The winter edition of our Above Board quarterly update covers these recent developments in corporate governance and board oversight:
- Enforcement proceedings against Medibank for failing to take reasonable steps to protect members’ personal information from cyberattack have boards and management teams re-examining their oversight responsibilities for cybersecurity.
- ASX has amended its continuous disclosure guidance to include examples about when to disclose cyber breaches to the market.
- The Commonwealth Government has tabled the findings of a review recommending winding back some changes to the continuous disclosure laws that were introduced during the COVID-19 pandemic.
- The failed shareholder class actions against Commonwealth Bank of Australia over its market disclosures concerning AUSTRAC investigations into alleged AML compliance failures provide some guidance for companies wondering when to disclose information about regulatory investigations.
- Legislation for mandatory climate-related financial disclosure in annual reports has cleared the parliamentary committee stage.
- The ASX Corporate Governance Council’s first round of consultation on a new edition of its Corporate Governance Principles and Recommendations, including controversial proposals relating to board composition, has closed.
- The Commonwealth Attorney-General is consulting on draft guidance to help corporations implement adequate procedures to prevent their associates from committing foreign bribery.
- The office of Anti-Slavery Commissioner has been established, with funding to work with businesses to address the risk of modern slavery practices in their operations and supply chains.
- Two company directors have been convicted in Western Australia for failing to obtain a Director Identification Number.
- The Australian Institute of Company Directors has updated its Not-for-Profit Governance Principles.
Robust governance is the key to every successful, sustainable and resilient business. Our specialist Board Advisory & Governance team works closely with boards and senior management in understanding stakeholder expectations and meeting contemporary governance standards.
Cybersecurity concerns for boards and senior management
The Australian Information Commissioner announced in June that it had filed civil penalty proceedings against Medibank Private Limited in relation to its October 2022 data breach. The Commissioner alleges that the company seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps between March 2021 and October 2022 to protect their personal information from unauthorised access or disclosure. John Keeves discusses the governance implications of the Commissioner’s case in his Insight, ‘Corporate governance implications of Medibank enforcement proceedings’.
The Commissioner intends that the proceedings “should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
We discuss the responsibilities of boards and senior management for cybersecurity governance in a previous Insight. The board’s role is to understand the threat environment, set the risk appetite, ensure adequate resources are allocated to the task, and then (either directly or through a sub-committee) monitor and oversee the development, maintenance, and implementation of suitable systems and processes for cyber defence, incident response and recovery, and cyber resilience.
Given the serious consequences that can follow for an unprepared company that is the victim of a cyberattack, directors and officers need to be aware of their personal duties to take reasonable care to protect the company from the foreseeable risk of harm to its interests, by exercising effective oversight of the risk-management framework.
New ASX guidance for disclosing cyber breaches
A listed entity that experiences a cyber breach must decide quickly whether it needs to disclose that fact to the market. ASX Limited has provided additional guidance on disclosing cyber breaches in Guidance Note 8 on Continuous Disclosure with effect from 27 May 2024.
We discuss this further in our article, ‘Continuous disclosure: new data breach example added to ASX Guidance Note 8’. It provides high-level guidance to ASX-listed entities on when disclosure may be required in connection with a data breach, and what might need to be disclosed. This requires consideration of the nature and extent of the data breach, its materiality, and confidentiality issues.
ASX suggests that it may be prudent to issue a release when OAIC and affected individuals are notified, to ensure that continuous disclosure obligations are met.
The key trigger for disclosure is materiality, and this may be hard to determine when a data breach response situation is rapidly changing. ASX suggests the possible use of a trading halt to provide time to prepare an appropriate announcement.
Proposed changes affecting fault elements in continuous disclosure
At the height of the COVID-19 pandemic, Australia’s continuous disclosure laws were amended to limit some forms of liability for continuous disclosure breaches to conduct that involved fault – that is, to negligent, reckless or intentional breaches. The amendments meant that disclosing entities could not be sued in civil claims for compensation (including class actions) or in civil penalty proceedings by ASIC, unless knowledge, recklessness or negligence on the part of the entity could be established.
The legislation provided for it to be reviewed to determine whether the amendments should be reversed, or allowed to stand. The outcome of that review, which was tabled in Parliament in May, is discussed in our earlier article.
The review did not recommend removing the fault elements for civil claims arising out of continuous disclosure breaches by listed entities. It found there was no evidence that meritorious class actions had been hampered by the new regime requiring proof of fault for a civil claim to succeed.
However, it did recommend removal of the fault elements for civil penalty proceedings undertaken by ASIC, finding that the requirement to show fault may have hampered ASIC’s enforcement activity.
It is not yet clear whether, and if so when, the Government will act on the review’s recommendations.
Moves towards mandatory climate-related financial disclosure
Legislation requiring large and medium businesses to include climate-related financial disclosure in their annual reports has passed the parliamentary committee stage.
If it is enacted, the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Bill 2024 (Cth) will be implemented in stages, beginning with very large businesses from 2025 and extending by 2028 to all companies (listed or unlisted) that lodge an annual report and that meet two of three size criteria, assessed on a consolidated basis: (1) revenue of $50 million or more; (2) gross assets of $25 million or more; (3) 100 or more employees. It will also apply to public investment trusts and funds with $5 billion or more in consolidated assets, and to other entities registered under the National Greenhouse and Energy Reporting Act 2007 (Cth).
We have summarised the dissenting comments in the Senate Economic Legislation Committee’s report in our earlier article. These suggest some pressure points remain to be resolved in debate, including the application of the law to medium-sized enterprises, the requirement to report scope 3 emissions, and the modified liability arrangements that will apply for the first three years of the regime.
