The first job of the board is to create the conditions for the company to innovate and thrive, writes Professor Pamela Hanrahan in her new release, Directors’ Legal Responsibilities: A handbook for Australian boards. In this edited extract, Hanrahan outlines the legal environment for a number of contemporary board challenges arising from the current context.
Within this broader framework of responsibilities, boards have oversight of a range of complex current issues, including executive remuneration, cyber resilience and data governance, and climate resilience. These are areas of material financial and non-financial risks for companies that raise both legal and ethical considerations. Different boards will approach these issues differently, but the choices made should always be informed, including by investors’ and regulators’ expectations and community standards.
The ASX Corporate Governance Council’s Principle 8 in the CGPR is that listed entities should “remunerate fairly and responsibly”. A listed entity “should pay director remuneration sufficient to attract and retain high-quality directors and design its executive remuneration to attract, retain and motivate high-quality senior executives and to align their interests with the creation of value for security holders and with the entity’s values and risk appetite”.
This section deals with the role and responsibilities of the board in designing and implementing variable remuneration structures for executives and staff. Remuneration design is a specialist task often undertaken by consultants and is a matter on which institutional shareholders and other stakeholders have an important perspective. Where remuneration is structured to incentivise particular outcomes in the business, boards should ensure the behaviour produced is aligned to the company’s values and responsibilities (including legal responsibilities), not just financial performance.
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019) by Justice Kenneth Hayne AC QC, found that poorly designed remuneration arrangements were a significant factor in unlawful and unethical conduct among financial institutions. Chapter 6 of its Final Report deals with “culture, governance and remuneration” and there is a lengthy discussion of the impact of poorly designed variable remuneration arrangements on behaviour by executives, managers and front-line staff.
The Commissioner said:
When remuneration arrangements are designed or implemented in a way that sees executives rewarded with large bonuses despite their poor management of risks, those remuneration arrangements increase the likelihood that the entity will engage in misconduct, or conduct that falls below what the community expects. By contrast, when remuneration arrangements are designed and implemented in a way that properly takes into account the way that executives have managed risks — including compliance risk, conduct risk and regulatory risk — those remuneration arrangements will decrease the likelihood that the entity will engage in misconduct, or conduct falling below community standards and expectations... an entity’s remuneration arrangements, especially variable remuneration programs, tell staff what the entity rewards and what the entity values. (at p347)
Commissioner Hayne was concerned with remuneration in financial institutions; he analysed questions of design and implementation of remuneration schemes against the background of the Financial Stability Board’s Principles for Sound Compensation Practices (2009) and the work of the Sedgwick Review (2017) into product sales commissions and product-based payments in retail banking in Australia. Remuneration in Australian financial institutions is now governed by APRA’s Prudential Standard CPS 511: Remuneration (2021) which comes into effect in 2023. Among other things, CPS 511 includes requirements relating to “malus” and “clawback” which adjust the variable remuneration payable in certain circumstances, including “for adverse risk and conduct outcomes, based on clearly defined risk criteria”. “Malus” refers to an adjustment to reduce the value of all or part of deferred variable remuneration before it has vested; “clawback” means the recovery of an amount corresponding to some or all variable remuneration subject to recovery paid or vested to a person.
The need to pay close attention to the effect of remuneration design and implementation on conduct and compliance risk is not confined to financial institutions. In 2019, ASIC conducted a review of remuneration governance practices in 21 large listed companies; this led to the release of ASIC INFO 245: Board Oversight of Executive Variable Pay Decisions (March 2021). ASIC recommended that “good governance practices to support a board’s executive pay decisions assist the diligent and independent oversight that directors bring to these decisions”. It concluded that outcomes can be enhanced by being guided by frameworks and processes that result in the active, timely and consistent exercise of discretion; being made with the benefit of structured and contextual information from unbiased sources; being made with the benefit of arrangements to manage conflicts of interest; and being transparently made and communicated.
Cybersecurity and digital governance
Other key issues for contemporary boards include cybersecurity and digital governance. Cybersecurity describes how a company protects its systems and information from misuse by people inside or outside the business. Digital or data governance refers to the way data held by the company, including about individuals, is analysed and used — including through artificial intelligence (AI) — to make decisions affecting others.
In ASIC v RI Advice Group Pty Ltd (2022), Justice Helen Rofe defined cybersecurity as “the ability of an organisation to protect and defend the use of cyberspace from attacks” and cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources”. (at )
Cyber attacks are common. Companies should take appropriate steps to secure their systems (cybersecurity risk mitigation) and have in place adequate arrangements to deal with them should they occur (incident response planning).
