The new year starts with major reform agendas in climate reporting and cyber security, writes Louise Petschler GAICD. Revised governance principles for listed companies and NFPs are also on the way.
National Cyber Strategy
The Australian Government released it’s 2023 – 2030 Australian Cyber Security Strategy in late 2023, setting out a national roadmap for Australia to be a world leader in cyber security by 2030.
The strategy sets out plans for action and regulation to drive six national cyber shields: strong businesses & citizens; safe technology; world-class threat sharing and blocking; protected critical infrastructure; sovereign capabilities and resilient region and global leadership.
Effective cyber governance and cyber security are top of mind concerns for Australian boards. Over the past year the AICD has engaged extensively with government and the Minister’s Cyber Security Expert Advisory Board, to bring directors’ perspectives forward and contribute to the strategy.
We were pleased to see many issues raised by the AICD and other stakeholders considered in the new strategy, including a focus on collaboration and partnership with industry, threat sharing and support for small businesses and NFPs, amongst others.
A substantial regulatory agenda will support the new strategy with consultation on legislative change now underway. Importantly, government is not proposing additional or overlapping new duties for directors or prescriptive new governance standards.
The legislative proposals fall into two categories: a new stand-alone cyber security law to bring key obligations together and address regulatory gaps; and a strengthening of the Security of Critical Infrastructure Act 2018 (SOCI Act).
Current proposals include:
A mandatory ransomware reporting regime to apply to businesses with $10 million annual revenue, but no new prohibition on ransom payments (reflecting complex issues at play).
A single national reporting portal for cyber incidents.
A limited use provision for information provided to the Australian Signals Directorate and the National Cyber Security Coordinator in a cyber incident, to reduce legal risks and incentivise open and early engagement by organisations dealing with live threats
A new Cyber Incident Review to conduct ‘lessons-learned’ reviews of major cyber incidents.
Amendments to the SOCI Act to expand its application and provide the Minister with additional directions powers. These measures are largely aimed at responding to significant national cyber and data incidents over the past 18 months.
The Department of Home Affairs recently released a new publication, Overview of Cyber Security Obligations for Corporate Leaders. This is a useful reference for directors and management to read in conjunction with the AICD-CSCRC Cyber Security Governance Principles.
We welcome feedback on the strategy and legislative proposals via policy@aicd.com.au.
ASX Corporate Governance Principles under review
The AICD is a long-standing member of the ASX Corporate Governance Council, which oversees the ASX Corporate Governance Principles & Recommendations.
All listed companies in Australia are required to consider and report on their adoption of the Principles & Recommendations on an “if not, why not” basis.
The ASX Principles are under review with a consultation draft to be released in early 2024.
Key areas in focus include stakeholder engagement, oversight of audit and assurance, sustainability, cyber security, data protection and AI, diversity, and business continuity. The Council will also seek to improve the navigability of the Principles in its revised edition.
The AICD will be providing a submission informed by engagement with members, including AICD’s Policy Committees. We welcome member views on release of the draft, at policy@aicd.com.au.
AICD’s FY24 Regulatory Priorities
The AICD advocates for fair, fit-for-purpose and modern regulations that support diligent directors in governing for growth.
Our FY24 reform priorities include:
Targeted cyber policies that lift national resilience
Balanced policy setting that supports high-quality market disclosures and practice
NFP regulation that promotes financial sustainability
Coordinated and proportionate regulation.
NFP Blueprint & Updated AICD Principles
As part of its focus on charities and not-for-profit organisations (NFPs), the Australian Government is developing an NFP Development Blueprint.
The AICD has long advocated for promoting sound NFP governance practices, reducing the regulatory burden on NFPs and charities, and incentivising sector innovation and efficiency. We contributed to the government’s consultation on the Blueprint in late 2023 recommending:
Comprehensive review of governance duties and regulatory frameworks, including harmonisation of fundraising laws, at the Commonwealth and State level.
Stability in NFP funding arrangements.
Targeted support for NFPs to strengthen governance, cyber resilience and digital capabilities.
The NFP sector is a key focus of the AICD’s policy leadership work, with a majority of our members involved in the governance of NFPs.
Over coming months the AICD will be releasing a refreshed edition of our landmark NFP Governance Principles, with a focus on practical case studies and updated contemporary governance practice.
Climate reporting
2024 is expected to be a landmark year for climate governance and reporting in Australia.
In January, the federal government released its highly anticipated exposure draft legislation for Australia’s mandatory climate reporting regime. The exposure draft is largely consistent with earlier Treasury proposals but for some technical amendments. If enacted under the proposed timeline, large entities and heavy emitters will begin being disclosing for the reporting period commencing 1 July 2024 – though feedback is being sought on a deferred start date of 1 January 2025.
This first cohort would include the ASX 200, followed by all entities that disclose under Chapter 2M of the Corporations Act in size-based cohorts from July 2026 and July 2027. While charities registered with the Australian Charities and Not-for-Profits Commission (ACNC) are exempt from reporting, NFPs incorporated under the Corporations Act and that meet the relevant size-thresholds will be included in the regime.
Government has however responded to concerns raised by the AICD and others about the regulatory burden for smaller entities. It is proposed that Group 3 entities (that meet two of three criteria: 1) over 100 employees; 2) $25 million+ in consolidated gross assets; 3) $50 million+ consolidated annual revenue) will be required to report only where they face material climate-related risks or opportunities. What is deemed material in this context will be assessed in line with the Australian Sustainability Standards which remain under consultation.
Under the new regime companies will be required to disclose their current and anticipated climate-related risks over the short, medium and long term. Obviously, reporting on climate related risks and transitions is complex and scenario based, with long timeframes and variable assumptions.
The nature of forward-looking climate statements heightens liability risks faced by Australian directors providing sign off on corporate disclosures, given unique aspects of Australian law.
Importantly,. the government has retained its proposed three-year period of regulator-only enforcement for misleading or deceptive conduct or similar claims in respect of scope 3 emissions and select forward-looking disclosures.
The AICD was a strong proponent for this transitional relief. In our view, it is a sensible measure that will support more comprehensive and high-quality disclosures on a best endeavours basis, without excessive risks of private litigation.
The AICD is engaging closely with government on key aspects of the Exposure Draft, including its commencement, application to smaller entities and the regulator-only enforcement period. Consultation remains open until 9 February 2023.
Supporting Australian directors and AICD members on climate governance and preparing for climate reporting is a priority for the AICD.
Our Director’s Guide to Mandatory Climate Reporting provides practical steps to help boards prepare for the new regime.
We are supporting directors with climate governance training, launching an e-learning module Introduction to Climate Governance, available free to AICD members. A more comprehensive AICD live course will also launch later in coming months.
Extensive climate resources, free webinars and guides are available via the AICD’s Climate Governance Initiative website.
Practice resources — supporting good governance
Examples of the AICD’s contemporary governance practice resources for members:
Cyber Governance
- Developed by the AICD and the Cyber Security Cooperative Research Centre, these practical principles guide boards on good practice in cyber governance, including key questions and governance red flags.
Effective Board Minutes
- AICD's joint statement and practice guide, prepared with the Governance Institute, provides clear guidance on best practice and key considerations in board minutes.
Ethics in the Boardroom
- Developed with the Ethics Centre, this guide provides a framework for boards on ethical decision making
- AICD members can also access the AICD’s free online ethics course
Latest news
Already a member?
Login to view this content