Crisis Management 2025

Last Updated March 14, 2025

Australia

Trends and Developments


Authors



Herbert Smith Freehills is a leading global law firm, with more than 5,450 people (including 528 partners) in 23 offices across Africa, Asia, Australia, Europe, the Middle East and the USA, advising many of the biggest and most ambitious organisations across all major regions of the globe. The firm has decades of experience helping major corporations and governments take control of all aspects of crises, including cybersecurity breaches, defamation and reputation management, ESG compliance, employee relations and human rights, as well as safety, environmental, insurance and competition issues. In the event of a crisis, Herbert Smith Freehills draws on a deep pool of crisis management experts with market-leading sector and regional expertise to assemble a bespoke team to be by the client’s side in those crucial first hours ‒ all the way through to implementing recovery strategies and drawing on lessons learned to embed proactive and preventative measures to mitigate future risk.

Key Risk Areas for Businesses in Australia to Focus On When Developing Crisis Management Frameworks

Complex global and local challenges continue to require businesses to maintain a robust approach to crisis management in Australia, with a focus on adaptability, compliance and resilience.

Businesses are presented with unique issues while operating in an increasingly digital Australian society and navigating a regional and global landscape with more stringent environmental obligations due to climate change impacts. This operating environment also has a regulatory overlay with governments, who are responding by increasing their focus on corporate and director breaches, as well as by establishing new regulatory frameworks to improve the governance and management of crisis risks.

Within these digital and natural environments, recent trends and developments have led businesses in Australia to focus on:

  • cybersecurity and data protection;
  • environmental regulatory enforcement under state and territory laws; and
  • ESG and greenwashing.

These are expected to remain strong areas of focus for businesses in Australia in 2025.

Cybersecurity and data protection

Cybersecurity has ranked as the top concern for Australian businesses in recent years. This is not surprising given:

  • increasing regulatory expectations and obligations on companies to ensure that their governance and management of cyber-risks is robust;
  • the volume of personal and other confidential information held by organisations (increasing with artificial intelligence adoption);
  • the increased sophistication of threats;
  • reliance on third parties; and
  • an active class-action environment.

These factors mean that cybersecurity and data protection will remain key risks – and areas of focus – for Australian businesses. The risk of regulatory enforcement action following a major cybersecurity incident is material. To date, companies have faced enforcement action under privacy laws, as well as under sector-specific laws and regulations (eg, prudential standards for banks and insurers, financial services licensees and telecommunications providers).

The Australian Securities and Investments Commission (ASIC) stated that it is actively investigating breaches of directors’ duties for failing to take reasonable steps to prepare for a cyber-attack. Recent reforms increase the scope and risk of actions against companies.

Privacy reforms

The Privacy and Other Legislation Amendment Act 2024 (Cth) (the “Amendment Act”) was enacted in 2024 as part of the modernisation of Australia’s privacy laws. Certain amendments are now in force, with others to take effect later this year. The reforms follow 2022 amendments to the Privacy Act 1988 (Cth) (the “Privacy Act”), which increased the penalties for serious interferences with privacy under the Privacy Act to AUD50 million or more.

The Amendment Act expands the privacy regulator’s powers and raises the bar for data security and privacy practices. The obligation to take “reasonable steps” to protect personal information is clarified as including organisational steps, as well as technical measures. This provides a more explicit basis for potential enforcement action where there is inappropriate governance, emphasising the importance of appropriate oversight and involvement of the board in privacy and cybersecurity risk management.

A new tiered civil penalty regime for Privacy Act breaches gives the privacy regulator a more flexible toolkit, as well as the ability to obtain enforcement outcomes and fines without commencing court proceedings.

Cybersecurity reforms

A suite of reforms strengthening cybersecurity laws in Australia was also passed in 2024, to enhance the security of critical assets and to give the government a better understanding of the impact of cyber-attacks on business, with a view to enabling it to better mitigate risks across the economy and to formulate future responses.

