Seven questions about your Board's cyber oversight
The assessment is designed to answer the questions that matter most when Board oversight is examined:
Is responsibility for cyber governance clearly assigned and understood across the Board, its committees, and the executive?
Does the Board receive reporting that is decision-relevant, comprehensible, and traceable to source?
Are cyber risk decisions deliberate, recorded, and explainable, including risk acceptance and tolerance decisions?
Can governance conclusions be supported by documented evidence, not just management assurance?
Are critical operations defined, tolerances approved, and resilience tested with Board visibility?
Are third-party dependencies identified, governed, and visible to the Board where material reliance exists?
Can the Board demonstrate it is appropriately informed to challenge cyber risk oversight as conditions change?
These questions are grounded in Australian legal, regulatory, and prudential expectations for Board oversight. The assessment tests whether your Board can answer them with evidence.
What the Board receives
At the conclusion of the engagement, ARC Nexus delivers Board-ready outputs designed for governance decision-making, not technical consumption.
A domain-by-domain assessment of governance oversight. Each domain is rated independently. There is no composite score. Strengths and gaps are visible, not averaged.
The most material governance observations, each anchored to documented evidence, with the governance implication stated and limitations disclosed.
A statement of what was not examined, what evidence was unavailable, and where confidence in conclusions is bounded. Where evidence was requested but not provided, that is stated explicitly.
Specific governance questions the Board or Committee should put to management, and the evidence or assurance that would address each oversight gap identified.
Every conclusion is conservative by default. Where evidence supports more than one assessment, the lower assessment is applied. Ratings are elevated only when evidence clearly supports the higher level.
Engagements begin with a confidential 30-minute briefing and are governed by defined scope, independence, evidence handling, and reporting controls before assessment work begins.
What this assessment does not do
This is not a maturity assessment. It does not produce a composite score, a single organisational rating, or a traffic-light dashboard. Maturity scoring implies developmental progression and can create false comfort about the state of governance oversight.
ARC Nexus does not assess operational implementation or certify technical control effectiveness. The assessment does not constitute legal advice, compliance certification, or regulatory clearance.
The standard is defensibility: whether the Board can demonstrate that reasonable oversight was exercised, challenged, documented, and periodically reassessed.
A methodology built for scrutiny
Every ARC Nexus engagement applies three integrated layers simultaneously. Board oversight exposure exists across all three. A review that addresses only one layer leaves defensibility gaps.
Governance Oversight Layer
Board-level oversight assessed across 16 controlled governance domains covering accountability, reporting integrity, assurance, crisis decision governance, third-party dependency, risk appetite, capability, culture, investment, governance continuity, regulatory monitoring, disclosure, Board capability, data governance, AI governance, and post-quantum cryptographic readiness.
Risk Lifecycle Layer
Governance coverage tested for lifecycle completeness against NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. This alignment is used to ensure lifecycle completeness, not to assert compliance certification.
Regulatory Overlay Layer
Governance evidence tested against fiduciary and regulatory expectations, including directors' duties under ss 180 to 183 of the Corporations Act, APRA CPS 234, CPS 230, the Security of Critical Infrastructure Act, the Privacy Act, and disclosure obligations.
16 cyber governance domains
The assessment is built on a 16-domain governance model. Domains in scope are assessed independently. No finding is left unmapped.
All 16 domains are assessed from a cyber governance perspective, focused on how the Board discharges its cyber governance duties.
Evidence-led, not assumption-led
ARC Nexus does not rely on management assurance or self-reported governance posture. Every finding must be anchored to a documented artefact or a recorded evidence gap. Where a finding cannot be supported by evidence, it is not made.
Evidence quality is formally assessed. Documentation alone cannot support the highest levels of defensibility. Advancement beyond foundational ratings requires evidence of sustained oversight behaviour, not just the existence of policies and frameworks.
Where evidence is unavailable, incomplete, or stale, the limitation is disclosed and the assessment is adjusted accordingly. The assessment states what was examined, what was found, and where confidence ends.
Where oversight relies solely on internal management reporting without independent validation or assurance, the Board's ability to demonstrate defensible oversight is necessarily constrained.
Grounded in the regulatory environment Boards operate in
The ARC Nexus methodology is anchored in directors' duties under the Corporations Act, regulatory expectations from APRA, ASIC, and the Australian Cyber Security Centre, and Board governance guidance from the Australian Institute of Company Directors.
Recent judicial authority, including ASIC v FIIG Securities Limited [2026] FCA 92, has reinforced expectations on the adequacy of cyber risk management, governance oversight, and Board-level accountability. These decisions confirm that cyber governance is not an emerging risk. It is a present obligation.
ARC Nexus does not provide legal advice. The assessment provides a governance evidencing standard focused on whether oversight can be demonstrated under scrutiny. It is not a substitute for legal counsel.