Disclosing compliance problems and regulatory investigations
In an important development in continuous disclosure jurisprudence, the Federal Court dismissed a class action by CBA shareholders in May. The case turned in part on whether the Commonwealth Bank of Australia Limited had breached the continuous disclosure laws between 2014 and 2017 by not informing the market of problems with its anti-money laundering compliance systems. Those problems eventually led to enforcement proceedings by AUSTRAC, resulting in a $700 million civil penalty being imposed on the bank in 2018.
The applicants alleged that the bank should have provided specific information to the market, the particulars of which were set out in the pleadings. The trial judge held that the applicants bore the onus of pleading, completely, the information that ought to have been disclosed under ASX Listing Rule 3.1. However, his Honour found a number of deficiencies in the pleaded expression of the information, such that he was not satisfied that Listing Rule 3.1 required the bank to disclose that information to the ASX in any of its pleaded forms.
His Honour discussed the law and ASX guidance on disclosure, emphasising that incomplete, premature or unqualified disclosure would have breached the law. The decision is discussed in our Insight, ‘Disclosing regulatory investigations to the market: failed CBA shareholder class actions point the way’. This decision is useful for listed entities considering whether, and if so when and in what form, they need to disclose potential compliance failures or regulatory investigations to the market.
Consultation on changes to the ASX Corporate Governance Principles and Recommendations
The ASX Corporate Governance Council (CGC) has conducted a first round of consultations on proposed revisions to its Corporate Governance Principles and Recommendations. The consultation is the first step in revising the eight core governance principles and the 35 general and three entity-specific recommendations currently contained in the fourth edition, which was published in February 2019.
The ASX CGC, formed in 2002, comprises 19 member organisations; its task is to arrive at a consensus view about investors’ reasonable expectations as to the governance of ASX-listed entities. Listed entities are required to report against the framework on an “if not, why not” basis.
The consultation draft of the proposed fifth edition retains the eight core principles (with some wording changes) and contains 33 general and seven entity-specific recommendations. In a welcome move, it removes recommendations that duplicate existing laws, but the overall length of the commentary has increased.
The main changes proposed concern board skills, diversity and independence; disclosure of some conduct matters (including code of conduct breaches and remuneration clawback); and changing language around the relevance of stakeholder considerations.
Adequate procedures to prevent foreign bribery
Recent amendments to the Commonwealth Criminal Code, discussed in our article, ‘Combatting commercial crime – Australia’s new foreign bribery reforms’, created the offence of “failure to prevent” for corporations whose associates engage in foreign bribery.
The key changes made by the Crimes Legislation Amendment (Combatting Foreign Bribery) Act 2024 (Cth) will commence in September 2024. They include a new s 70.5A of the Criminal Code Act 1995 (Cth) which creates a new offence, committed by the corporation, where an associate of the corporation has committed bribery for the profit or gain of the corporation. However, a corporation is not liable if it can prove it had “adequate procedures” in place designed to prevent its associates from committing foreign bribery. This puts the burden on the corporation to point to the measures in place to address the risk.
Under the legislation, the Attorney-General is required to publish guidance material on what steps corporations can take to prevent an associate – such as an employee or agent – from bribing foreign public officials. In April, the Attorney-General’s Department released draft guidelines that outline key principles for corporations to consider when implementing an effective anti-bribery compliance program. They are intended to be principles-based, rather than a checklist of compliance, and are designed to be of general application to corporations of all sizes and in all sectors.
New federal Anti-Slavery Commissioner
The Government has passed legislation to establish the office of Australia’s new federal Anti-Slavery Commissioner. A search for the inaugural Commissioner will begin shortly.
The Anti-Slavery Commissioner is intended to further strengthen work undertaken to prevent and respond to modern slavery, and help to shape the implementation of future modern slavery reforms, including those arising from review of the Modern Slavery Act 2018 (Cth). The Commissioner will, among other responsibilities, support victims and survivors, raise community awareness and help businesses address the risk of modern slavery practices in their operations and supply chains. The Government has allocated $8 million over four years in the 2023-24 Budget to support the Commissioner’s establishment and operation.
Fines for Director Identification Number (DIN) breaches
ASIC recently started taking enforcement action to ensure that directors are complying with their director identification number (DIN) obligations. The Perth Magistrates Court convicted two Western Australian directors (on 3 May 2024) for failing to comply with DIN requirements. Both directors were fined $5,000 plus costs (compared with a maximum penalty of 60 penalty units, or $18,780).
The obligations were introduced as part of a package of reforms to help address illegal phoenix activity and included, relevantly, a requirement (at s 1272C of the Corporations Act 2001 (Cth)) for “eligible officers” to hold a DIN. The DIN regime commenced operation on 1 November 2021 and required any director appointed before that date to apply for a DIN within 12 months. Since 5 April 2022, any new director must apply for a DIN before being appointed. Magistrate Crawford SM remarked in the proceedings that considerable efforts had been made by relevant government agencies to bring the accused’s attention to the DIN scheme and obtain compliance.
AICD’s updated not-for-profit governance principles
The Australian Institute of Company Directors has released the third edition of Not-for-Profit Governance Principles.
Heavily revised and simplified, the new edition sets out eight key principles of governance (reduced from 10 in the second edition) and, reflecting evolving community expectations and regulation concerning the role of organisations in society and their broader impact, contains a new principle on sustainability.
With the directors of NFPs – from the smallest community organisations to large charities with a multinational focus – subject to the same general law duties as their commercial counterparts, the Principles are directed to providing practical guidance to those responsible for the oversight of a not-for-profit’s activities, in understanding and discharging their governance responsibilities. We discuss this further in our article, ‘Update to AICD Not-for-Profit Governance Principles’.