Top 5 compliance risks for Australian businesses that may lead to D&O claims
2024 has so far presented significant challenges for Australian Boards and their Directors. Board members and company executives face increasing liability risks in various scenarios, including inadequate responses to economic pressures, geopolitical issues, the implementation of innovative technologies like Generative Artificial Intelligence (GenAI), and environmental, social, and governance (ESG) challenges.
Directors’ and Officers’ (D&O) Liability insurance policies are designed to safeguard the personal assets of directors and officers by providing indemnity for losses resulting from claims arising from a ‘wrongful act’ committed while fulfilling their duties with the required care and diligence.
In this article, we review the top 5 compliance risks for Australian businesses that may trigger claims under these policies:
1. Environmental Liability
Directors and Officers could be held personally liable for environmental damage caused by their company’s activities. Greenwashing has become an enforcement priority for regulators, with ASIC issuing several infringement notices and enforcement proceedings including recent cases against Mercer Superannuation and Vanguard Australia for alleged greenwashing. See our article here for further details.
Mandatory ESG and sustainability reporting obligations commence as of 1 July 2024, highlighting continuing disclosure risks for companies and directors. This will mark a profound change in corporate reporting and impose additional obligations on directors with regard to climate change risk. Boards will have to ensure management has developed an appropriate climate governance strategy, including metrics, targets, transition planning and risk management. It is clear these reforms will require a significant capability uplift inside companies and on boards. Advisors and auditors will also play a crucial role in ensuring that climate disclosures are accurate, effective and meet the standards.
In addition to claims against companies and governments, the general trend towards using litigation as a tool to address climate change suggests that directors also face the risk of allegations that they have breached their duty to act with due care and diligence in corporate decision-making relating to emissions, climate impacts and the adequacy of disclosure made to the market in relation to climate change-related risks.
2. Insolvent Trading
Under section 588G of the Corporations Act 2001 (Cth), directors can be held personally liable if they allow their company to incur debts while it is insolvent, or if there are reasonable grounds for suspecting insolvency. Insolvency appointments inevitably lead to an increase in litigation against directors for breach of director duties and insolvent trading, claims around voidable transactions (especially against unsecured creditors who have received payment for their goods or services), and shareholder and bondholder litigation. Such litigation has been on the rise during 2024.
ASIC’s latest insolvency data for the nine-month period from 1 July 2023 to 31 March 2024 shows an increase in the number of Australian companies failing. During this period, 7,742 companies entered external administration, a 36.2% increase on the previous corresponding nine-month period ending 31 March 2023. Out of these external administrations, construction (2,142), and accommodation and food services industries (1,174) represented the greatest number of company failures, accounting for nearly 27.7% and 15.2% respectively. With only one month remaining of this financial year, it’s expected that the number of companies entering external administration by 30 June 2024 will exceed 10,000, a level not seen since the 2012–2013 financial year.
Source: ASIC Insolvency Statistics
3. Privacy and Data Breaches
The increasing emphasis on data protection and privacy laws means that directors and officers may face personal liability if their company breaches these laws. Failure to address cybersecurity risks or comply with disclosure and reporting requirements could constitute a breach of directors’ duties. ASIC is prepared to take action against directors who do not adopt adequate measures, viewing such failure as a lack of care and diligence, as mandated by section 180 of the Corporations Act 2001 (Cth).
From late 2022 through 2023, several high-profile data breaches affecting millions of customers led to regulatory investigations. In response, the Australian Government enacted new privacy legislation, significantly increasing penalties for privacy breaches and enhancing the powers of the Office of the Information Commissioner (OAIC). Penalties were raised from a maximum of A$2.2 million to the greater of A$50 million, three times the benefit of the contravention, or, if the benefit cannot be determined, 30 per cent of the company’s domestic turnover.
