DIRECTOR IDENTIFICATION NUMBER
The introduction of the Director Identification Number (DIN) dates back to the final report of the Productivity Commission titled Business Set-up, Transfer and Closure which was issued in September 2015, where in support of recommendation 15.6 it noted its confidence that:
“the introduction of a DIN would likely be of significant net benefit to the community as a whole.”
The first announcement regarding the introduction of the DIN was made on Tuesday, 12 September 2017 by the Minister for Revenue and Financial Services, the Hon. Kelly O’Dwyer MP, when announcing that the Government was taking action to crack down on illegal phoenixing activity and to ensure those involved faced tougher penalties.
Fast forward to Wednesday, 4 December 2019, when the Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 was introduced to the House of Representatives. It was subsequently introduced to the Senate on Thursday, 13 February 2020 and, after due discussion, the legislation was finally passed by both Houses on Saturday, 12 June 2020 and received Royal Assent on Tuesday, 22 June 2020.
The new law, contained in Schedule 2, amends the Corporations Act 2001 (Cth), hereinafter referred to as the Corporations Act, and the Corporations (Aboriginal and Torres Strait Islander) Act 2006 (Cth), hereinafter referred to as the CATSI Act, to introduce the DIN requirement. It sets out:
- the persons to which the new requirement applies;
- the obligations associated with the new requirement;
- how the new requirement is administered; and
- the consequences of contravening the new law.
As outlined by the Government back in September 2017, the new law has been designed to assist regulators to better detect, deter and disrupt phoenixing.
The Explanatory Memorandum to the Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 describes phoenixing as follows:
“Phoenixing occurs when the controllers of a company deliberately avoid paying liabilities by shutting down an indebted company and transferring its assets to another company. This impacts on creditors who fail to receive payments for goods and services, employees through lost wages and/or superannuation entitlements and the general public through lost revenue to the Government. The total cost of phoenixing to the Australian economy is estimated to be between $2.9 billion and $5.1 billion annually.”
The Australian Taxation Office has produced an excellent short document titled “Illegal Phoenix Activity”, which can be found on its website or by typing the title into a browser.
About Director Identification Numbers
A DIN is a unique 15-digit identification number allocated to a director, or to someone who intends to become a director, which, once issued, is kept by that individual forever, even if they cease to be a director.
A DIN must be applied for personally, as the individual will need to verify their identity; consequently no individual can apply on behalf of another. According to the Explanatory Memorandum, it is not intended that an individual’s DIN will ever be re-issued to someone else, or that one person will ever be issued with more than one DIN.
Applications are made through the Australian Business Registry Services (ABRS) via a number of channels, which are described later in this paper. There is no cost to apply, although authorised tax agents can help applicants to understand the new requirements.
If an individual becomes a director, or an alternate director, of a company or other registered Australian body governed by the Corporations Act, there are transitional requirements as to when the application for a DIN must be made. These are as follows:
- If appointed a director on or before 31 October 2021 then the date for application must be before 30 November 2022;
- If appointed a director between 1 November 2021 and 4 April 2022 then the date for application must be within 28 days of appointment; or
- If appointed from 5 April 2022 then the date for application must be before the appointment is made.
If an individual becomes a director, or an alternate director, of a company governed by the CATSI Act, there are transitional requirements as to when the application for a DIN must be made. These are as follows:
- If appointed on or before 31 October 2021 then the application must be made by 30 November 2023; or
- If appointed from 1 November 2022 then the application must be made from 1 November 2022.
If an individual is a sole trader, a company secretary who is not also a director, or is acting as an external administrator of a company, there is no need to apply for a DIN.
There are civil penalties (up to 5,000 penalty units, currently $1.11 million) and criminal penalties (currently up to 12 months imprisonment) for directors who fail to apply for a DIN within the applicable time frame, or who deliberately provide false identity information when applying for a DIN. In addition, there are civil and criminal penalties for providing a false DIN to a Government body or relevant body corporate, or for intentionally applying for more than one DIN.
As to privacy, a company holding a director’s DIN must ensure that it is kept in accordance with the company’s legal obligations and, as such, is securely stored. Furthermore, until subsequently determined, a DIN will not be searchable by the public, and the ABRS is not authorised to disclose a director’s DIN without their consent.
Applying for a DIN
Applications for a DIN opened on Monday, 1 November 2021.
The ABRS has provided four ways in which a DIN can be applied for, namely:
- Online application;
- Phone application;
- Paper application – applicants within Australia; and
- Paper application – applicants outside Australia.
The fastest way to apply for a DIN is to do so online.
To complete the online application, the following information is needed to verify an individual’s identity:
- A myGovID, with either a standard or strong identity strength. Please note, myGovID is a different service from myGov. To set up a myGovID, go to the following webpage: www.mygovid.gov.au
- An individual Australian Tax File Number (not required, but it speeds up the process if available);
- Residential address as held by the Australian Taxation Office; and
- Answers to two questions based on details known by the ABRS, such as from the following documents, to verify the individual’s identity:
  - Bank account details;
  - Notice of Assessment from the Australian Taxation Office;
  - Superannuation account details;
  - Dividend statement;
  - Centrelink payment summary; or
  - Pay-As-You-Go payment summary.
To apply by phone, an individual will need the following:
- An individual Australian Tax File Number (not required, but it speeds up the process if available);
- Residential address as held by the Australian Taxation Office;
- Answers to two questions based on details known by the ABRS about the individual; and
- Two Australian identity documents, one primary and one secondary, which might include the following:
  - Australian full birth certificate, as a primary document;
  - Australian passport, as a primary document;
  - Australian citizenship certificate, as a primary document;
  - Medicare card, as a secondary document; and
  - Australian driver’s licence or learner’s permit, as a secondary document.
To complete a paper application for applicants within Australia, in addition to the information requested on the application form, the applicant will need to provide certified copies of one primary and two secondary identity documents. These documents are broadly the same as those needed for a phone application.
To complete a paper application for applicants outside Australia, in addition to the information requested on the application form, the applicant will need to provide certified copies of one primary and one secondary identity document. Primary documents might include an individual’s full birth certificate and foreign passport, and secondary documents might include a national photo identification card and a foreign government identification.
Outside Australia, either a notary public or staff at an Australian Embassy, High Commission or Consulate (including those consulates headed by Australian honorary consuls) must certify, in the presence of the foreign director, that each copy of a document is a true and correct copy of the original document.
Should a director’s personal information change, they can amend their DIN details with the ABRS online. In addition, directors must notify the companies of which they are a director within seven days of such a change. In the case of a director of a CATSI company, this period is 14 days.
Following the above timeframe, a company then has 28 days to notify the Australian Securities and Investments Commission of any such change.
DINs were introduced by the Government in an effort to curtail the activity described as phoenixing, and legislation to this effect was passed by both Houses of the Australian Parliament on Saturday, 12 June 2020 and received Royal Assent on Tuesday, 22 June 2020.
All directors, or alternate directors, of a company or other registered Australian body governed by the Corporations Act must obtain a DIN, and there are transitional arrangements with regard to registration with the ABRS.
Furthermore, all directors, or alternate directors, of a company governed by the CATSI Act must obtain a DIN, and there are transitional arrangements with regard to registration with the ABRS.
A DIN is a unique 15-digit identification number allocated to a director, or to someone who intends to become a director, which, once issued, is kept by that individual forever, even if they cease to be a director.
There are both civil and criminal penalties for directors who fail to apply for a DIN within the applicable time frame, for those individuals who provide false information in an application for a DIN, and for those who apply for multiple DINs.
The ABRS has provided a number of alternative ways to apply for a DIN; for full details go to its website.
Dr Stephen van der Mye
Honorary Adjunct Professor
Faculty of Law
This document is part of a series prepared by the Faculty of Law at Bond University primarily for students in the Master of Laws in Enterprise Governance degree. This document nor any other in the series should be construed as providing legal or any other form of professional advice on which business decisions might be made.