In the context of cyber-extortion attacks, the Cyber Security Act 2024 (Cth) means that businesses should consider reflecting the following in incident response plans:

  • mandatory obligations to report information about cyber extortion payments (details of the payment process and threat actor communications), where reporting thresholds are met. While information protected by privilege does not need to be disclosed and reported information is subject to limited use by government, the protections leave open the possibility that information can be used in a criminal prosecution of a company; and
  • the government’s enhanced powers to intervene in critical infrastructure cyber-incidents.

The government has also introduced enhanced obligations for critical infrastructure. Amendments to the Security of Critical Infrastructure Act 2018 (Cth) include:

  • the expansion of obligations to data storage assets;
  • enhanced powers to require entities to vary critical infrastructure risk management plans;
  • enhanced information-sharing criteria; and
  • security and notification obligations for critical telecommunications assets.

Environmental regulatory enforcement

As communities, organisations and governments maintain a focus on climate change impacts and related environmental issues, businesses in Australia face increased regulation of environmental impacts under state and territory laws. This includes an increased risk of enforcement action with regard to business-as-usual operations or in connection with an environmental crisis or legal non-compliance.

Australia has a complex environment protection legal system, which is primarily governed by federal and state and territory laws. At a federal level, the Environment Protection and Biodiversity Conservation Act 1999 (Cth) is the overarching regulatory vehicle for the protection of biodiversity in Australia. At a state and territory level, each jurisdiction has its own legislation that governs:

  • the primary environment protection framework for that jurisdiction, which regulates most business activities being carried out in Australia; and
  • the investigation and enforcement powers of an Environment Protection Authority (EPA) or equivalent for that jurisdiction.

This framework comprises numerous pieces of legislation, regulations, guidelines and other instruments, creating a legal patchwork that businesses must safely navigate, particularly at the start of a crisis. Within this context, the Australian environmental regulatory enforcement landscape continues to see sustained action by state and territory agencies for environment-related issues, including:

  • a co-operative, multi-agency approach to the early investigation of issues relating to environmental incidents and non-compliances in key jurisdictions such as New South Wales (NSW) and Victoria;
  • an expansion of investigation and enforcement powers for EPAs, including harsher penalties for breaches of environmental laws; and
  • the pursuit of Australian and overseas-based corporate directors for breaches of environment protection laws.

Multi-agency approach to investigations

Generally, statutory obligations require certain environmental issues to be reported to the EPA (or equivalent) in each state or territory jurisdiction, in addition to other government agencies (eg, health, fire and other emergency services). At a time of crisis, this type of legal reporting obligation means that more than one government agency may be involved in the investigation of that issue – examples of which include the following.

  • A multi-agency investigation in NSW (which included the NSW EPA) was undertaken following the significant discovery of asbestos in mulch in numerous public locations across Sydney, including schools, hospitals, and transportation facilities. The extensive investigations resulted in several clean-up and prevention notices being issued, as well as a suite of prosecutions against three corporations and a director that are yet to be determined.
  • The Victorian EPA led an unannounced multi-agency investigation into businesses in the meat and livestock industry in Echuca and, in 2024, the EPA was successful in the prosecution of the director of a related corporation.

These case studies show a willingness by EPAs to involve other agencies in responding to environmental issues, even if it is ultimately the EPA that will undertake the prosecution. This is increasingly playing out at an early investigation stage, as the relevant EPA and other agencies appear to take a co-ordinated approach to statutory requests for information, site inspections, interviews, and other preliminary steps.

During an environmental crisis, a multi-agency regulatory approach can result in additional issues arising from the original environmental issue owing to the spotlight on different parts of a business by various regulators. Businesses must be mindful of this risk when responding to a crisis and be ready to address issues that may not appear to be at the core of the environmental issue, such as consumer, contractual and safety matters.

The multi-agency approach also has a higher risk of increased regulatory burden after a crisis event. By way of example, a variation of existing environmental licence conditions is an approach that regulators typically adopt to impose new obligations requiring wide-ranging action by the licence holder (eg, mandatory audits). This potential post-crisis requirement also carries a material risk that other issues in the business will be identified and reported to the relevant regulator.

