Key Risk Areas for Businesses in Australia to Focus On When Developing Crisis Management Frameworks
Complex global and local challenges continue to require businesses to maintain a robust approach to crisis management in Australia, with a focus on adaptability, compliance and resilience.
Businesses are presented with unique issues while operating in an increasingly digital Australian society and navigating a regional and global landscape with more stringent environmental obligations due to climate change impacts. This operating environment also carries a regulatory overlay, with governments responding by increasing their focus on corporate and director breaches and by establishing new regulatory frameworks to improve the governance and management of crisis risks.
Within these digital and natural environments, recent trends and developments have led businesses in Australia to focus on:
These are expected to remain strong areas of focus for businesses in Australia in 2025.
Cybersecurity and data protection
Cybersecurity has ranked as the top concern for Australian businesses in recent years. This is not surprising given:
These factors mean that cybersecurity and data protection will remain key risks – and areas of focus – for Australian businesses. The risk of regulatory enforcement action following a major cybersecurity incident is material. To date, companies have faced enforcement action under privacy laws, as well as sector-specific laws and regulations (ie, prudential standards for banks and insurers, financial services licensees and telecommunications providers).
The Australian Securities and Investments Commission (ASIC) stated that it is actively investigating breaches of directors’ duties for failing to take reasonable steps to prepare for a cyber-attack. Recent reforms increase the scope and risk of actions against companies.
Privacy reforms
The Privacy and Other Legislation Amendment Act 2024 (Cth) (the “Amendment Act”) was introduced into law in 2024, as part of modernising Australia’s privacy laws. Certain amendments are now in force, with others to take effect later this year. The reforms follow 2022 amendments to the Privacy Act 1988 (Cth) (the “Privacy Act”), which increased the penalties for breaches of the Privacy Act for serious interferences with privacy to AUD50 million or more.
The Amendment Act expands the privacy regulator’s powers and raises the bar for data security and privacy practices. The obligation to take “reasonable steps” to protect personal information is clarified as including organisational steps, as well as technical measures. This provides a more explicit basis for potential enforcement action where there is inappropriate governance, emphasising the importance of appropriate oversight and involvement of the board in privacy and cybersecurity risk management.
A new tiered civil penalty regime for Privacy Act breaches gives the privacy regulator a more flexible toolkit, as well as the ability to obtain enforcement outcomes and fines without commencing court proceedings.
Cybersecurity reforms
A suite of reforms strengthening cybersecurity laws in Australia was also passed in 2024 to enhance the security of critical assets and to gain a better understanding of the impact of cyber-attacks on business, with a view to enabling the government to better mitigate risks across the economy and to formulate future responses.
In the context of cyber-extortion attacks, the Cyber Security Act 2024 (Cth) means that businesses should consider reflecting the following in incident response plans:
The government has also introduced enhanced obligations for critical infrastructure. Amendments to the Security of Critical Infrastructure Act 2018 (Cth) include:
Environmental regulatory enforcement
As communities, organisations and governments maintain a focus on climate change impacts and related environmental issues, businesses in Australia face increased regulation of environmental impacts under state and territory laws. This includes an increased risk of enforcement action with regard to business-as-usual operations or in connection with an environmental crisis or legal non-compliance.
Australia has a complex environment protection legal system, which is primarily governed by federal and state and territory laws. At a federal level, the Environment Protection and Biodiversity Conservation Act 1999 (Cth) is the overarching regulatory vehicle for the protection of biodiversity in Australia. At a state and territory level, each jurisdiction has its own legislation that governs:
This framework comprises numerous pieces of legislation, regulations, guidelines and other instruments, creating a legal patchwork that businesses must safely navigate, particularly at the start of a crisis. Within this context, the Australian environmental regulatory enforcement landscape continues to see sustained action by state and territory agencies for environment-related issues, including:
Multi-agency approach to investigations
Generally, statutory obligations require certain environmental issues to be reported to the EPA (or equivalent) in each state or territory jurisdiction, in addition to other government agencies (eg, health, fire and other emergency services). At a time of crisis, this type of legal reporting obligation means that more than one government agency may be involved in the investigation of that issue – examples of which include the following.