While reasonable care has been taken in the preparation of this document the Faculty of Law at Bond University does not make any express or implied representations or warranties as to its completeness and always recommends that independent legal advice be obtained on any matters relating to the processes around the governance of enterprises.
To the extent permitted by law the Faculty of Law at Bond University excludes all liability for any loss or damage arising out of the use of this document.
Dr Stephen van der Mye | Honorary Adjunct Professor | Bond University
29 July 2021
On 19 January 2021 the World Economic Forum (WEF) released the 16th Edition of its “Global Risks Report”, referred to as the “Insight Report”, which was prepared in partnership with Marsh McLennan, SK Group and Zurich Insurance Group.
The foundation of the report rests on the results of a survey completed by over 650 members of the WEF’s diverse leadership community. This survey, referred to as the “Global Risks Perception Survey”, asks members to rank their top concerns in terms of likelihood and impact.
Figure 1 of the report, titled “Global Risks Horizon”, gives the results for short-term risks (0 to 2 years), described as those presenting a “Clear and Present Danger”. Expressed as a percentage of respondents, they were as follows:
1. Infectious diseases 58.0%
2. Livelihood crises 55.1%
3. Extreme weather events 52.7%
4. Cybersecurity failure 39.0%
5. Digital inequality 38.3%
Figure 1 also gives the results for medium-term risks (3 to 5 years), described as “Knock-on Effects”. Expressed as a percentage of respondents, they were as follows:
1. Asset bubble burst 53.3%
2. IT infrastructure breakdown 53.3%
3. Price instability 52.9%
4. Commodity shocks 52.7%
5. Debt crises 52.3%
6. Interstate relations fracture 50.7%
7. Interstate conflict 49.5%
8. Cybersecurity failure 49.0%
9. Tech governance failure 48.1%
10. Resource geopoliticalisation 47.9%
Figure 4.1 of the report details the number of significant cyberattacks by country over the period 2006 to 2020, and here the countries include:
1. United States of America 156
2. United Kingdom 47
3. India 23
4. Germany 21
5. South Korea 18
6. Australia 16
In commenting on these numbers the report makes it clear that the next decade is likely to see more frequent and impactful disinformation on issues of geopolitical importance such as elections, humanitarian crises, public health, security and cultural issues. Furthermore, the report comments that the future is likely to see more state and non-state actors engage in more dangerous cyberattacks, and that these attacks will become more sophisticated.
The purpose of this paper is to consider several recent cybersecurity attacks, also called ransomware attacks, in particular those on Colonial Pipeline Company and JBS S.A. and the recent broad-based attack on international businesses, and the role of directors in protecting their enterprises from such events.
For information, set-out in Appendix A are a number of definitions used in the WEF’s “Global Risks Report” and also in the WEF’s “Principles for Board Governance of Cyber Risk” also referred to as an “Insight Report” which was released in March 2021.
As indicated above, respondents to the survey rated cybersecurity failure as a high-level concern over the next two-year period and placed it in the number eight position over the period of three to five years, and Australia is ranked sixth in the number of significant cyberattacks in the period 2006 to 2020.
However, the number of cyberattacks is likely to be much higher than reported, as enterprises, whether they be businesses, governments and/or government-owned corporations or not-for-profit enterprises, have a natural reluctance to disclose when they have been the subject of such an attack, for obvious reasons.
The nature of cyberattacks has also changed over the years. Early incidents were largely related to the introduction of malicious software, known as malware, onto a personal computer, thereby infecting it, as a result of the user opening an attachment to an e-mail sent from an unknown source, with the sender subsequently demanding a mostly small payment to neutralise the malware. Today’s cyberattacks have advanced to the theft of data and/or the encryption of data for which a decryption tool is needed, with payment made in cryptocurrency.
At the present time cyberattacks are generally linked to organisations known as Advanced Persistent Threat actors (APTs), operating in autocratic regimes such as China, North Korea and Russia. These attacks by APTs are directed through servers based in the countries they are attacking and are aimed at critical infrastructure, such as that related to energy, financial and healthcare services, and food production and distribution.
The real threat now is to the supply chain, in two forms: an attack on the means to deliver, and, more problematic, attacks on the delivery of software (e.g. Kaseya and SolarWinds). The latter type of supply chain attack has more far-reaching consequences than the former, though both can have very serious impacts.
The rise of such attacks has been made possible largely by the ease of ransom payments through cryptocurrencies, initially Bitcoin but now other forms of virtual currency, and the incidence of workers undertaking their employment activities from home as a result of their employers having to deal with COVID-19.
In many ways the organisations launching cyberattacks today are little more than “pirates” like those that operated during the “Golden Age of Piracy” from about 1650 to about 1720. During this period, but especially from 1650 to 1680 (known as the Buccaneering Period) the early English Governors of Jamaica freely granted “Letters of Marque” to those who would go out and attack galleons travelling back to Spain loaded with gold.
A “Letter of Marque” was a government licence that authorised a private person to attack and capture vessels of a nation at war with the issuer, and the private person was granted immunity from any penalty. Of the many famous pirates there was perhaps none more famous than Sir Francis Drake, whom Queen Elizabeth I referred to as “my pirate”.
Today those organising ransomware attacks include groups operating under such names as DarkSide and REvil, which are believed to be located either inside Russia or inside a satellite state of Russia. To date, neither of these organisations has been prevented from carrying out its activities or faced any form of prosecution, and so in fact they hold the modern-day equivalent of a “Letter of Marque”.
Simply, they are “pirates” sailing the “cyber seas” rather than the “blue seas”.
At the recent meeting between President Joe Biden of the United States of America (United States) and President Vladimir Putin of Russia, held on Wednesday, 16 June 2021, the former gave the latter a list of 16 areas, mostly in critical infrastructure, that are “off limits” for cyberattacks. Such an action by President Biden gives credence to the theory that the Russian state is harbouring cyber criminals intent on disrupting the workings of democratic states.
Colonial Pipeline Company
Colonial Pipeline Company (CPC) is an integrated common carrier that delivers liquid petroleum products, including gasoline, kerosene, diesel, home-heating oil and jet fuel to cities, airports and military installations throughout the Southeast, Mid-Atlantic and Northeast of the United States.
The company owns and operates the largest-volume refined liquid petroleum products pipeline in the United States, delivering about 100 million barrels of fuel per day. CPC’s pipeline system spans 5,500 miles and transports fuel from Houston, Texas to Linden, New Jersey, and on the way connects to approximately 270 marketing terminals located near major population centres throughout the above-named regions.
The events leading up to CPC paying over US$4.4 million to end a cyberattack were as follows:
• On 29 April 2021 hackers gained entry into the administrative networks of the company through a Virtual Private Network (VPN) account used by employees to gain access to the company’s computer network. The VPN account did not use multi-factor authentication, a basic cyber security control, so the hackers could breach the network using just a compromised username and password.
• On 7 May 2021 hackers gained control of more than 100 gigabytes of information from the company and at 5.00am posted a ransom note on the company’s Information Technology (IT) system, which was seen by an employee in the control room, seeking payment in cryptocurrency for a decryption tool. At the time there was no way of knowing whether the hackers had penetrated CPC’s Operational Technology (OT) system, i.e. the system that operated the pipeline, or only the IT system. To minimise risk to the operation of the pipeline, at 6.10am the entire pipeline was shut down, for safety and other reasons, affecting 45% of the east coast’s fuel supply, driving up petrol prices and sparking shortages at filling stations. On the night of 7 May 2021 the company paid a ransom of US$4.4 million, being 75 bitcoins, and subsequently received the decryption tool, although this fact was not known until 19 May 2021.
• On 12 May 2021 the company re-started operations, and the pipeline returned to full capacity on 17 May 2021.