Government and industry warnings to businesses about cybersecurity are often framed according to the technical mechanisms used to execute cyber attacks. These include malware, ransomware, phishing, spoofing, spyware, Trojans, viruses, denial of service (DoS) and distributed denial of service (DDoS) attacks. These can result in unauthorised access to customer, employee and other third-party information (confidentiality breach); unauthorised access to proprietary information (confidentiality breach); withholding of access to systems, devices, infrastructure or data (availability breach); and other intentional infliction of damage to systems, devices, infrastructure or data (integrity breach). They may be committed by state or non-state actors.
Confidentiality breaches involving third-party information are covered by the Privacy Act 1988 (Cth). Australian Privacy Principle (APP) 11 requires all entities covered by the Privacy Act to take reasonable steps to protect personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP 1 also requires entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. The Office of the Australian Information Commissioner (OAIC) has said that:
...cybersecurity is recognised as a necessary privacy protection and key consideration for entities taking “reasonable steps” under APP 11. There is an expectation that in complying with APP 11, businesses will actively monitor their cyber risk environment for emerging threats and take reasonable steps to protect personal information by mitigating those risks. This responsibility is not static and scales proportionately to the volume and type of personal information held by an entity. Where the volume or sensitivity of personal information held by an entity increases, so too will the expectations placed upon the entity to protect that information. (OAIC 2019 at ).
From 2018, entities covered by the Privacy Act have been required by law to notify both the OAIC and individuals at risk of serious harm in the event of a “notifiable data breach” (NDB).
As with other material risks to the company, boards should be aware of and monitor the systems and processes used to manage the risk of cyber attack that could result in confidentiality, availability or integrity breaches. This requires directors to stay abreast of emerging practices in cybersecurity, such as the “Essential Eight” developed by the Australian Cyber Security Centre (ACSC), to understand and monitor the company’s risk management arrangements. The ACSC recommends that organisations “implement eight essential mitigation strategies” from the ACSC’s Strategies to Mitigate Cyber Security Incidents (2010, revised 2017) “as a baseline”. The mitigation strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. The ACSC also produces the Information Security Manual (ISM, revised December 2021) for technical staff. This includes a series of cybersecurity principles grouped into four key activities: govern (identifying and managing security risks); protect (implementing security controls to reduce security risks); detect (detecting and understanding cybersecurity events); and respond (responding to and recovering from cybersecurity incidents).
Cybersecurity arrangements that are implemented must be consistent with relevant legislation including the Privacy Act, Archives Act 1983 (Cth) and Telecommunications (Interception and Access) Act 1979 (Cth).
In ASIC v RI Advice Group Pty Ltd, the failure by an Australian financial services licensee to manage cyber risks appropriately was held to have contravened its statutory duty to do all things necessary to ensure that the financial services covered by its licence were provided efficiently and fairly. It failed to ensure that adequate cybersecurity measures were in place and/or adequately implemented. It also contravened its statutory obligation to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing its clients to an unacceptable level of risk.
As Justice Rofe observed:
Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level. (at )
Special requirements for cybersecurity exist in some sectors. For APRA-regulated entities, Prudential Standard CPS 234: Information Security (July 2019) provides that an APRA-regulated entity must:
...clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals; maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity; implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and notify APRA of material information security incidents.
Data governance recognises the value and risks that data science can create. Data science allows for companies (and other entities, such as governments and regulators) to extract useful non-obvious patterns from large amounts of data, utilising algorithms (“if this, then that”) to analyse the data and produce insights that can be acted upon.
The use of data science (including AI) has grown significantly this decade, driven by a combination of more data (including from digitisation of existing information and new data created by social media, IoT devices, location tracking and other new uses), more sophisticated algorithms, and more and faster computer processing capacity. Its use carries with it legal and ethical risks that, like other risks, must be identified and managed.
The privacy laws regulate the use to which information about individuals (including customers and employees) can be put. The OAIC’s Guide to Data Analytics and the Australian Privacy Principles (2018) explains how the following principles apply to data analytics: open and transparent management of information (APP 1); collection of personal information, and dealing with unsolicited personal information (APPs 3 and 4); notice of the collection of information (APP 5); use or disclosure of information (APP 6); direct marketing (APP 7); cross-border disclosure of personal information (APP 8); quality of personal information (APP 10); and security of personal information (APP 11).
Privacy and other risks associated with the use of AI in decision-making are discussed by the Office of the Victorian Information Commissioner (OVIC) in Artificial Intelligence and Privacy: Issues and Challenges (2018).
The OVIC defines AI as “a sub-field of computer science with the goal of creating programs that can perform tasks generally performed by humans. These tasks can be considered intelligent, and include visual and audio perception, learning and adapting, reasoning, pattern recognition and decision-making”. It describes AI as “an umbrella term to describe a collection of related techniques and technologies including machine learning, predictive analytics, natural language processing and robotics”. (at 3)
Business, NFPs and government may use AI for assisted decision-making or automated decision-making across a range of domains. For example, for several years, data-matching for automated decision-making was used by the Australian government as part of its failed Centrelink income compliance program (known as “robodebt”).