These case studies show a willingness by EPAs to involve other agencies in responding to environmental issues, even if it is ultimately the EPA that will undertake the prosecution. This is increasingly playing out at an early investigation stage, as the relevant EPA and other agencies appear to take a co-ordinated approach to statutory requests for information, site inspections, interviews, and other preliminary steps.
During an environmental crisis, a multi-agency regulatory approach can result in additional issues arising from the original environmental issue owing to the spotlight on different parts of a business by various regulators. Businesses must be mindful of this risk when responding to a crisis and be ready to address issues that may not appear to be at the core of the environmental issue, such as consumer, contractual and safety matters.
The multi-agency approach also carries a higher risk of increased regulatory burden after a crisis event. By way of example, a variation of existing environmental licence conditions is an approach that regulators typically adopt to impose new obligations requiring wide-ranging action by the licence holder (eg, mandatory audits). This potential post-crisis requirement also carries a material risk that other issues in the business will be identified and reported to the relevant regulator.
Expanded regulatory investigation and enforcement powers
Various Australian jurisdictions have introduced reforms to strengthen investigation and enforcement powers of EPAs (or equivalent) and now impose higher penalties for environmental offences. Examples of such reforms include the following.
Notably, NSW’s environment protection reforms were a direct response to a significant asbestos-in-mulch crisis in 2024, which saw various public locations in Sydney closed during the investigation and remediation stages.
More frequent investigations and prosecutions of local and overseas company directors
Prosecution of corporate management under Australian environment protection legislation is not new. Each state and territory has some form of framework that allows for directors, officers and persons involved in the management of a corporation to be held liable for actions of the corporation.
What is significant is that the frequency with which corporate management is prosecuted under this legislation has generally increased over time. This is particularly apparent in NSW and Victoria, which have comparably more active EPAs than other Australian jurisdictions. As indicated in the NSW EPA’s annual reports and in the Victorian EPA’s register of court proceedings, the number of director prosecutions for environmental offences committed by a corporation has increased:
Recently, the Victorian EPA has also attempted to investigate and serve overseas-based directors in connection with a potential environmental prosecution. While the charges against the corporation and its directors were ultimately not pursued, this demonstrates the regulator’s willingness to take extraterritorial action relating to material environmental issues in circumstances where directors are based overseas.
This presents an emerging regulatory risk after an environmental crisis for businesses that have both local and overseas directors, officers, or other persons in senior management. If this prosecution trend continues, regulators may increasingly rely on the extraterritorial application of existing legislative provisions when carrying out initial investigations and seeking to remedy an environmental issue. By way of example, the Protection of the Environment Operations Act 1997 (NSW) currently allows for a person to be issued with a regulatory notice (eg, preliminary investigation notices or clean-up notices) even if the person is outside of NSW, so long as the relevant matter or thing affects the environment of NSW.
ESG and greenwashing
Australia has had the second-highest number of documented climate litigation proceedings globally, behind only the USA. Australia has a developed litigation landscape and significant reserves of traditional energy sources such as coal, oil and gas. These factors have made it a fast-moving and higher-risk jurisdiction for climate-related litigation.
Australian companies are operating within a landscape of increased regulatory surveillance, as the major Australian regulators have continued to target greenwashing as an enforcement priority and recent decisions in favour of regulators have crystallised the threat of action for greenwashing and the significant pecuniary penalties that can come with it.
In 2023, the Federal Senate established an inquiry into greenwashing by Australian companies. The inquiry investigated the environmental and sustainability claims made by Australian companies, the impact of greenwashing, and legislative options to protect consumers from greenwashing. The committee was due to report by 28 March 2025.
As Australia comes to the end of its first major cycle of climate-related litigation, what follows is a snapshot of the key trends that have emerged to date, including relevant examples.
Misleading and deceptive conduct: climate change disclosures and companies’ products
Regulators have adapted existing and established causes of action for misleading and deceptive conduct to prevent greenwashing. Both ASIC and the Australian Competition and Consumer Commission (ACCC) have identified greenwashing as an enforcement priority. To date, ASIC has been the more active, having issued 17 greenwashing-related infringement notices and commenced three civil penalty proceedings.