• On 7 June 2021 the Department of Justice announced that it had managed to recover 64 of the 75 bitcoins paid to the attackers. While not saying how this was achieved, it is believed that the address of the hackers’ “digital wallet” was identified and, after obtaining a court order, the Federal Bureau of Investigation (FBI) had the digital key needed to open the wallet.
Appearing before the Senate Committee on Homeland Security and Governmental Affairs on 8 June 2021, Joseph Blount, the Chief Executive of CPC, said, “the decision to pay the ransom was made by the company itself and was made a day after discovering malware on its systems”, and furthermore said:
“We had no choice at the time. It was absolutely the right thing to do. At that time, we had no idea who was attacking us and what their motives were.”
Of interest to directors are the recent comments by Senator Ron Wyden, Democrat Senator from Oregon, who has said:
“The shutdown of the Colonial Pipeline by cyber-criminals highlights a massive problem - many of the companies running our critical infrastructure have left their systems vulnerable to hackers through dangerously negligent cybersecurity”.
“Congress must take action to hold critical infrastructure companies accountable and force them to secure their computer systems”.
Furthermore, on 15 June 2021 Sonya Proctor, the Assistant Administrator for Surface Operations of the Transportation Security Administration (TSA), which is responsible for the physical security as well as the cybersecurity of the United States’ interstate gas and oil pipeline system, testified during a hearing held by two House Homeland Security Committee subcommittees that:
“We are continuing to develop additional measures for pipeline companies, and we are now developing a second security directive which would have the force of a regulation”.
The second directive is expected to require oil and gas firms to install additional risk mitigation measures and would demand specific security assessments.
If the prospect of having the government issue orders about how companies are to manage their cybersecurity functions is not threat enough, then the prospect of lawsuits from stakeholders, although difficult to sustain, should certainly make directors sit up and take notice.
On 18 May 2021 the United States District Court for the Northern District of Georgia received two Class Action Complaints as follows:
1. Ramon Dickerson, a North Carolina resident, claims that the gasoline he purchased during the shutdown cost more than it would have but for the pipeline’s shutdown.
2. EZ Mart 1 LLC, a two-pump station in Wilmington, North Carolina, which buys its fuel from a distributor that is supplied by CPC, claims that it lost sales due to the pipeline shutdown.
Paragraphs 4 and 5 of the Introduction to Dickerson’s Class Action Complaint against CDPQ Partners, L.P. et al make the following points:
“As a result of the Defendant’s failure to properly secure the Colonial Pipeline’s critical infrastructure - leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021 - there have been catastrophic effects for consumers and other end-users of gasoline up and down the east coast”.
“The Defendant’s unlawfully deficient data security has injured millions of customers in the form of higher gas prices, and gasoline shortages that exist/existed, due to Colonial’s decision to effectively turn-off the pipeline. As a result, the plaintiff brings this action in order to redeem the injuries caused to them and the members of the proposed Class due to the defendant’s conduct”.
JBS S.A.
JBS is a Brazilian company classified as a global diversified protein company, producing factory-processed beef, chicken and pork, and also selling by-products from the processing of these meats. The company has more than US$50 billion in annual sales. JBS holds the following positions with regard to its operations:
• it is the leading beef producer in the world, with operations in Australia, Canada and the United States;
• it is the majority shareholder of Pilgrims, the leading poultry producer in the world with operations in Mexico, Puerto Rico, the United Kingdom and the United States;
• it is the second largest pork producer in the world with operations in Australia, Brazil, the United Kingdom and the United States;
• it is a leading producer of lamb with operations in Australia; and
• it is said to employ 150,000 personnel worldwide and up to 7,000 in Australia.
JBS Foods Australia is the country’s largest meat and food processing company with 47 facilities across the country including abattoirs, feedlots and meat processing plants and is the owner of Primo, Australia’s largest provider of ham, bacon, salami and deli meats.
JBS was the subject of a cybersecurity attack late in May 2021, and the events leading up to the company making a payment to end the attack were as follows:
• On 30 May 2021 JBS USA determined that it was the target of an organised cybersecurity attack affecting some of the servers supporting its North American IT systems;
• Initially it was thought that the attack was the work of animal or environmental activists, but the FBI determined that it was the work of the cybercriminal gang REvil, which also goes under the name Sodinokibi, operating out of Russia or a satellite state of Russia;
• As a result of the attack the operations of JBS Foods, largely in Australia and Canada, and those of JBS USA came to a “grinding halt”. The company’s sites in Mexico and the United Kingdom were not affected;
• Over the next few days the employees of JBS Foods and JBS USA became the “meat in the sandwich”, as 7,000 workers across its Australian operations and up to 3,000 workers in Canada and the United States were stood down; and
• In early June 2021 JBS USA paid the attackers US$11.0 million in bitcoin. It has been said that this payment was actually made after the company’s operations had been restored.
Andre Nogueira, the Chief Executive Officer of JBS USA, was quoted in the United States press regarding the ransom payment:
“This was a very difficult decision to make for our company and for me personally”.
“However, we felt this decision had to be made to protect any potential risk for our customers”.
On 11 June 2021 it was reported in the United States press that Carolyn Maloney, the Chairwoman of the House Oversight and Reform Committee, following up on the attack, demanded that JBS provide documents and other information by 24 June 2021 relating to the attack, including details about when the company first discovered the intrusion and any communication between employees and executives and the attackers. At this time no further information is available on the company’s response.
Recent Ransomware Attack
On 2 July 2021 a major ransomware attack occurred when cyber criminals broke into Kaseya, a Miami-based IT firm, and used their access to breach some of its clients’ systems, setting off a chain reaction that quickly paralysed the computers of hundreds of firms worldwide. For information, Kaseya develops software used by Managed Service Providers (MSPs) to remotely manage a company’s IT networks and devices, and provides its services to around 40,000 businesses worldwide.
The attack was particularly well-timed as it occurred late on the Friday of the long-weekend in the United States when staff were leaving to begin celebrations for Independence Day.
The attack has been described by Huntress Labs, one of the first to reveal the attack, as a “supply chain” attack, in that the attacker breached Kaseya’s software, infected its clients through an update, and gained access to thousands of businesses through other MSPs. For example, Sweden’s Coop supermarket chain was among the indirect victims: its cash registers were paralysed when its IT subcontractor Visma Esscom was hit by the attack, and most of its 800 stores were still closed three days later.
On 4 July 2021 the REvil cyber-crime gang, counted among the cyber-criminal world’s most prolific extortionists, acknowledged through a post on Happy Blog, a site on the dark web previously associated with the group, that it was behind the attack and said it had “infected more than a million systems”. Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops network-paralysing software and leases it to “so-called” affiliates, who infect targets and earn the lion’s share of ransoms.
The Australian Cyber Security Centre (ACSC), which sits within the Australian Signals Directorate, says on its website under the heading “Kaseya VSA Supply-Chain Ransomware Attack” that the attack had spread to local firms. Kaseya has confirmed that five Australian MSPs were affected in the attack, which hit a number of the company’s on-premises customers.
In its first yearly review the ACSC showed it responded to 1,786 cybersecurity incidents between June 2020 and May 2021, which was three times higher than the previous corresponding period. Furthermore, the yearly review indicated that last year attacks cost the economy up to $3.5 billion.
In delivering the review Andy Penn, the Chairman of the ACSC, noted that there was still not enough awareness of cyber risks, especially among small and medium-sized enterprises as well as individuals, although some were improving their resilience.
In a further note posted on Happy Blog, REvil again claimed responsibility for the attack, and said that the group would publicly release a decryption tool online “so everyone will be able to recover from the attack in less than an hour” if it were handed US$70 million in bitcoin. However, it is understood that the group has been willing to discuss deals with individual businesses from US$50,000 upwards.
Division 4 of Part 2D.1 of the Corporations Act 2001 (Cth) (hereinafter referred to as the Corporations Act) deals with the powers of directors, and section 198A, which is a replaceable rule (under section 135), deals with the matter as follows:
• Subsection 198A(1) states that the business of a company is to be managed by or under the direction of the directors.
