06/08/2024

This is a service specifically targeted at the needs of busy non-executive directors (NEDs). We aim to give you a ‘heads-up’ on the things that matter for NEDs in the week ahead – all in two minutes or less.

In this edition, we discuss cyber security guidance published by the Australian Institute of Company Directors (AICD) and the Australian Information Security Association (AISA) and the disqualification of a director from managing corporations for 18 months in connection with insolvent trading activity. We also examine the decision of the New South Wales Court of Appeal (NSWCA) rejecting the narrow construction of the ‘fraud exception’, and the landmark Australian greenwashing case in which Mercer Superannuation (Australia) Pty Limited (Mercer) was fined $11.3 million.

In Risk Radar, we examine the need for directors to ensure they have up-to-date information technology (IT) systems in place to mitigate the risk of cyber-attacks.

Governance

AICD and AISA publish cyber security governance guidance for directors of small businesses and not-for-profits

On 1 August 2024, AICD and AISA jointly released the ‘Cyber Security Handbook for Small Business and Not-for-Profit Directors’, which provides guidance on cyber security governance for directors of small businesses and not-for-profits. Directors of such organisations often have a very hands-on role, which adds to the challenges and complexity they face. The handbook therefore aims to help those directors build a foundation for cyber resilience and covers: (1) the director’s role in an ever-shifting cyber threat environment; (2) the fundamentals of cyber security; (3) how to create a culture of cyber resilience; (4) risk management; and (5) cyber security incident response planning. We expect continued regulatory focus on IT and cyber-related risks as the importance of information and data management to businesses in all sectors increases with the growth and ubiquity of artificial intelligence.

Legal

ASIC disqualifies director from managing corporations for 18 months

On 31 July 2024, ASIC announced that it had banned Ms Dominique Grubisa from managing corporations for 18 months following her involvement in the failure of two companies. This follows the decision of Jackman J of the Federal Court of Australia on 19 July 2024 ordering, amongst other things, that Ms Grubisa pay $1 million in penalties for breaches of the Australian Consumer Law and disqualifying her from managing corporations for five years. ASIC found that Ms Grubisa had also failed to meet the standards expected of a company director, had engaged in insolvent trading, and had failed to exercise her powers and discharge her duties as a director with the degree of care and diligence required.

New South Wales Court of Appeal clarifies the ‘fraud exception’ in relation to agency-based attribution of a director’s knowledge

On 30 July 2024, the NSWCA published its decision in Aidzan Pty Ltd (in liq) v K & A Laird (NSW) Pty Ltd (in liq) [2024] NSWCA 185, in which the Court unanimously rejected a narrow application of the ‘fraud exception’ to the general rule that a director’s knowledge is attributed to the company where the director is acting within the scope of their authority. The NSWCA held that the preferable approach is, in effect, to take a wider view and consider the context of, and the reason for, attributing a director’s knowledge to the company. Accordingly, in this case, where the claims were for breaches of duty and attribution was sought to support a limitation defence that would defeat those claims, there should be no attribution. The case highlights that directors cannot evade their duties by exploiting the general rule and sheltering behind the corporate veil where misconduct is involved.

Federal Court of Australia orders Mercer Superannuation (Australia) to pay $11.3 million in fines for greenwashing

On 2 August 2024, the Federal Court of Australia published the decision of Horan J in which his Honour imposed $11.3 million in penalties on Mercer for making misleading statements about the sustainability of its ‘Sustainable Plus’ superannuation investment options. Justice Horan found that Mercer members who took up the ‘Sustainable Plus’ options held investments in companies that Mercer’s website statements clearly said, in effect, were excluded from those options. His Honour commented that ‘[a]ny misrepresentations in relation to ESG policies or practices…undermines that confidence to the detriment of consumers and the industry’. ASIC Deputy Chair Sarah Court said ‘this was ASIC’s first greenwashing case brought before the Federal Court; a landmark case both for ASIC and for the financial services industry. It demonstrates the importance of making accurate ESG claims to investors and potential investors.’

Risk Radar

Outdated IT systems: a risk compounding cyber risk itself?

According to the AICD and the Australian Signals Directorate, the cyber threat environment for Australian businesses has deteriorated dramatically, with a ~23% rise in the number of cyber crimes reported. For most companies, it is a matter of ‘when’ (not ‘if’) a cyber incident will occur. An organisation’s cyber risk has many dimensions. On 1 August 2024, the AICD published an article warning directors of one such dimension: the security and operational risks posed by old and outdated IT systems, which no longer receive the security updates and bug fixes that supported, modern systems do. Because known vulnerabilities in such systems remain unpatched, they leave companies exposed to outages and cyber-attacks and can ‘open the door to the rest of the organisation for hackers’. Old and outdated IT systems therefore increase the likelihood of security incidents, including systems being taken offline, service delivery being disrupted and important data being destroyed or leaked, all of which can lead to a loss of public confidence. According to the AICD, directors should treat old and outdated IT systems as a high risk and should require regular reporting to the board or risk committee (for example, an inventory of unsupported systems and the plan and timeline for upgrading or isolating them) so that the board has adequate oversight.
