Quick summary
The summer edition of our Above Board update covers need-to-know developments in corporate governance and board practice over the quarter. We wish all our clients a happy and safe holiday and look forward to an exciting 2025.
- New legislation to mandate climate-related financial disclosure (CRFD) in annual reports commenced on 18 September 2024, with implications for directors and officers personally. ASIC is now consulting on guidance for entities subject to the new reporting requirements.
- New cyber security legislation passed the Parliament in November, which will require businesses to report ransomware payments and encourage greater cooperation with cyber security authorities when they are the victim of a cyber attack.
- Directors of aged care providers are subject to new personal duties relating to client safety and wellbeing, following passage of the Aged Care Act 2024 (Cth).
- ASIC has announced that the agency’s enforcement priorities for 2025 include insider trading and misleading ESG claims, and that its enduring enforcement priorities include governance and directors’ duties failures.
- A recent decision of the High Court has clarified the circumstances in which a corporate officer can be liable as a person involved in a contravention by their company.
- The Federal Court has provided guidance on when a director can rely on professional advice in discharging their functions, in a case involving the failed Dixon Advisory group.
- ASIC Chair Joe Longo has proposed a new taskforce for regulatory simplification, as concerns over government inaction on complexity continue to grow.
- AICD has released a new legal opinion on directors’ duty of care in relation to their company’s regulatory compliance.
- Our next instalment on strengthening corporate governance focuses on the Swiss Cheese Model of incident causation and the insights it provides in building more resilient organisations.
Climate-related financial disclosure commences
Australia’s new climate-related financial disclosure laws commenced on 18 September 2024. Many entities and groups that currently prepare and lodge annual reports in Australia will be required to include a sustainability report that contains the information required by the sustainability standard AASB S2 Climate-related Disclosures. These new record-keeping and reporting requirements commence for very large entities in the first financial year that commences after 1 January 2025 and will be phased in for other captured entities and groups by the first financial year that commences after 1 July 2027. When fully implemented, the regime will cover all reporting entities or groups that meet at least two out of three size criteria (consolidated gross FY revenue of $50 million, consolidated gross assets at EOFY of $25 million, and 100 or more employees at EOFY), are covered by the NGER scheme, or are investment and superannuation funds with assets of $5 billion or more.
AASB explains that the regime is intended to provide useful information to primary users of general-purpose financial reports about climate-related risks and opportunities that could reasonably be expected to affect a captured entity’s cash flows, access to finance or cost of capital over the short, medium or long term. The main climate-related financial disclosure requirements relate to governance, strategy, risk management, and metrics and targets, and include information about scenario analysis and Scope 1, Scope 2 and Scope 3 greenhouse gas emissions.
Requirements for audit and assurance will be introduced progressively. A directors’ declaration adopting the sustainability report will be required, albeit in modified form for financial years commencing before 18 September 2027.
The new laws will significantly impact governance of climate-related risks and opportunities in captured entities and for other entities in their value chains or to which they provide finance. They also extend directors’ and officers’ personal legal duties in relation to information disclosed, as explained in our recent article, ‘Climate-related financial disclosure: what directors and officers need to know’.
ASIC released its Consultation Paper 380: Sustainability Reporting in November and is taking feedback until 19 December 2024 on how its regulatory guidance can best support implementation of the new regime.
New cyber security legislation passes
In a landmark development, a new Cyber Security Act 2024 was passed by Parliament and received Royal assent on 29 November 2024.
The Act will impose a new cyber ransom payment reporting obligation on businesses operating in Australia with a turnover of over $3 million, requiring a report to be made within 72 hours of the payment being made. While the Government decided not to outlaw all ransom payments, Australian companies (and their directors and senior managers) need to tread carefully when it comes to cyber ransom payments, due to the possible application of anti-money laundering and terrorism financing laws as well as sanctions laws.
The Act provides for limited use and limited admissibility of information provided to the Government, both under the ransom payment reporting obligations and also for information provided voluntarily to the Cyber Coordinator (an officer in the Department of Home Affairs). The policy objective is to encourage business to share information with the Government for the benefit of the wider community, but time will tell whether the measures go far enough to encourage disclosure. For one thing, the extensive use and on-disclosure within Government permitted by the Act may well be inconsistent with legal privilege being maintained over any privileged material provided to Government. The Government decided not to make it abundantly clear that privilege would not be waived by a voluntary disclosure.
The Act also provides for standards for IoT devices and establishes a Cyber Incident Review Board, which will do what it says on the label.