• Subsection 198A(2) states that the directors may exercise all the powers of the company except any powers that the Act or the company’s constitution (if any) requires the company to exercise in general meeting.
These requirements apply to not only listed public companies but also to unlisted public companies and proprietary companies. In addition, requirements such as these generally also apply to any number of enterprises either through alternative legislation or through an approved constitution.
Besides subsections 198A(1) and 198A(2) of the Corporations Act, other requirements of directors, as they apply to ensuring the compliance of their enterprise with a range of laws/administrative judgments, regulations/rules, codes/specifications/standards and contractual agreements, are contained in both their fiduciary duties and their statutory obligations to the company.
A director owes duties to the enterprise as a result of the common law (i.e. judge-made law), the Corporations Act and any employment contract he or she has with the company. Obviously, these duties can overlap to a certain extent, as described below.
A director assumes a responsibility to act for the benefit of others, and therefore his or her relationship with the company is a fiduciary one.
Under the common law, directors have a duty to:
• act in good faith, and exercise their discretion in what they consider to be the best interests of the company as a whole and not for a collateral purpose;
• not act for an improper purpose, that is, not exercise their powers to obtain some private advantage or for any purpose for which the power was not granted;
• maintain, as a board, any discretions they have, and not limit themselves in the future from acting in the best interests of the company;
• avoid conflicts of interest, that is, not enter into engagements in which a director has a personal interest conflicting, or possibly conflicting, with the interests of the company; and
• act with care and diligence, meaning that directors apply their minds to considering the overall position of the company. Directors cannot hide behind ignorance of the company’s affairs but must weigh the information put before them and consider what other information they might require in their decision-making.
In addition to these fiduciary duties, directors are subject, for example, to the tort of negligence, in that directors owe a common law duty of care to the company.
The statutory duties of directors contained in Division 1 of Part 2D.1 of the Corporations Act apply in addition to the common law directors’ duties set out above, although the two are broadly consistent.
Under the Corporations Act, in sections 180 to 184, directors are required to:
• act with the degree of care and diligence that a reasonable person would exercise if he or she were a director in the company’s circumstances and had the same responsibilities as that director;
• act in good faith in the best interests of the company, and for a proper purpose; and
• not improperly use information or their position, to gain an advantage for themselves or someone else or to cause detriment to the company.
Please note, sections 180 (Care and diligence), 181 (Good faith), 182 (Use of position), and 183 (Use of information) of the Corporations Act only carry civil obligations while section 184 of the Corporations Act (Good faith, Use of position and Use of information) carries criminal offences.
Besides the above duties, directors (though not other officers) have an obligation under section 588G of the Corporations Act to prevent insolvent trading by the company, and of course there are other obligations, including those dealing with the proper keeping of records, amongst others.
With all of the above it is important to note that the court takes into account the company’s circumstances and the individual director’s responsibilities within the company. Whilst the scope of a director’s duty depends on the circumstances, all directors are required to satisfy some core, non-delegable, minimum standards of care, skill and diligence, which include the following:
• become familiar with the fundamentals of the business and operations of the company;
• keep informed and make appropriate inquiries about the company’s activities;
• generally guide and monitor the company’s activities;
• maintain familiarity with the financial status of the company;
• have a reasonably informed opinion of the company’s financial capacity and solvency;
• carefully review, and apply their own minds to, any financial report and directors’ report the company is required to prepare under the Corporations Act.
So one may ask what all this has to do with the current spate of ransomware attacks on businesses, and the answer is quite simple.
It is that the directors are responsible for the direction and management of the company, including overseeing the identification and mitigation of operational risks, and as such are vitally connected to ensuring the company has in place all the means available to it to ensure it is protected from attacks by cyber criminals.
Information security and cybersecurity have two sub-sets, namely the technical set and the governance, risk and compliance set. Communicating the technical side to those who have responsibility for governance, risk and compliance needs to be carried out in a manner that directors appreciate and understand.
From their side directors need to ensure that management have in place appropriate business continuity plans and crisis management plans to deal with the fall-out from cybersecurity failures.
At the present time the Australian government has put forward a proposal to make directors pay if an enterprise is a victim of a cyberattack and does not have proper protection in place.
To Pay or not to Pay, That is the Question
From the outset it should be understood that ransomware attacks are primarily motivated by profit. This point has been stated by DarkSide, who say they do not want to penalise society, although that is not always the case when cyber criminals attack the IT systems of hospitals and schools.
With this in mind the primary strategy for directors to address the risk of ransomware attacks is to ensure the enterprise has the best and latest security measures, in terms of technology, to combat an attack as well as ensuring all employees are educated about the risk of cyber security failures and their role in preventing them.
However, if a cyber-criminal gang gains access to a company’s IT systems, do the directors make a positive decision to allow the company to meet the demands of the attackers and pay over, generally, an amount in the form of a virtual currency such as Bitcoin, or do they not?
As a matter of principle most, if not all, enterprises and their directors would be loath to pay a ransom, and the directors would relate to the comments of the late British Prime Minister Margaret Thatcher, also The Baroness Thatcher:
“Give in to the terrorist and you breed more terrorism”.
However, as we have seen, within a short period of time CPC and JBS paid out US$81 million in Bitcoin, and evidence suggests this amount is just a drop in the proverbial “cyber-sea”.
So, in not paying the ransom what considerations need to be taken into account? They might be:
• An enterprise will not receive a decryption code that will allow its systems to be returned to normal and these systems and any captured data will be lost forever meaning a long and costly re-build and/or the enterprise going bankrupt in the process;
• The criminals will make it known, if customers and suppliers do not already know, that an enterprise’s systems have been hacked and their information could/might be available for sale to interested parties. Besides this fact there is also the “reputational risk” that an enterprise, and its directors, would suffer from third parties knowing the weaknesses in an enterprise’s control systems;
• If the enterprise is a listed public company there is the distinct possibility/probability that an announcement needs to be made to satisfy continuing disclosure obligations under various stock exchange “listing rules” and this may have a negative impact on the enterprise’s share price raising the ire of investors as to the weaknesses of management.
Finally, not paying might lead cyber criminals to shift their focus onto those enterprises least able to deal with downtime, such as hospitals, water-treatment plants and energy providers, despite what the cyber criminals say about only being in it for the money and not wanting to burden society.
In paying the ransom what considerations need to be taken into account? They might be:
• The payment of a ransom can lead to complacency with regard to cybersecurity such that enterprises do not seek out the latest technical solutions nor do they educate their employees appropriately.
• While the ransomware attackers may release a decryption code there is no guarantee that the code does not include some other form of malware which restricts the release of IT systems and associated data until a further ransom is paid.
• The payment of a ransom allows the attackers to use the proceeds to further develop their malware into more sophisticated forms, thereby placing them one step ahead of the game. It may also allow the attackers to move into other areas of crime such as child exploitation, human trafficking and terrorism.
• The payment of a ransom may mean that an enterprise is relieved of the cost and time-delay in having to re-build its IT systems from scratch.
So what is the position of the insurers with regard to an enterprise paying a ransom? It appears that in the United States, at least, they are quite comfortable for their clients to pay the ransom, on a confidential basis, and then claim the payment back against their policy so long as the appropriate clauses are contained in the policy. The policy will, of course, contain an “excess” clause and the insurer will ensure the premium for the policy increases in subsequent years to pay for the claim or those clauses contained in the policy as they relate to cyberattacks will, on renewal of the policy, be either modified or removed.
In considering whether to pay a ransomware attacker, the key issue for any enterprise and its directors should be to seek legal advice as to whether the payment amounts to a criminal offence.