Expanded regulatory investigation and enforcement powers

Various Australian jurisdictions have introduced reforms to strengthen investigation and enforcement powers of EPAs (or equivalent) and now impose higher penalties for environmental offences. Examples of such reforms include the following.

  • Major changes to the environment protection regime in NSW commenced in April 2024, doubling maximum penalties for environmental crime (with some maximum penalties now AUD10 million for corporations and AUD2 million for individuals) and substantially expanding the investigatory powers of the NSW EPA. New investigatory powers for the NSW EPA include the power to issue public “name and shame” warning statements about poor environmental practices and performers, as well as oral or written “preliminary investigation notices” that require recipients to assist investigations by the NSW EPA at their own cost. Notably, the results of a preliminary investigation could be used by the NSW EPA in prosecuting the person to whom it is issued.
  • New environmental laws in Queensland commenced in June 2024, introducing a broader range of enforcement options for regulators, along with stronger penalties. The new laws include:
    1. the power to issue “environmental enforcement orders” to compel improvements to on-site activities causing unacceptable environmental harm; and
    2. a “general environmental duty” (GED) that requires a person to take reasonably practicable action to prevent or minimise material or serious environmental harm (similar to the GED in Victoria).

Notably, NSW’s environment protection reforms were a direct response to a significant asbestos-in-mulch crisis in 2024, which saw various public locations in Sydney closed during the investigation and remediation stages.

More frequent investigations and prosecutions of local and overseas company directors

Prosecution of corporate management under Australian environment protection legislation is not new. Each state and territory has some form of framework that allows for directors, officers and persons involved in the management of a corporation to be held liable for actions of the corporation.

What is significant is that the frequency with which corporate management is prosecuted under this legislation has generally increased over time. This is particularly apparent in NSW and Victoria, which have comparatively more active EPAs than other Australian jurisdictions. As indicated in the NSW EPA’s annual reports and in the Victorian EPA’s register of court proceedings, the number of director prosecutions for environmental offences committed by a corporation has increased:

  • for NSW, from no prosecutions (financial year (FY) 2021–22) to six prosecutions (FY 2023–24); and
  • for Victoria, from three prosecutions (FY 2021–22) to 12 prosecutions (FY 2023–24).

Recently, the Victorian EPA has also attempted to investigate and serve overseas-based directors in connection with a potential environmental prosecution. While the charges against the corporation and its directors were ultimately not pursued, this demonstrates the regulator’s willingness to take extraterritorial action relating to material environmental issues in circumstances where directors are based overseas.

This presents an emerging regulatory risk after an environmental crisis for businesses that have both local and overseas directors, officers, or other persons in senior management. If this prosecution trend continues, regulators may increasingly rely on the extraterritorial application of existing legislative provisions when carrying out initial investigations and seeking to remedy an environmental issue. By way of example, the Protection of the Environment Operations Act 1997 (NSW) currently allows for a person to be issued with a regulatory notice (eg, preliminary investigation notices or clean-up notices) even if the person is outside of NSW, so long as the relevant matter or thing affects the environment of NSW.

ESG and greenwashing

Australia has had the second-highest number of documented climate litigation proceedings globally, behind only the USA. Australia has a developed litigation landscape and significant reserves of traditional energy sources such as coal, oil and gas. These factors have made it a fast-moving and higher-risk jurisdiction for climate-related litigation.

Australian companies are operating within a landscape of increased regulatory surveillance, as the major Australian regulators have continued to target greenwashing as an enforcement priority and recent decisions in favour of regulators have crystallised the threat of action for greenwashing and the significant pecuniary penalties that can come with it.

In 2023, the Federal Senate established an inquiry into greenwashing by Australian companies. The inquiry investigated the environmental and sustainability claims made by Australian companies, the impact of greenwashing, and legislative options to protect consumers from greenwashing. The committee was due to report by 28 March 2025.

As Australia comes to the end of its first major cycle of climate-related litigation, what follows is a snapshot of the key trends that have emerged to date, including relevant examples.