ASIC’s Cyber Pulse Survey conducted in November 2023 revealed that many boards are unprepared for cyber-attacks, despite the significant financial and reputational damage incurred by companies like Optus, Medibank, Latitude Financial, and DP World due to such attacks. The survey found that 44 per cent of companies do not manage third-party or supply chain risks, 58 per cent have limited capability to adequately protect confidential information, a third lack a cyber incident response plan, and one in five have not adopted a cybersecurity standard. With a weighted average participant cyber maturity score of 1.66 (on a scale of 0 to 4), the results indicate that organisations are reactive rather than proactive in managing their cybersecurity.
Source: ASIC Cyber Pulse Survey 2023
4. GenAI and the use of innovative technologies
Given increasing trends in AI use globally, understanding the technology and its impacts on the organisation and the boardroom falls directly within the remit of a director’s obligation to exercise due care, skill and diligence in discharging their duties.
Source: Allianz Global Investors – Generative AI Tech Talk February 2023
Failure by directors to fulfil their statutory duties and mitigate potential harms from AI systems used by their companies can expose the company to legal liability. The ‘stepping stones’ principle may impose personal liability on directors if the company breaches a law or fails to manage compliance risks, and the director does not implement adequate measures to govern and manage these risks. Personal liability can be established without proof of direct involvement in the breach.
This possibility of personal liability for AI-related harm is supported by current enforcement trends, as illustrated in ASIC v RI Advice Group [2022] FCA 496 (see our article here), where a director was held personally liable for failing to prevent a foreseeable cyber security risk, constituting an indirect breach of directors’ duties.
Appropriate AI governance can, if done correctly, accelerate the growth of a company’s uptake and ability to benefit from AI solutions, and ensure directors and officers meet their obligations under the Corporations Act.
Below is a list of key activities that directors should consider to effectively oversee the implementation of a sound AI corporate governance framework within their company:
- Know what AI is within your organisation by understanding the specific types of AI technology in use across your business;
- Know your compliance obligations imposed by relevant laws and regulations, including the Privacy Act, the Surveillance Devices Act 2004 (Cth), Intellectual Property (IP) rights and the Australian Consumer Law (ACL);
- Establish an appropriate AI governance framework in line with best practice AI risk management frameworks such as:
  - ISO/IEC 38507:2022 Information technology - Governance of IT - Governance implications of the use of artificial intelligence by organisations;
  - ISO/IEC 23894:2023 Information technology - Artificial intelligence - Guidance on risk management; and
  - Microsoft Responsible AI Standard;
- Embed ongoing assurance monitoring of AI. As outlined in ASIC v RI Advice, there is an ongoing obligation to review and update the existing governance framework on a regular basis.
5. Legal & Regulatory Compliance
According to the Director Sentiment Index survey conducted by the Australian Institute of Company Directors (AICD) in April 2024, legal and regulatory compliance ranks amongst the top issues that keep directors awake at night. Regulatory changes can be unduly complex and ambiguous, which may result in costly measures at the business level and expose directors to non-compliance risk at a personal level. These risks include, but are not limited to, non-compliance with:
- Directors’ duties under the Corporations Act 2001;
- Financial reporting obligations and risk of misrepresentations;
- Competition and Consumer Act 2010;
- Work Health & Safety (WHS) legislation; and
- Employment laws such as unfair dismissal, discrimination or harassment.
Directors can protect themselves by:
- Exercising and showing due diligence in fulfilling their roles (demonstrate obligations are identified and responsibilities allocated);
- Having a proper basis for believing that regulatory requirements are attended to by appropriate people (e.g. reporting, auditing and accountability); and
- Having an understanding of applicable laws and regulatory requirements to be able to do this.
Coverage considerations
Bellrock recommends that boards seek guidance from external experts on the extent to which they are appropriately prepared to address the abovementioned risks to their businesses.
Bellrock has a panel of experts who can assist boards and their directors in ensuring they have the right D&O policy coverage for their business. We consider that an independent maturity assessment by a third-party expert will assist directors and companies in procuring appropriate, adequate and competitively priced directors’ and officers’ liability coverage.
For more information about D&O insurance, contact our team via the form below.