The most relevant offences, which could apply to all Australian enterprises irrespective of the sector in which they operate, are contained in Division 400 – “Money Laundering” of the Criminal Code Act 1995 (Cth) (hereinafter referred to as the Criminal Code), and in particular section 400.3 “Dealing in the proceeds of crime etc – money or property worth $1,000,000 or more”, which states:
(1) A person is guilty of an offence if:
(a) The person deals with money or other property, and
(i) The money or property is, and the person believes it to be, proceeds of crime,
(ii) The person intends that the money or property will become an instrument of crime, and
(iii) At the time of dealing, the value of the money and the property is $1,000,000 or more.
Penalty: Imprisonment for 25 years or 1,500 penalty units or both.
(2) and (3) of section 400.3 deal with whether the person is reckless or negligent as to the fact that the money or property is proceeds of crime or the fact that it will become an instrument of crime (as the case requires).
Penalties for (2) and (3) are imprisonment for 12 years or 720 penalty units or both, and imprisonment for 5 years or 300 penalty units or both, respectively.
A cybercriminal demanding payment from a ransomware attack will have committed one or more offences as set out in section 400.3 and it would be expected that they would use some of the proceeds to deliver further attacks. Obviously, the enterprise paying the cyber criminals will have no knowledge as to what the payment will be used for but there is an “undeniable risk” that the payment might be used for any number of other criminal activities.
So, in theory, a victim of a cyber-crime could be accused of a criminal offence just by paying the ransom. However, one defence that may be available to an enterprise and its directors is the defence of duress under Division 10 “Circumstances involving external factors” of the Criminal Code. Section 10.2 Duress states that:
(1) A person is not criminally responsible for an offence if he or she carries out the conduct constituting the offence under duress.
(2) A person carries out conduct under duress only if he or she reasonably believes that:
(a) A threat has been made that will be carried out unless an offence is committed, and
(b) There is no reasonable way that the threat can be rendered ineffective, and
(c) The conduct is a reasonable response to the threat.
(3) The section does not apply if the threat is made by or on behalf of a person with whom the person under duress is voluntarily associating for the purpose of carrying out conduct of the kind actually carried out.
The availability of the defence will depend on the circumstances confronting the enterprise making a ransom payment. Let us assume that the cyber criminals are demanding a payment to release a decryption code; the payment would then be the relevant offence to which the defence of duress would apply. However, it would need to be proved that there was no way other than making the payment by which the threat could be neutralised, and furthermore that the payment was a reasonable response to nullifying the threat.
Principles for Board Governance of Cyber Risk
In March 2021 the WEF released a document titled “Principles for Board Governance of Cyber Risk” referred to as the “Insight Report” which was prepared in collaboration with PwC.
At the beginning of this report, results are provided from a survey conducted by the National Association of Corporate Directors (NACD) in the United States which indicate that 60.5% of board directors identified cybersecurity as a “very important” or “important” area for improvement over the next 12 months.
Given that this survey was conducted before the March 2021 release date of the report, it is fair to say that if the survey had been conducted after the recent cybersecurity attacks then the response would have been much higher than 60.5%.
The report also contains the results of a NACD survey conducted over the period 2020 to 2021 titled “Trends and Priorities of the American Boardroom” which sought to identify the five trends likely to have the greatest effect on a company over the next 12 months and the results were as follows:
1. Increased pace of digital transformation 49.9%
2. Ensuring a safe working environment 49.3%
3. Growing business-model disruptions 42.3%
4. Changing cybersecurity threats 38.9%
5. Increased competition for talent 38.3%
Again, if this survey had been conducted after the recent cybersecurity attacks then the responses may well have been different.
The Preface of this report states:
“The growth of our global digital footprint has ensured that cybersecurity will remain a priority for business leaders for years to come”.
“As a result of a rapidly changing cyber-threat landscape and proliferating regulations, it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively”.
As an overview, the Principles for Board Governance of Cyber-Risk report has been designed for corporate directors to increase their understanding of cyber-risk, provide guidance as they set cybersecurity strategy and act as a reference for director interactions, as they more fully embrace their role with regard to cyber-risk, with stakeholders across their business and their sector on the issue of cybersecurity.
The report outlines six globally applicable principles, together with key considerations for the board, designed to support board oversight of a cyber-resilient organisation while driving strategic goals, and they are as follows:
1. Cybersecurity is a strategic business enabler
Dealing with cyber-risk is no different from dealing with any other form of risk that businesses face, and effectively dealing with that risk can not only preserve value but also open up opportunities to create value.
Key considerations for the board include:
• Hardwire cyber-risk considerations into the strategic decision-making process, including the adoption of cyber-risk as a recurring item for future board meetings.
• View each major digital transformation initiative through the lens of cyber-risk.
• Determine which board committee should have primary oversight of cyber-risk issues.
• Analyse cybersecurity issues with respect to their strategic implications and as a part of enterprise risk; additionally, analyse business strategy and business model considerations with respect to cybersecurity issues.
• Ask executives to identify opportunities to use cybersecurity as a market differentiator/business driver.
In a survey of more than 400 global companies, conducted by PwC in Q4 2020, 62% of board member respondents reported making significant progress in improving customer trust in the past three years as a result of strengthened cybersecurity practices.
2. Understand the economic drivers and impact of cyber risk
Either entering new markets with existing products or services, or introducing new products and services to existing markets, can be an economically attractive decision for the business, but against this needs to be weighed the possible exposure to a variety of cyber-risks that could, if not identified and managed, be costly for the business.
Key considerations for the board include:
• Review and approve the organisation’s cyber-risk appetite or tolerance, in the context of the company’s risk profile and strategic goals, by ensuring management has:
a) Defined cyber-risk appetite levels in financial terms to inform decision-making and developed key metrics to measure overall cyber-risk management performance.
b) Implemented a programme that seeks to identify cyber-risk scenarios that align with the organisation’s risk profile and establish a risk appetite.
c) Provided the board with detailed rationales for the organisation’s determination of materiality of risk, including cyber-risk, based on an indication of the risk’s reputational, customer, financial and other relevant impacts as part of its regular risk-management monitoring framework.
• Instruct management to construct a consistent framework, using industry-accepted quantification models, for calculating the potential economic impact and likelihood of
• Require continuous examination of comparative measurements and metrics for cyber-risk. Industry-accepted frameworks and reporting can guide data-driven decisions, aligning risk appetite with organisational goals and strategies.
• Base cyber-risk management decisions on the potential impact and likelihood of risk events and functional loss or exposure.
3. Align cyber-risk management with business needs
A business’s needs, for example with reference to growth, could encompass organic growth or growth through merger and acquisition, amongst other means; in each of these cases cyber-risk can be managed through the traditional means of avoidance, acceptance, mitigation or transfer.
Key considerations for the board include:
• Critically review the organisation’s business strategy and drivers (e.g. digital growth) in context of their cyber-risk implications.
• Require management (i.e. the entire C-suite) to report to the board on the cybersecurity implications of their activities, including cyber risks, risk ownership and alignment to the enterprise risk-management programme, while not neglecting to cover how decisions on cyber-risk are tracked.
• Require management to report to the board with well-developed written and tested plans (for roles in the overall plan) to counter adverse cyber events.
• Require management to integrate cyber-risk analysis into significant business decisions (e.g. launching a new product or publishing a new app) along with effective assurances of the information’s quality and comprehensiveness.
• Require management to provide the board with road maps on how the company makes determinations of risk materiality that inform regulatory obligations.
4. Ensure organisational design supports cybersecurity
Cybersecurity needs to be addressed on an enterprise-wide basis and, as such, where appropriate, individuals need to be identified, such as the Chief Risk Officer, the Chief Technology Officer, General Counsel and/or Company Secretary and the Chief Financial Officer, and given responsibility for the identification of cyber-risk and the authority to raise matters with the board.
Key considerations for the board include:
• Review the organisational structure to ensure that the cybersecurity function is adequately represented across the business, internal groups and leadership.
• Understand the basis for, and challenge the assignment of, important roles.
• Set expectations that cybersecurity and cyber-risk functions are to receive adequate staffing and funding, and monitor the efficacy of these determinations.