In a class action settlement in favour of citizens wrongly the subject of automated debt recovery actions under the program, Justice Bernard Murphy in Prygodicz v Commonwealth of Australia (No 2) (2021) described it as “a shameful chapter in the administration of the Commonwealth social security system and a massive failure of public administration”. (at )
Robodebt illustrates the importance of proper (human) oversight of automated decision-making.
The use of data science, including AI, can challenge the established norms of privacy, built around the three pillars of the collection limitation (that collection of personal information should be limited to only what is necessary; personal information should only be collected by lawful and fair means; and where appropriate, should be collected with the knowledge and consent of the individual), the purpose specification (that the purpose of collecting personal information should be specified to the individual at the time of collection) and the use limitation (that personal information should only be used or disclosed for the purpose for which it was collected, unless there is consent or legal authority to do otherwise).
Boards should reflect on these matters when AI techniques are used in business decision-making (including decision-making affecting customers, employees and other stakeholders). The OVIC said:
Taken together, the purpose specification, collection limitation and use limitation principles are significantly challenged by AI. Mass data collection, often by means that are not obvious to individuals; vague or misleading collection notices; and an assumption that people are more comfortable with the secondary use of their information than they actually are, lead to a situation in which the current understanding of information privacy through these principles may no longer be effective. (at p11)
Two key decisions
To assist directors’ legal literacy, Professor Hanrahan neatly summarises the facts and significance of 10 important Australian legal cases that have helped to shape and clarify contemporary law regarding directors’ duties. Several of the cases involved multiple court proceedings arising from the same or related events. We present extracts from the two most recent.
Case study 1: Storm Financial (2020)
These proceedings arose out of events preceding the collapse, during the GFC, of financial advice business Storm Financial Ltd. The company offered financial advice to some retail clients that, ASIC argued, was inconsistent with its obligations under the (then) financial services laws.
Emmanuel and Julie Cassimatis were the owners and executive directors of Storm Financial (there were also non-executive directors on the board). They exercised a high degree of control over the company and the implementation of the “Storm model” of advice that was at the heart of ASIC concerns.
ASIC successfully brought civil penalty proceedings against Mr and Mrs Cassimatis for breach of the statutory duty of care. Their breach of duty was in failing to take reasonable steps to address the foreseeable risk of harm to Storm Financial, as a company, of providing financial advice otherwise than in accordance with the law, including potential harm resulting from future regulatory action by ASIC.
The case is significant for what it says about the public/private nature of the directors’ duty of care. As sole owners of Storm Financial, Mr and Mrs Cassimatis did not want to pursue any action or remedy in respect of the negligent conduct. It was not proved that Storm Financial had contravened the financial services laws, or that (as a company) it had suffered loss as a result of the negligence of the defendants (the business having collapsed during the GFC before ASIC considered or took any regulatory action against it).
The finding that, by breaching their duty of care to the company, the executive directors had engaged in conduct punishable by an enforcement action brought by the regulator in the public interest confirms the public nature of the Australian duty.
Another interesting dimension of the case concerns the relationship between the directors’ duty of care in relation to corporate compliance failures, and their different forms of involvement liability, including in the judgment of Justice Steven Rares (dissenting).
Case study 2: Prime Trust (2018)
The Prime Trust proceedings were concerned with whether directors had contravened their duties in relation to amendments made to the constitution of an unlisted registered managed investment scheme. The managed investment scheme, known as the Prime Retirement and Aged Care Property Trust, was operated by its responsible entity, Australian Property Custodian Holdings Ltd (APCH). Interests associated with one of the directors (Bill Lewski) owned all the shares in APCH — he was described as the “driving force” behind the venture. The other directors at the relevant time were Michael Wooldridge, Mark Butler, Kim Jaques and Peter Clarke.
In August 2006, the APCH board resolved to lodge an amended constitution for the trust with ASIC. If the amendments were valid, their effect would have been to introduce, without any corresponding benefit to the members of the scheme, very substantial new fees payable to the responsible entity. This included a $33 million fee payable if the scheme were successfully listed on the ASX (between one and two-thirds of the entire capital expected to be raised). That fee was payable from the assets of the scheme to the responsible entity — and from there to the Lewski interests.
The law for managed investment schemes requires that any amendment to a scheme constitution that adversely affects the interests of its members must be approved by the members before it is made. This did not occur. The primary judge found that the responsible entity and the directors had contravened numerous provisions of the Corporations Act 2001 (Cth), including, in broad terms, duties of care and skill, duties of loyalty, duties not to make improper use of a position, and duties of compliance in relation to the amendment. The decision of Justice Bernard Murphy was upheld by the High Court (other than against Clarke, where ASIC did not press its case).
The case is significant because of its explanation of the responsibilities of directors in conflicted transactions, the duties of directors of trustee companies, and how boards obtain and consider legal advice.