical practices.
Mainland China
- China’s stringent cyber regulations (Cyber Security Law, Data Security Law, Personal Information Protection Law) mandate rigorous data governance, cross-border transfer controls and breach reporting.[29]
- Directors and officers must prioritise compliance amid rapid digitalisation, heightened cyber threats (e.g., state-sponsored attacks, ransomware) and evolving AI governance risks.[30]
- The Cyberspace Administration of China enforces strict accountability, requiring robust response capabilities, vendor due diligence and compliance with Critical Information Infrastructure requirements.[31]
- Insurers writing D&O coverage are placing greater focus on cyber resilience and regulatory adherence.[32]
New Zealand
- The country lacks broad regulatory rigour in cyber security and AI, but the Financial Markets Authority and Reserve Bank of New Zealand are increasingly interested in how regulated entities manage data privacy risk and cyber resilience.[33]
- New Zealand D&O insurers are becoming aware of the need for compliance with data protection laws and ethical AI governance to mitigate evolving sources of claims.[34]
- While litigation from cyber events has been rare locally, many New Zealand organisations and their boards could be influenced by international trends,[35] especially from Australia.
Singapore
- The regulatory environment is stringent, with the Monetary Authority of Singapore (MAS) emphasising the importance of cyber resilience.[36]
- Directors and officers must ensure compliance with MAS guidelines to avoid regulatory penalties.[37]
Four Proactive Steps for Directors and Officers
Regional dynamics indicate the need for specific risk management strategies to address the challenges faced by directors and officers in different countries.
Four proactive steps that directors and officers can consider to help manage cyber security risks, ensure compliance with regulatory expectations and sustain organisational resilience include:
- Regular Review of Risk Management Frameworks: Directors must ensure that their organisations’ cyber security measures are regularly reviewed and updated to address new and evolving threats. Using analytics frameworks and models, such as Aon’s Cyber Impact Analysis, can help to provide a financial quantification of cyber risks. Should a cyber incident occur, these models can demonstrate to regulators, shareholders, and courts that the board attempted to define the materiality of risks to inform appropriate control strategies in order to protect shareholder equity, customers, and the public.
- Board Oversight and Accountability: The board must take an active role in overseeing cyber security practices and ensuring that there is accountability at all levels of the organisation. For example, Wyndham Worldwide Corporation managed to successfully dismiss a shareholder derivative suit seeking damages arising out of three data breaches that occurred between 2008 and 2010 by highlighting its proactive approach to cyber security during multiple board meetings. The board successfully demonstrated a consistent focus on data security, including regular updates on data security measures, risk assessments, and consultations with cyber security experts, reflecting the board’s ongoing commitment to addressing potential vulnerabilities.[38]
- Training and Awareness: Directors should appropriately resource privacy and cyber security. They must ensure that they and their management teams are adequately trained and aware of the latest cyber security risks and best practices.
- Incident Response Planning: Organisations must have robust incident response plans in place to quickly and effectively respond to cyber incidents and mitigate their impact.
“Ensuring that organisations are well-prepared to handle cyber incidents allows directors and officers to protect themselves and their business from the increasing risks associated with the digital age,” says Ling Yu, Aon’s financial services and professions group leader for Asia.
[1] 2024 Intangible Versus Tangible Risks Comparison Report pg 13-14, Aon & Ponemon Institute
[2] Key issues outlook 2025, ASIC
[3] Key issues outlook 2025, ASIC
[4] Securities Class Action Filings – 2024 Year in Review, Cornerstone Research
[5] Securities Class Action Filings – 2024 Year in Review, Cornerstone Research
[6] Australia regulator tells Medibank to set aside $167 million after data breach, Reuters
[7] Medibank cyber-attack: should the health insurer pay a ransom for its customers’ data?, The Guardian
[8] Medibank admits it didn’t have cyber insurance to cover data hack, The ABC
[9] Corporate governance implications of Medibank enforcement proceedings, Johnson Winter Slattery
[10] Australia regulator tells Medibank to set aside $167 million after data breach, Reuters
[11] Statutory tort for serious invasions of privacy, Legal Services Commission South Australia
[12] The new statutory tort for serious invasions of privacy and its implications for business, Corrs Chambers Westgarth
[13] GDPR matchup: South Korea’s Personal Information Protection Act, IAPP
[14] A Comprehensive Guide to South Korea’s Personal Information Protection Act (PIPA), Privacy Engine
[15] Enforcement in South Korea, DLA Piper
[16] Cybersecurity Act – Information on the Cybersecurity Act, Cyber Security Agency of Singapore
[17] Singapore: Higher Fines for Breach of Personal Data Protection Act 2012 (PDPA) – up to 10% of Singapore Turnover, DLA Piper
[18] Japan Act on the Protection of Personal Information (APPI): An Overview, Usercentrics
[19] Data protection laws in Japan, DLA Piper
[20] A Comprehensive Guide to Japan’s APPI Data Protection Law, PrivacyEngine
[21] Equifax Data Breach Explained: A Case Study, Breachsense
[22] Equifax Data Breach Explained: A Case Study, Breachsense
[23] Judge deals major blow to SEC’s cybersecurity enforcement stance, CFO Dive
[24] Sygnia Discovers New Active China-Nexus Threat Actor Weaver Ant, Business Wire
[25] Sygnia Discovers New Active China-Nexus Threat Actor Weaver Ant, Business Wire
[26] Chinese hackers secretly infiltrated Asian telcos for years, report finds, Capacity Media
[27] Don’t keep it on the down low: data breaches, mandatory notification, personal liability of directors, and D&O policies, Clayton Utz
[28] Navigating the challenges of digital growth: securing trust in India’s tech revolution, ETCISO.in
[29] Data protection laws in China, DLA Piper
[30] China’s Cybersecurity Law Amendments: Key Changes in the Second Draft, Dezan Shira & Associates
[31] China’s Cybersecurity Law: Critical Information Infrastructure (CII), Protiviti
[32] Chinese insurers step up D&O and cyber programmes: Lockton, InsuranceAsia News
[33] Cyber resilience: Regulators take an interest, MinterEllisonRuddWatts
[34] Insurers Embrace AI Innovations in Australia, New Zealand, Business Wire
[35] Cyber security – one step ahead, Tompkins Wake
[36] Cyber Security, Monetary Authority of Singapore
[37] Enforcement, Monetary Authority of Singapore
[38] Wyndham – A Case Study in Cybersecurity: How the cost of a relatively small breach can rival that of a major hack attack, Corporate Counsel Business Journal