• Inspire a cybersecurity culture and encourage collaboration between the cybersecurity function and stakeholders relating to, and accountable for, cyber risk at various levels (e.g. compliance, privacy etc).
• Ensure an accountable officer has authority and responsibility to coordinate cyber-risk strategy throughout the organisation and that the organisation has a comprehensive plan for data governance.
In a survey of more than 400 global companies, conducted by PwC in Q4 2020, 44% of board member respondents stated that their organisations have made significant progress over the past three years in improving employee experiences with the cyber function.
5. Incorporate cybersecurity expertise into board governance
A key consideration for the board is whether to appoint a member with cyber-risk or cybersecurity expertise or to engage outside expertise as and when required. Good cases can be made in favour of each option, and in the end the decision most likely comes down to the nature and size of the business and its exposure to cyber-risk.
Key considerations for the board include:
• Build relationships with internal stakeholders who can provide expertise to support strategic cybersecurity decisions, up to and including ensuring cyber expertise is represented on the board.
• Partake in opportunities to increase board directors’ base level of knowledge on cyber-risk.
• Seek out third-party advisers and assessors – who report to the board regularly – to ensure effective oversight of management.
• Consider periodic audits, reviews of cybersecurity strength and benchmarking by independent third parties.
• Carry out regular sessions with the board to update the group on recent cyber incidents, trends, vulnerabilities and risk predictions. Use external third parties, where necessary, to ensure accuracy and competence.
6. Encourage systemic resilience and collaboration
The systemic implications of cyber-risk can be seen in the recent supply-chain attack on Kaseya by REvil, which spread across the world and affected thousands of businesses. Resistance against such attacks can only come about through collective action by governments and companies, both public and private, to ensure the overall resilience of the interconnected networks.
Key considerations for the board include:
• Develop a 360-degree view of the organisation’s risk and resiliency posture to operate as a socially responsible party in the broader environment in which the business operates.
• Develop peer networks, including other board members, to share best governance practices across institutional boundaries.
• Ensure management has plans for effective collaboration, especially with the public sector, on improving cyber resilience.
• Ensure that management takes into account risks stemming from the broader industry
connections (e.g. third parties, vendors and partners).
• Encourage management participation in industry groups and knowledge and information-sharing platforms.
In conclusion the report states that:
“Board directors should adopt the consensus principles described in this report to form the basis of an effective cyber-risk governance regime”.
The purpose of this paper has been:
1. To highlight the recently reported data from the WEF Global Risks Report regarding the level of risk that its members attach to the matter of cybersecurity failure.
2. To give some background details about the recent ransomware attacks on CPC, JBS Foods and the most recent broad-based attacks on international businesses.
3. To refresh the minds of those reading this paper about the duties and responsibilities of directors as to their critical role in managing a company and their obligations regarding
4. To give consideration to the positives and negatives of paying ransom demands from cyber criminals and the defences likely to be available to enterprises and their directors should a ransom payment be made.
5. To highlight the six important principles contained in the WEF’s report “Principles for Board Governance of Cyber Risk”.
Ransomware attacks by cyber criminals on the computer systems of all enterprises, including those of corporates, be they for profit or not-for-profit, and governments, be they governing bodies or business agencies, are becoming more frequent and more destructive.
Members of boards of directors are in the “firing line” if they have not taken all the necessary steps to ensure their computer systems are secure from such attacks, thereby protecting themselves from legal action by customers, suppliers and any other aggrieved stakeholder groups.
Board Members need to engage with their management teams to ensure all that can be done is being done and the steps need to be well documented.
Speaking at a virtual meeting of the National Press Club on Thursday, 15 July 2021, its Chairman, Andy Penn, said:
“Breaking open a locked door takes a lot of effort, climbing in through an open window does not”.
Board and Board of Directors:
Corporate fiduciaries responsible for overseeing management strategy, as well as the identification and planned response to enterprise-wide risks affecting a company and its value to stakeholders and shareholders.
Cyber Resilience:
A dimension of cyber-risk management, representing the ability of systems and organisations to develop and execute long-term strategies to withstand cyber events; an organisation’s ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events.
Cyber Risk:
Probable loss event that materialises when a cyber event affects an asset of value and results in a material impact on the organisation. Cyber risk can be measured as the probable frequency and the probable impact of a loss event.
Cybersecurity:
The set of activities that protect networks, devices and data from unauthorised access or criminal use, and the practice of ensuring the confidentiality, integrity and availability of information and the proper delivery of services.
Failure of Cybersecurity Measures:
Business, government and household cybersecurity infrastructure and/or measures are outstripped or rendered obsolete by increasingly sophisticated and frequent cybercrimes, resulting in economic disruption, financial loss, geopolitical tensions and/or social instability.
An uncertain event that, if it occurs, can cause significant negative impact for several countries or industries within 10 years.
Dr Stephen van der Mye
Honorary Adjunct Professor
Faculty of Law
Bond University, Queensland, 4229
This document is part of a series prepared by the Faculty of Law at Bond University. Neither this document nor any other in the series should be construed as providing legal or any other form of professional advice on which business decisions might be made.
While reasonable care has been taken in the preparation of this document, neither the Faculty of Law at Bond University nor the author makes any express or implied representations or warranties as to its completeness, and they always recommend that independent legal advice be obtained on any matters relating to the processes around the governance of enterprises.
To the extent permitted by law the Faculty of Law at Bond University and the author exclude all liability for any loss or damage arising out of the use of this document.
9 April 2021
The exoneration of Westpac Banking Corporation’s (Westpac) senior management by regulators leaves more questions than answers and appears to have watered down “accountability” under Banking Executive Accountability Regime (BEAR). Last year Westpac settled a record-breaking AU$1.3 billion civil penalty suit with the Australian Transaction Reports and Analysis Centre (AUSTRAC) for 23 million breaches of the anti-money laundering laws and its failure to have proper compliance and risk procedures in place. The state of play is that no one is accountable at Westpac for the serious compliance and risk failures. Where does this leave BEAR in the future?
Operating an illegal money transfer platform
On 20 November 2019, AUSTRAC issued a statement of claim against Westpac identifying 23 million breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act). Westpac had since 2013 failed to address serious money laundering and terror financing risks that had been known for some time within the organisation, and had also implemented a non-approved money transaction platform (“Litepay”) that bypassed reporting requirements to AUSTRAC in breach of the Act.
The AUSTRAC statement of claim clearly identifies breathtaking systemic failures and risks within Westpac, including the failure to conduct risk assessments on its AML/CTF programs, the failure to have appropriate procedures and policies in place, and the use of “Litepay”, which enabled transactions on Westpac accounts to be conducted with high-risk correspondent banks in high-risk jurisdictions, including countries that were on the sanctions list, such as the Democratic Republic of Congo, Iraq, Lebanon, Libya, Ukraine and Zimbabwe.
Following the scandal, the Australian Prudential Regulation Authority (APRA) announced that it had closed its investigation into whether Westpac breached the Banking Act 1959, which assessed whether senior management should be held liable for the risk and compliance failures under the new BEAR. Likewise, the Australian Securities and Investments Commission (ASIC) “wrote off” its investigation in relation to contraventions under the Corporations Act.
The consequence of this catastrophic AML failure was that money for child prostitution, slave labour, child slavery and organised crime was allowed to move freely through Westpac accounts, under the noses of APRA, ASIC and AUSTRAC since 2013. Yet not one Westpac executive will be held accountable. One has to question: how can this possibly be the right answer by the regulators?
No Visibility – by Senior Executives and the Board
Westpac had limited or no visibility over the source of funds deposited into Westpac accounts, and there were no caps or limits on the volume of cross-border transactions. Westpac had, through the use of the Litepay platform, deliberately reduced payment transparency to AUSTRAC. Westpac senior management introduced Litepay in 2013 so as to save fees on money transactions that would normally go through SWIFT arrangements. Westpac executives never thought to obtain approval from AUSTRAC to use the platform.