Representations that have attracted regulators’ attention have tended to:
Misleading and deceptive conduct claims have tended to focus either on companies’ climate-related disclosures and emissions reduction targets or on product claims companies have made. The latter type of proceeding has tended to cluster around hot-button terminology such as “carbon neutral” or “sustainable”. By way of example, in April 2024, the ACCC commenced its first-ever greenwashing proceeding against Clorox Australia Pty Ltd (“Clorox”) for misleading or deceptive conduct in relation to claims that its Glad-branded garbage bags were “made using 50% ocean plastic”. The ACCC alleged that these products were made from plastic collected from communities in Indonesia up to 50 kilometres from the shoreline and that Clorox had deprived consumers of the opportunity to make informed purchasing decisions. In February 2025, Clorox agreed to pay a penalty of AUD8.25 million, which remains subject to court approval.
Activists have also sought to use increased regulatory attention on greenwashing to achieve their goals. A recent example was the Environmental Defenders Office asking the ACCC on behalf of Climate Integrity to investigate whether Qantas’ “fly carbon neutral” product was misleading or deceptive and in breach of the Australian Consumer Law.
Misleading and deceptive conduct: claims against financial institutions
Large investment and superannuation funds have been the subject of all three ASIC climate litigation proceedings. ASIC has been particularly alert to representations about “ESG-positive” investment screening. Proceedings brought against Vanguard Investments Australia (“Vanguard”), Mercer Superannuation (“Mercer”) and Active Super have focused on claims of this nature. The Vanguard and Mercer proceedings resulted in significant penalties.
In September 2024, Vanguard was ordered by the Federal Court of Australia to pay a penalty of AUD12.9 million – the highest yet ordered in Australia for greenwashing. ASIC alleged that Vanguard had engaged in misleading or deceptive conduct and made false or misleading representations about the ESG-related exclusionary screening it applied to investments in an “ethically conscious” fund. Vanguard admitted much of the alleged conduct.
This decision came a month after the court ordered an AUD11.3 million penalty against Mercer (which had been agreed between the parties). The court held that Mercer had misled members of its Sustainable Plus fund by claiming that the fund excluded companies that were involved in carbon-intensive fossil fuels, despite heavily investing in 15 stocks in this sector. The penalty was set on the basis that Mercer’s contraventions were serious and arose from its failure to implement sufficient systems to ensure the accuracy of its claims.
In the Active Super case, ASIC alleged misleading or deceptive conduct against Active Super for directly and indirectly investing in securities the company had represented were eliminated or restricted by its fund. Once again, the court found in favour of ASIC, noting the language used in Active Super’s representations was unequivocal. At the time of writing, the appropriate penalty has not yet been determined by the court.
Continued importance of crisis frameworks
In a complex regulatory environment, up-to-date and robust crisis management and prevention frameworks are a crucial tool for businesses to ensure they are meeting their obligations and safeguarding their operations. Businesses should consider developing detailed frameworks to respond to common incident types, including the targeting of specific assets in cyber-incidents.
In September 2024, the Australian government published a revised Australian Government Crisis Management Framework (AGCMF), which outlines how the Australian government responds to various types of crises including natural disasters, cyber-incidents, pandemics, and terrorism. The revised AGCMF sets out a crisis continuum of prevention, preparedness, response and recovery, and establishes oversight arrangements to continuously improve the framework. For the private sector, this provides a useful blueprint for establishing an appropriate framework to prevent and manage cyber, greenwashing, environmental and other crises.
Specifically, board and executive decision-making frameworks should account for the complex set of considerations involved in preparing for and managing a crisis, including:
In addition, businesses should consider preparing privilege protocols in advance, to manage privilege in the context of responding to a cyber-, environmental or other type of incident. This can be complex, particularly in relation to environmental or forensic IT reports – with recent decisions scrutinising whether such reports are for the dominant purpose of legal advice.
Finally, it is critical to test the efficacy of crisis management frameworks and plans, and to ensure that they are reviewed and updated to respond to future events and legislative reform.
ANZ Tower
161 Castlereagh Street
Sydney
NSW 2000
Australia
+61 292 255 000
+61 293 224 000
www.herbertsmithfreehills.com