Cyber resilience is top of mind for listed company boards, given the threat environment. The AICD continues to intensify our focus with both a policy and practice lens.
The Australian Cyber Security Centre (ACSC) – part of the Commonwealth’s Defence Signals Directorate – in a recent report placed the economy-wide losses from cybercrime at more than $33bn, with ransomware attacks up 15 per cent in the year to 30 June 2021. The ACSC received more than 67,500 reports of cybercrime last financial year, a 13 per cent increase year on year. Critically, the ACSC highlighted that no sector was immune from cybercrime, with the pandemic creating new threats for many organisations.
On the policy front, in response to the Commonwealth’s recent regulatory consultation on strengthening Australia’s cyber resilience, the AICD strongly opposed a new mandatory cyber governance standard or the introduction of a new cyber duty for directors. In our AICD submission, we noted the potential for duplication of existing director obligations. It is critical that policy settings are proportionate and avoid regulatory obligations which may be counterproductive. This is particularly the case when the risk which businesses are trying to mitigate stems from activities of criminal and state actors with the resources to target large firms and small businesses alike, as individual opportunities or for their role in the national economy or supply chains. In the AICD’s view, the focus needs to be on how industry and government work together to build the cyber resilience of our nation.
The AICD did provide in-principle support for a voluntary standard that would be co-designed with industry and aimed at supporting boards to approach these complex issues with more confidence. We are engaging with senior officials on the government’s proposals and are encouraged by the response to date.
From a practice perspective, we are exploring opportunities to partner with Government and other cyber experts around expanded AICD member access to expert content and resources to support cyber governance capability. The AICD has also made submissions on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently before Parliament, that significantly expands the range of critical infrastructure sectors covered.
The AICD has called for more expansive immunity provisions for directors and officers following directions under the legislation, noting the range of new sectors and potential corporate structures. We support the Law Council of Australia’s proposal that immunity provisions be modelled on those provided in the Banking Act 1959.
Supporting boardroom practice, the AICD has recently refreshed and relaunched our online course, The Board’s Role in Cyber, aimed at experienced directors, with case studies facilitated by experts.
Insolvency safe harbour review
The Government has commenced a review of the insolvent trading safe harbour provisions that were legislated in 2017. The safe harbour provides directors with a form of defence or exception to personal liability for debts incurred in circumstances of insolvency, subject to certain conditions. The review will consider whether the safe harbour is achieving its policy aim to “drive cultural change amongst company directors by encouraging them to keep control of their company, engage early with possible insolvency and take reasonable risks to facilitate the company’s recovery.”
The AICD was closely involved in the 2017 reform and strongly supports its continued application. Feedback from directors and stakeholders shows that the safe harbour is working to provide directors with breathing space to work through financial difficulties when the circumstances allow for recovery, and ultimately preserve greater value for creditors, employees and shareholders than would have been the case under a potentially premature formal insolvency.
While we continue to support the existing safe harbour, there is further opportunity for reform. Consistent with our previous submission with the Business Council of Australia and the Turnaround Management Association to the Treasurer, we will continue to prosecute the case for the lifting of the liability threshold for insolvent trading to be closer to the more balanced, wrongful trading approach of the UK. The exposure of Australian directors to insolvent trading liability is amongst the highest in the world. A recent article provides a comparative analysis of Australia’s director liability settings.
Business Judgment Rule
In recent weeks, the AICD has released commissioned research from Allens Linklaters exploring the protection of Australia’s Business Judgment Rule, compared with similar provisions in peer jurisdictions. The research confirms that Australia’s business judgment rule is more narrow and ultimately of less utility than equivalent laws overseas. The AICD is considering a fresh case for reform of Australia’s narrow business judgment rule. The research will contribute to the AICD’s case for holistic review of Commonwealth and State director liability laws.
Already a member?
Login to view this content