In using Litepay, Westpac did not know the originator, purpose of the payment, beneficiary, or jurisdiction of origin of the funds. There were no appropriate assessments of the risks in using this service. Since 2013, Westpac had also failed under the Act to carry out regular assessments of ML/TF risks. “Westpac did not regularly assess the adequacy of each correspondent bank controls and internal AML/CTF compliance practices,” the statement of claim of AUSTRAC says.
In June 2020, APRA delegated its enforcement powers under the Banking Act to ASIC, which was conducting its own investigation into whether the conduct giving rise to the Westpac allegations amounted to contraventions of the Corporations Law. After completing the investigation, ASIC announced in late December 2020 that it did not intend to take any enforcement action against the bank or any individuals.
APRA then commenced its own investigation in December 2019 to consider whether there had been any breaches under BEAR or its prudential requirements. APRA has now closed its investigations. Despite the seriousness of the allegations, both regulators closed their investigations in record time – less than six months each.
Westpac remains subject to a Court Enforceable Undertaking (CEU) to improve its compliance and risk governance and also was required to hold AU$1 billion of operational risk capital.
Analysis - The fallout
Following the AUSTRAC allegations, CEO and Managing Director, Brian Hartzer, was forced to step down from his role and former Westpac Chief Financial Officer, Peter King, was appointed as interim CEO and later, into the position. However, but for Hartzer, no one appears to have been asked to step down because of the AML scandal. Certainly, no one has been held accountable for the serious 23 million breaches of the Act and the litany of compliance failures. Only Hartzer “fell on his sword,” although he was not there when the Litepay was implemented and was not provided any information about the serious compliance failures by his executive team until AUSTRAC struck, and then it was too late.
The compliance failures and contraventions of the law described in the 47-page AUSTRAC statement of claim amount to serious failure after serious failure. In particular, since 2013 there had been no reviews by senior management and no independent reviews commissioned by the board. “By February 2018, group audit concluded that the management control was ‘unsatisfactory’ with respect to Westpac’s program. Group audit noted that the Part A program had not been subject to independent review for several years, noting that the last review conducted in September 2013 was not an independent review,” AUSTRAC’s statement of claim states.
Since 20 November 2013, Westpac had failed to carry out regular assessments of the risks to its AML program and of the risks it faced in using the “Litepay” platform. For example, the statement of claim states, “Westpac did not assess the impact of known higher ML/TF risks upon the banking services provided by Westpac to the correspondent banks”.
It was only at the final hour that Westpac senior management appear to have acknowledged that there were serious issues at hand and that a full overhaul of the AML program was needed. On 2 February 2019 the Westpac board considered a Financial Crime Strategic Plan, which it approved on 2 March 2019. In formulating this plan, Westpac identified four factors that impacted upon its risk management capability, including “A lack of clear ownership for some capabilities, a lack of standardised processing mapping, and a lack of end-to-end review of ML/TF risk and controls,” as AUSTRAC’s statement of claim records.
In essence, Westpac’s senior management and board presided over a total systemic failure of one of the most important functions within the bank and failed to appropriately identify, mitigate and manage ML/TF risks. By Westpac’s own admission, there was a complete failure of accountability within the organisation for addressing ML/TF risks, which were the responsibility of the board and senior management.
The lost BEAR
The BEAR regime was introduced in February 2018, more than a year before Westpac’s serious failings were exposed by AUSTRAC. That exposure came as a complete surprise to APRA and ASIC, who apparently had no idea there were fundamental AML problems within one of the four major institutions they supervise in Australia. Senior management and the board had not disclosed the seriousness of the matters until late in the day.
Section 37C(a) of the Banking Act (which includes the BEAR amendments) requires a bank to take reasonable steps to “conduct their business with honesty and integrity and with due skill, care, and diligence.” The same section also requires the bank, and its senior management, to take reasonable steps to “prevent matters from arising” that would adversely affect its prudential standing or reputation. Section 37C sets out the accountability obligations, and Section 37CB defines what taking “reasonable steps” means, which includes having appropriate governance, control and risk management, and appropriate procedures for identifying and remediating problems as they arise.
The only fair conclusion that can be reached is that Westpac’s senior management and board members had no comprehension of the extent of the breaches occurring, because there were no reviews or appropriate processes to monitor the illegal platform the bank had implemented in 2013 to avoid SWIFT fees when processing international transfers. In all the circumstances, can executives and the board, with such a litany of serious breaches of the law, be said to have conducted their business “with honesty and integrity and with due skill, care, and diligence”?
No evidence of breaching the Banking Act
Apparently, and luckily for Westpac, according to APRA Deputy Chair John Lonsdale, “The investigation has not found evidence of breaches of the Banking Act.” Mr Lonsdale then goes on to refer to the enforceable undertaking in place with Westpac, which conveniently sidesteps the issue of senior management accountability. APRA gave no reasons for its decision.
One can only wonder how such a conclusion could possibly be right, given the circumstances and the wording of Section 37C(a). It also begs the question: how can APRA (or ASIC, in considering directors’ duties under the Corporations Law) possibly find that Westpac operated with due skill, care and diligence, given the 47 pages of serious failings that AUSTRAC went to great lengths to expose and that Westpac accepted?
The APRA conclusion means that not one individual at Westpac will be held accountable, even though several board members are still serving and the current CEO was Chief Financial Officer when these 23 million serious breaches of the law took place. Only Mr Hartzer, the former CEO, has lost his position, even though he was not at Westpac when the illegal platform was implemented. How can this be applying BEAR for the purpose it was intended?
Accountability watered down – going forward
After Westpac, it seems that very few financial institutions will ever be held accountable under BEAR.
If this case does not come under the BEAR regime, then what does?
The APRA decision on Westpac has left BEAR ineffective, just another questionable rule. A clever advocate defending another financial institution in a future BEAR action may well say, “there is an EU in place, no further action required.” This may remind you of the time before the Royal Commission – has anything changed?
9 April 2021
Reputational issues for persons and entities alike have always been important, even in the time of Shakespeare. Othello uttered, in despair, the words “Reputation, reputation, reputation! Oh, I have lost my reputation! I have lost the immortal part of myself, and what remains is bestial.” The importance of reputation is certainly alive and well in the corporate world today, with the spotlight on this issue intensifying for most companies.
This intensity has arisen from a number of factors. The stakeholders interested in a company’s activities are now more diverse, expanding from the traditional base of shareholders and investors to include customers, suppliers, business commentators, employees, community and special interest groups, to name a few. The beliefs of society have changed (and will continue to change), with companies now expected to proactively manage their ESG (Environmental, Social and Governance) issues and to be socially responsible corporate citizens. Additionally, stakeholders are now better informed, better organised and better connected in the digital age in which we live, and are able to voice their concerns about the conduct of a company very quickly (to go ‘viral’) and to a very large audience.
A number of regulators now require companies to take a more proactive approach to the management of ESG issues. For example, the ASX Corporate Governance Principles (4th edition) state that a listed company should disclose whether it has any material exposure to ESG risks and, if so, how it manages or intends to manage those risks. ASIC has also updated two Regulatory Guides (RG 228 and RG 247) to provide guidance on climate-risk disclosure by companies. Legislation has also been introduced to mandate various standards for the corporate world, including the Federal Government’s Modern Slavery Act 2018; the enhancement of the whistleblower regime in the Corporations Act to provide more avenues for reporting corporate misconduct and better protection for whistleblowers; and laws in Victoria and Queensland making wage theft (the underpayment of staff) a criminal offence. So there is plenty of public scrutiny of, and interest in, corporate behaviour from many angles.
