April 28, 2026
The Insider Threat Boards Can No Longer Ignore
Fraud and internal misconduct are among the most damaging risks facing Australian organisations. The question for boards is whether their governance frameworks are genuinely equipped to detect and manage them.
Introduction
The conversation about board-level risk governance in Australia has intensified considerably over the past two years. High-profile data breaches, regulatory scrutiny, and a wave of guidance from the Australian Institute of Company Directors (AICD) have pushed cyber security and risk oversight firmly onto boardroom agendas.
But while external threats attract most of the attention, a quieter and often more damaging risk category continues to be underweighted in many governance frameworks: fraud and insider threats.
These are not edge cases. Internal actors, whether motivated by financial pressure, grievance, or opportunity, represent a persistent and material risk for organisations of every size and sector. Unlike external attackers, insiders are difficult to detect precisely because they already hold legitimate access to systems, processes, and sensitive information, so their activity rarely trips the perimeter controls that external intrusions do.
The Governance Gap
Boards should be aware that disgruntled employees and malicious insiders can pose a unique risk since they already have legitimate access to systems and may be intimately familiar with the organisation's operations.
This observation, drawn from the AICD's Cyber Security Governance Principles, points to a risk that sits at the intersection of cyber security, fraud prevention, and internal controls, and one that requires a governance response that spans all three.
The challenge for many boards is that existing frameworks tend to treat these risks in isolation. Cyber security is addressed through one lens, fraud through another, and misconduct through a third. In practice, serious insider incidents rarely respect those boundaries. A disgruntled employee with system access and financial motivation does not fit neatly into any single risk category, and governance frameworks that are not designed to detect the overlap will miss them.
Escalating Expectations
Cybercrime remains the key issue keeping directors up at night, according to the AICD's most recent Director Sentiment Index survey, with more than half of Australian directors reporting that the risk of cyberattacks is directly influencing their board's risk appetite.
Regulatory expectations are moving in the same direction. High-profile cyber incidents and data breaches affected millions of Australians in 2024, tarnishing the reputations of some of the country's largest organisations and prompting regulators to intensify their scrutiny of board-level practices.
ASIC's increased focus on directors' oversight obligations reinforces the point. Boards that cannot demonstrate active and informed oversight of fraud and insider risk are exposed, not just operationally, but legally and reputationally.
What Robust Governance Actually Looks Like
The AICD's governance guidance makes clear that effective board oversight requires more than policy documentation. Boards need to keep a close eye on mission-critical risks, and a board that knows a problem exists while management keeps deferring it is carrying a very high level of risk.
Applied to fraud and insider threat, this means boards should be asking management direct and specific questions. Not whether a fraud policy exists, but whether it is being tested, whether it is detecting anything, and whether the organisation has the investigation capability to respond when something is found.
Practically, robust governance in this area requires several things working together:
- Clear frameworks that define how fraud, misconduct, and insider threats are identified, escalated, and investigated.
- Independent investigation capability that sits outside the normal management chain, so that internal matters can be handled without compromising the integrity of the process.
- A board that is willing to commission investigations when warranted and to receive findings without filtering by management.
The Investigation Capability Problem
Many Australian organisations discover, often too late, that they lack the capability to properly investigate a serious internal matter. Internal HR and legal teams are rarely equipped for complex fraud investigations or matters involving financial crime, cyber-enabled misconduct, or sophisticated insider activity.
This is not a reflection on those teams. It is a structural gap that most organisations have not needed to address until they suddenly do. By that point, evidence may have been altered, overwritten, or handled without a preserved chain of custody, timelines may have been lost, and the organisation's ability to pursue recovery or disciplinary action is significantly diminished.
Boards that are serious about this risk need to ensure their organisations have access to specialist investigation and intelligence capability before an incident occurs, not after.
Questions Boards Should Be Asking
Drawing on the AICD's framework for meaningful board oversight, directors overseeing fraud and insider threat risk should be comfortable asking management the following:
- What controls exist to detect unusual access, transactions, or behaviour by internal actors (for example, logging and review of privileged access, segregation of duties on payments and approvals, and monitoring of unusual data exports)? When were they last independently tested?
- Does the organisation have a clearly defined and documented process for responding to a suspected fraud or misconduct matter? Who owns it and who is accountable?
- What independent investigation capability does the organisation have access to for serious or sensitive matters? Has that capability ever been used or tested?
- How are investigation findings reported to the board and what happens when findings implicate senior management?
If the answers to these questions are uncertain or vague, the governance framework has a gap worth addressing.
Conclusion
The AICD's guidance on cyber governance, risk oversight, and directors' duties all point in the same direction. Boards are expected to engage meaningfully with serious risk, ask hard questions of management, and ensure the organisation has the capability to respond when something goes wrong.
Fraud and insider threats are serious risks. They are also manageable ones, provided governance frameworks are designed with enough rigour, and the right investigation capability is in place when it matters.
Bibliography
Australian Institute of Company Directors, Cyber Security Governance Principles (Version 2, November 2024) https://www.aicd.com.au/content/dam/aicd/pdf/tools-resources/director-tools/board/cyber-security-governance-principles-web3.pdf
Australian Institute of Company Directors, Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors (February 2024) https://www.aicd.com.au/risk-management/framework/cyber-security/governing-through-a-cyber-crisis-cyber-incident-response-and-recovery-for-australian-directors.html
Australian Institute of Company Directors, Governance Resource Highlights 2024 (December 2024) https://www.aicd.com.au/good-governance/organisational-strategy/long-term-strategic-plan/governance-resource-highlights-2024.html
Australian Institute of Company Directors, Regulatory Compliance in 2024 (December 2023) https://www.aicd.com.au/regulatory-compliance/regulations/regulatory-compliance-in-2024.html
Australian Institute of Company Directors, Summary of Insights from the Australian Governance Summit 2024 (2024) https://www.aicd.com.au/good-governance/summary-of-insights-from-the-australian-governance-summit-2024.html
Australian Institute of Company Directors and Australian Signals Directorate, Cyber Security Priorities for Boards of Directors 2025-26 (2025) https://www.aicd.com.au/risk-management/framework/cyber-security/cyber-security-priorities-for-boards-of-directors-2025-26.html
