Lifting cyber resilience requires a stronger national policy partnership, argues Louise Petschler GAICD. The AICD has also welcomed significant reforms with implications for securities class actions.
Cybersecurity is a top priority for directors across all sectors, a point reinforced by our recent consultations with the AICD’s Division Councils around the country. AICD’s Director Sentiment Index survey in April this year showed cybercrime moving up the list of issues “keeping directors awake at night” — alongside the ongoing impacts of the COVID-19 pandemic and second only to sustainability and long-term growth prospects.
Many of the features in this edition of Company Director explain why — to quote the Australian Cyber Security Centre — “Cybercrime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses”.
Organisations are facing well-resourced threat actors, which can include state or state-sponsored actors. Growing ransomware attacks also pose operational and liability challenges to all sectors. As boards increase their vigilance and risk oversight on cyber, government is also considering new regulatory incentives and frameworks. Regulators, too, are adding their weight, with the Australian Securities and Investments Commission (ASIC) Corporate Plan calling out cybersecurity and supporting cyber resilience as one of four key strategic priorities for the corporate regulator.
A recent federal government discussion paper, Strengthening Australia’s cyber security regulations and incentives, has canvassed options for new regulatory cyber governance standards for large businesses in Australia. The paper considers a mandatory governance standard with compliance obligations by set time frames, and a voluntary, principles-based standard in consultation with industry — noting that a mandatory standard may be too costly and onerous.
The AICD has provided in-principle support to the concept of a voluntary governance standard. While strongly in favour of improved cyber governance, we are concerned that a mandatory standard could add complexity, cost and a compliance focus to this fast-moving space. Core directors’ duties and individual liability settings already establish a strong regulatory framework and require directors to exercise care and diligence on key risks, including critical cyber risks.
Our feedback from directors has emphasised that the national objective should be to make Australia one of the least attractive jurisdictions for cyber attacks, across both the private and public sector.
To achieve this, we need a stronger private and public cyber-resilience partnership. Clearer pathways to law enforcement support, good-practice guidance on governance, intelligence sharing and hands-on expertise for organisations that are the victims of cybercrime will be required.
A stronger national partnership will do more to build Australia’s cyber resilience than regulatory settings that focus on corporate liability or individual companies.
Access the AICD submission here.
Securities class actions and virtual AGMs
The AICD has welcomed significant reforms, passed by the federal Parliament in August, which bring better balance to liability thresholds for continuous disclosure breaches. Under the changes, directors and companies will now be liable for continuous disclosure law breaches only where they acted with “knowledge, recklessness or negligence” with respect to updates on price-sensitive information to the market.
Importantly, Australia’s robust continuous disclosure obligations for listed companies remain in place. Companies or their officers who knowingly mislead the market, or who are reckless or negligent with respect to their obligations, will continue to face strong penalties — as they should.
The introduction of a fault-based approach is an important step for the Australian market and will bring us closer into line with comparable jurisdictions, setting a more reasonable standard for securities class actions. Over recent years, the negative impact of securities class actions has been widely felt, particularly on the cost and availability of directors and officers (D&O) insurance. Key insurance players have highlighted the government’s reforms as a positive step towards arresting that trend.
The AICD has been an active participant in public debate on the need for securities class action reform and we are pleased that progress is being made.
The legislative reforms also delivered certainty for companies on virtual AGMs, with temporary relief to 31 March 2022 to allow the holding of virtual AGMs (overriding constitution requirements for in-person meetings), distribution of meeting-related material electronically and virtual execution of documents. ASIC has also been given extended powers to issue class or individual relief, and in September, formally extended the time public companies have to hold their annual general meetings. Public companies with balance dates between 21 February and 7 July 2021 have an additional two months to hold their AGM; and public companies limited by guarantee with balance dates between 24 January and 7 April 2021 have an additional four months.
Directors should note that permanent reform, if progressed, will require companies to have the right to hold virtual or hybrid member meetings enshrined in their constitutions.
AICD regulatory reform priorities
The AICD wants fair, fit-for-purpose and modern regulations that support diligent directors in governing for growth. Our current reform priorities include:
- Modern, fit-for-purpose corporate and governance law
- Balanced director liability settings that reflect the role of the board
- NFP regulation that supports and sustains good governance outcomes
- Sustainability reporting settings that are clear, consistent and reflect stakeholder needs
Board diversity progress
In August, the AICD revealed that, for the first time, there were no ASX 200 companies with all-male boards.
The AICD regularly issues guides and research on contemporary governance practice. See some of our previous insights:
- Climate risk governance guide: The AICD has launched the Australian Chapter of the Climate Governance Initiative (CGI), releasing a new introductory director guide in collaboration with MinterEllison. See page 50 for more on the CGI.
- Virtual AGM guidance: The AICD has updated joint guidance with the Governance Institute of Australia, the Law Council of Australia and the Australasian Investor Relations Association on virtual AGMs, electronic communications and electronic signatures.
- Sexual Harassment in the Workplace: Building on our recent Director Tool, the AICD has commissioned a new report from Clayton Utz — a practical roadmap on board-level and legal considerations to establish a complainant-centric response and strengthen prevention.