Accompanying legislation also makes important amendments to the Security of Critical Infrastructure Act 2018 (Cth) and the Freedom of Information Act 1982 (Cth), in the latter case ensuring that information provided to the Cyber Coordinator will not be subject to disclosure under FOI. However, information provided to the Cyber Coordinator and disseminated within the Government could still be obtained through subpoenas – the presumptive inadmissibility of the information under the provisions of the Cyber Security Act would not mean that the information need not be disclosed under a subpoena.
The new Act, as far as it goes, is an important policy measure in the battle with cyber crime. The provision for review of the Act after three years (one of the recommendations of the Parliamentary Joint Committee on Intelligence and Security that actually resulted in an amendment to the legislation) will be important to ensure that it is (and remains) fit for purpose.
Boards should ensure that management reviews cyber incident protocols and procedures to have regard to the provisions of the Act, and may wish to review policies on payment of cyber ransoms in light of the new reporting obligation.
In other cyber security news, the Australian Institute of Company Directors released Version 2 of its Cyber Security Governance Principles in late November, now covering emerging issues such as data governance, digital supply chain risks and cyber incident response and recovery. The Principles can be accessed here: Cyber Security Governance Principles | Version 2.
Directors of aged care providers have a new legal duty
The new Aged Care Act 2024 (Cth), which came into effect in early December, imposes new duties on “responsible persons” of aged care providers, including their directors and other officers. Section 180 of the Act imposes an affirmative duty on them to exercise “due diligence” to ensure that the provider complies with its duty to ensure, so far as reasonably practicable, that the conduct of the provider does not cause adverse effects to the health and safety of clients.
Due diligence includes taking reasonable steps to understand the requirements applicable to providers, to understand the nature of the services delivered and the risks involved, and to ensure the provider has and uses appropriate resources and processes to identify, track and manage those risks.
The new duty is similar to that which applies under work health and safety legislation and in the regulatory regime for heavy vehicles; it is interesting that the Government has decided to extend this approach to the human services sector. A “serious” failure by a responsible person to exercise due diligence can result in a civil penalty of up to $49,500 or, if the conduct results in the death of, serious injury to or illness of a client, up to $165,000. This applies even if the provider is a not-for-profit and the director is a volunteer.
We were pleased to advise the Australian Institute of Company Directors (AICD) on its submissions to Government on the design of the new directors’ duty. A copy of our advice on the new duty is available on the AICD’s website.
ASIC announces its enforcement priorities for 2025
ASIC has announced its enforcement priorities for 2025, with a focus on financial markets, greenwashing and misleading conduct involving ESG, and protecting consumers from financial harm. The enforcement priorities reflect key issues and risks that ASIC considers to be of most concern, and where it will direct its resources and expertise – and should be top of mind for boards and directors, particularly those in the superannuation and insurance sectors. They are:
- insider trading;
- greenwashing and misleading conduct involving ESG claims;
- misconduct exploiting superannuation savings, member service failures in the superannuation sector and failures by insurers to deal fairly and in good faith with customers (like the recent action against Cbus alleging systematic claims handling failures);
- licensee failures to have adequate cyber security protections;
- auditor misconduct (ASIC recently launched a surveillance program focused on auditor independence);
- unscrupulous property investment schemes, debt management and collection misconduct and used car finance sold to vulnerable consumers;
- business models designed to avoid consumer credit protections; and
- misconduct impacting small businesses and their creditors.
To support its work in upholding the integrity of financial markets, ASIC has also established a new dedicated team to target market misconduct and strengthen its investigation and prosecution of insider trading – which remains an enduring enforcement priority, together with continuous disclosure breaches, governance and directors’ failures and new or emerging conduct risks within the financial system.
High Court clarifies the law on involvement liability
In regulatory proceedings against a private vocational education and training provider for unconscionable conduct in breach of the Australian Consumer Law, the High Court has confirmed that the former chief executive officer and, through him, the listed parent company were “involved” in the provider’s contravention. This is an important reminder that individuals who are implicated in corporate wrongdoing can be held liable alongside the company if their involvement crosses the legal threshold.
That threshold requires two things. First, the individual must have intentionally participated in conduct that implicates or involves them in the primary contravention. That is, they must have assented to or become associated with the conduct that amounts to the primary contravention. Second, they must have knowledge of the essential facts constituting the contravention. In this case, it required the ACCC to show that the individual knew all the facts and circumstances that made what was done unconscionable. But this does not mean that they must “recognise” the conduct as unconscionable or know or intend that what was done would breach the law. The ACCC did not have to show that they knew that the conduct was exploitative or otherwise had the character that made it against conscience.