Having a strong corporate reputation has many benefits for a company – a loyal customer base, a reliable supply chain, motivated employees and the support of the business world and the broader community – all of which are likely to lead to higher and more sustainable earnings. Conversely, a company with a poor reputation will generally underperform and struggle to achieve financial stability and longevity. This risk area can also be fickle, as corporate reputations can seemingly be destroyed overnight (rightly or wrongly) by a damaging event. There are many examples in the press: most recently the pressure on the NZ Government over the adverse impact that NZ’s significant dairy industry is having on the environment; BHP destroying around 40 significant ancient Aboriginal sites in WA to expand its Pilbara mine; and the Cambridge Analytica scandal, in which Facebook failed to protect the private data of over 87 million of its users. To these can be added the damage to the brands of Australia’s banking sector through years of poor financial advice and dubious charging regimes, and the number of companies flushed out for underpaying their staff (‘wage theft’). Once a corporate reputation is damaged, there is significant business interruption and cost involved, and it is often a long road to restore it. Management at that stage becomes ‘reactive’, with ‘crisis management’ processes kicking in.
So the challenge for companies is how best to manage this valuable asset. As corporate reputation is an intangible asset, it is harder to manage, let alone to quantify the financial impact of damage to it. In a number of recent surveys of risk managers, C-suite executives and board directors, the majority agreed that corporate reputation is a high strategic risk and were aware of the potentially serious consequences for a company if its reputation is damaged. However, there are divergent views on how best to manage this somewhat nebulous risk.
Managing reputational risk requires a multi-faceted and proactive approach and, importantly, a focus on the longer term rather than just a shorter-term focus on profits. Companies will also need to tailor the management of their reputation to suit their particular business. It is a complex area, and there is no easy way forward in managing reputational risk. As a starting point, there needs to be support from the top that recognises corporate reputation as a critical issue for the company, including ensuring that adequate resources are devoted to implementing and strengthening the governance frameworks and processes used to manage this risk. It requires board oversight and monitoring, and reputational risk should be treated as a strategic issue that is included in the company’s business planning processes. A constructive culture with a clear set of values that promotes ethics and compliance in the organisation is another critical component, and it must be supported from the top and nurtured.
At a more operational level, companies need to spend ongoing time and money to understand their key stakeholders and what drives them. This includes regular reviews of the types of issues that could derail the company’s corporate reputation, and analysis of the likelihood of those issues arising, the consequences for the company if they do, and the actions that can be taken to mitigate them (that is, a risk management approach). Some companies are structuring remuneration packages to include a component linked to how effectively corporate reputation and ESG issues have been managed. It is good for a company to inform its stakeholders of its corporate strategy on ESG issues and the actions it is taking to address them in its business operations. However, stakeholders will hold a company to its published position, so this reporting needs to be authentic. And if one of these ‘damaging’ issues does arise, having in place a strong crisis management plan that can be activated quickly is a ‘must have’.
So there are many tools in the kit available to manage reputational risk, but this does not make the task any less challenging. A final thought: companies need to be clear, intentional and authentic about the management of their reputations.
Kiri Parr | Director, Kiri Parr Pty Ltd
9 April 2021
Queensland has been named as the preferred bid city of the 2032 Olympic Games.
Queensland’s bid is the first regional bid, with the event hosted across Brisbane, the Gold Coast, the Sunshine Coast and beyond. It has been described as the thrifty and creative games. The bid presumes extensive use of existing facilities, with very few new facilities required, and promises $7.4bn in economic benefits against a budget of $4.45bn.
Yet the public cry for more has already begun. Loudest among the demands is the question of whether the Olympic Games requires a fast rail link connecting the Sunshine Coast, Brisbane and the Gold Coast.
But did you know that the Olympic Games share something in common with all mega projects, pandemics and earthquakes?
They have no average level of poor performance. You simply do not know how bad the next earthquake is going to be, and there is always a chance it could be worse than every earthquake that has gone before.
The same applies to hosting the Olympic Games. All Olympic Games have had cost overruns, without exception. The average cost overrun is 213% for the Summer Games.
Some of the key reasons for these overruns are that the timetable for an Olympic Games is immovable (with the notable exception of the Tokyo games, and not in a good way); that the host city is obliged to carry the cost overruns while meeting an enormous number of standards and requirements; and that the long planning horizon can allow any number of unpredictable variables to emerge. For more, you can read Bent Flyvbjerg’s paper Six Reasons Why Olympic Costs Blow Up, Over and Over.
Risk mitigation strategy number 1 – not hosting the games – has got away from us.
Risk mitigation strategy number 2 is to mitigate the risk like crazy.
There is no greater governance challenge before Queensland over the next decade than the one before the leaders responsible for hosting the Brisbane 2032 Olympic Games.
A conversation about the complexities Queensland might face in hosting the games, and how they could be addressed, is a necessary start. Delivering a fast rail project is fraught on its own; delivering it successfully under the added pressure of an Olympic Games deadline is a particularly fraught scenario.
If the cost overrun risk of the Games is to be mitigated, the governance model and team will need to be very skilled in managing the “go for gold” mentality and holding firm to the promise to deliver a cut-price games.
Dr David Millhouse | Honorary Adjunct Senior Research Fellow | Bond University
March 1, 2021
Raising capital is a long, hard process requiring considerable time, patience and shoe leather. Many start-ups underestimate the time and financial resources needed to achieve a result. Many also do not comprehend that capital-raising activities are rarely one-off activities.
Dr Stephen van der Mye | Honorary Adjunct Professor, Bond University
April 23, 2020
In response to the COVID-19 pandemic, changes have been made to the Corporations Act in order to provide temporary relief for financially distressed businesses.
Co-Program Director of the Master of Laws in Enterprise Governance and Honorary Adjunct Professor Stephen van der Mye explains what changes have been made and how they affect financially distressed businesses.
Dr Stephen van der Mye | Honorary Adjunct Professor | Bond University
April 14, 2020
On Sunday, 22 March, 2020, the Australian Federal Treasurer announced changes to the Corporations Act in order to provide temporary relief for financially distressed businesses due to the COVID-19 pandemic and its economic and social effects.
It means changes to Australia’s laws on insolvency, but it does not mean it is open slather on debts. Honorary Adjunct Professor Stephen van der Mye explains why.
Dr Stephen van der Mye | Honorary Adjunct Professor | Bond University
October 1, 2019
The words Governance, Culture and Accountability (GCA) must have become the most used words in the academic, business and not-for-profit sectors of Australian society in the last three years or so. Unfortunately, this has not come about through a robust approach to these concepts but through a series of reports into a wide range of associations and enterprises that revealed a less than robust approach to them.
Journal Articles: Enterprise Governance eJournal
The Centre for Enterprise Governance hosts an open-access academic journal that focuses on enterprise governance law and practices for commercial, government and not-for-profit organisations. It will be of interest to lawyers, business managers, non-executive directors of commercial and not-for-profit organisations, and law and management academics and students.
Editorial Commentary - Non-peer reviewed | August 13, 2020 AEST
David G Millhouse
This paper proposes three options to facilitate entrepreneurship ― to increase business capital availability, consistency in definitions, and to address the insurability of directors and officers.
Editorial Commentary - Non-peer reviewed | Vol 1. Issue 1, 2020 | February 20, 2020 AEST
David G Millhouse
Financial advice is provided throughout the investment chain. Differing interpretations of 'best interest' influence every financial advice relationship. Competency requires comprehension of the underlying best interest duties governing financial assets.
Editorial Commentary - Non-Peer reviewed | October 22, 2019 AEST
The Australian Securities and Investments Commission (ASIC) Chairman, Mr James Shipton, has “dug his heels in” and is moving forward with his experimental plan to place psychologists into boardrooms, on a "voluntary basis", despite mounting criticism from regulators and behavioural experts. A similar program was used by the Dutch Central Bank and, while shortcomings were evident, overall it was seen as a success.
Editorial Commentary - Non-Peer Reviewed | October 22, 2019 AEST
The burning question is: when all these issues were emerging, such as “fees for no service”, anti-money laundering failures, misconduct and dishonesty, why was this misconduct not exposed or elevated to senior management and boards by the compliance and risk staff within the organisations?