The case is Productivity Partners Pty Ltd (trading as Captain Cook College) v ACCC [2024] HCA 27; it is also noteworthy for its application of the principle of “systems intentionality” to the company’s conduct. Systems intentionality is discussed in the recent BLS Report podcast, ‘The Culpable Corporate Mind’.
We were pleased to act for the ACCC in this important case, which is explained in our article, ‘High Court clarifies principles governing unconscionable conduct and accessorial liability’ and discussed in the December edition of Company Director magazine.
Federal Court explains reasonable reliance by directors on professional advice
The Federal Court recently considered whether reliance by a director on external legal advice was honest and reasonable, and therefore a defence to an alleged breach of the duty of care and diligence. Directors are entitled to rely on information or professional or expert advice given by certain third parties (including professional advisors on matters within their professional competence) provided that the reliance is made in good faith and after having made an independent assessment of the information or advice, having regard to the director’s knowledge of the company and the complexity of its structure and operations.
In ASIC v Ryan [2024] FCA 1267, the Federal Court found that a director’s reliance on external legal advice was reasonable, because the advice was provided by a professional advisor in relation to matters that the director believed on reasonable grounds to be within its professional competence; and the director relied on the advice in good faith after making an independent assessment of the advice, which involved the director reading the advice carefully and satisfying himself that the background assumptions (on which the advice was based) were accurate and complete.
In reaching this conclusion, the Court (effectively) dismissed concerns raised about the advice – including as to the accuracy of the background assumptions and its scope.
Importantly, in circumstances where directors seek to rely on external advice, they must apply their skill, judgement and knowledge to appropriately scrutinise and assess the advice, and should seek further clarification or correction of incorrect assumptions or factual statements as needed in order to ensure that their reliance is made in good faith.
We were pleased to act for ASIC in this matter.
ASIC Chair announces action on regulatory simplification
ASIC Chair Joe Longo has called out the crippling complexity of Australian corporate and financial services law and announced his intention to convene a Simplification Consultative Group made up of consumer advocates, business leaders and directors and industry groups. The group will be asked to identify how ASIC can more efficiently and more effectively administer the law and “how the levers and guidance available to ASIC can be more helpful.”
This follows the Australian Law Reform Commission’s findings that “Corporations and financial services legislation has become unnecessarily complex. Regulated entities incur unnecessary costs when complying with their obligations. Consumers find it difficult to identify their rights. Lawyers struggle to advise their clients with sufficient certainty. Judges have become all too familiar with confronting the ‘usual labyrinthine provisions of the Corporations Act’.”
The initiative is welcome but ASIC’s capacity to stem the tide of regulatory complexity on its own may be limited. It is clear that a systematic program of legislative reform supported by experts, and a firm commitment by the Parliament to follow its own rules on policy impact analysis and best practice consultation for future law reform, are required.
AICD provides guidance on directors’ oversight of company compliance obligations
The AICD has commissioned a legal opinion by Michael Hodge KC and Sonia Tame and issued a practice statement focusing on the standard of care required by directors to meet their duty of care and diligence in the context of overseeing a company’s regulatory compliance obligations.
The opinion highlights that directors do not have a duty to guarantee compliance with all regulatory obligations or to eliminate all risks – rather, directors must be familiar with the commercial fundamentals of the business and understand the key compliance obligations and risks to which the company is subject, and must be in a position to monitor those risks (including by regular attendance and participation at board meetings). Directors risk breaching their duty of care and diligence if they fail to take appropriate action when there is a foreseeable risk of serious harm to the company, such as a substantial threat to the business model or loss of a key operating licence.
The practice statement provides guidance for effective monitoring and oversight of regulatory compliance – highlighting the need to remain alert to, and act on, red flags and to challenge management appropriately.
Building resilient organisations and stronger corporate governance systems
Organisations rely on systems to operate effectively – to build competitive advantage, maintain operations and avoid adverse outcomes. Properly functioning systems are essential if organisations are to avoid an otherwise inevitable drift to disorder. This is as true for corporate governance systems as it is for other organisational systems. In his practical article, ‘Corporate governance, defence in depth and the Swiss Cheese Model of incident causation’, Partner Jonathan Cheyne introduces the famous Swiss Cheese Model of incident causation – which is widely applied in many other domains – and highlights the insights the model provides for those interested in building and maintaining strong corporate governance systems and more resilient organisations.
Robust governance is the key to every successful, sustainable and resilient business. Our specialist Board Advisory & Governance team works closely with boards and senior management in understanding stakeholder expectations and meeting contemporary governance standards.