Misleading and deceptive conduct: climate change disclosures and companies’ products

Regulators have adapted existing and established causes of action for misleading and deceptive conduct to address greenwashing. Both ASIC and the Australian Competition and Consumer Commission (ACCC) have identified greenwashing as an enforcement priority. To date, ASIC has been the more active, having issued 17 greenwashing-related infringement notices and commenced three civil penalty proceedings.

Representations that have attracted regulators’ attention have tended to:

  • be lacking in balance;
  • use broad or vague terminology or use absolute statements that are unqualified and devoid of context; and
  • use overly positive environmental imagery.

Misleading and deceptive conduct claims have tended to focus either on companies’ climate-related disclosures and emissions reduction targets or on product claims companies have made. The latter type of proceeding has tended to cluster around hot-button terminology such as “carbon neutral” or “sustainable”. By way of example, in April 2024, the ACCC commenced its first-ever greenwashing proceeding against Clorox Australia Pty Ltd (“Clorox”) for misleading or deceptive conduct in relation to claims that its Glad-branded garbage bags were “made using 50% ocean plastic”. The ACCC alleged that these products were made from plastic collected from communities in Indonesia up to 50 kilometres from the shoreline and that Clorox had deprived consumers of the opportunity to make informed purchasing decisions. In February 2025, Clorox agreed to pay a penalty of AUD8.25 million, which remains subject to court approval.

Activists have also sought to use increased regulatory attention on greenwashing to achieve their goals. A recent example was the Environmental Defenders Office asking the ACCC on behalf of Climate Integrity to investigate whether Qantas’ “fly carbon neutral” product was misleading or deceptive and in breach of the Australian Consumer Law.

Misleading and deceptive conduct: claims against financial institutions

Large investment and superannuation funds have been the subject of all three ASIC climate litigation proceedings. ASIC has been particularly alert to representations about “ESG-positive” investment screening. Proceedings brought against Vanguard Investments Australia (“Vanguard”), Mercer Superannuation (“Mercer”) and Active Super have focused on claims of this nature. The Vanguard and Mercer proceedings resulted in significant penalties.

In September 2024, Vanguard was ordered by the Federal Court of Australia to pay a penalty of AUD12.9 million – the highest yet ordered in Australia for greenwashing. ASIC alleged that Vanguard had engaged in misleading or deceptive conduct and made false or misleading representations about the ESG-related exclusionary screening it applied to investments in an “ethically conscious” fund. Vanguard admitted much of the alleged conduct.

This decision came a month after the court ordered a AUD11.3 million penalty against Mercer (which had been agreed between the parties). The court held that Mercer had misled members of its Sustainable Plus fund by claiming that the fund excluded companies that were involved in carbon-intensive fossil fuels, despite heavily investing in 15 stocks in this sector. The penalty was set on the basis that Mercer’s contraventions were serious and arose from its failures to implement sufficient systems to ensure the accuracy of its claims.

In the Active Super case, ASIC alleged misleading or deceptive conduct against Active Super for directly and indirectly investing in securities the company had represented were eliminated or restricted by its fund. Once again, the court found in favour of ASIC, noting the language used in Active Super’s representations was unequivocal. At the time of writing, the appropriate penalty has not yet been determined by the court.

Continued importance of crisis frameworks

In a complex regulatory environment, up-to-date and robust crisis management and prevention frameworks are a crucial tool for businesses to ensure they are meeting their obligations and safeguarding their operations. Businesses should consider developing detailed frameworks to respond to common incident types, including the targeting of specific assets in cyber-incidents.

In September 2024, the Australian government published a revised Australian Government Crisis Management Framework (AGCMF), which outlines how the Australian government responds to various types of crises including natural disasters, cyber-incidents, pandemics, and terrorism. The revised AGCMF sets out a crisis continuum of prevention, preparedness, response and recovery, and establishes oversight arrangements to continuously improve the framework. For the private sector, this provides a useful blueprint for establishing an appropriate framework to prevent and manage cyber, greenwashing, environmental and other crises.

Specifically, board and executive decision-making frameworks should account for the complex set of considerations involved in preparing for and managing a crisis, including:

  • policies and practices that encourage good corporate governance, a culture of diligence and openness, and clear reporting lines during a crisis;
  • the extent of due diligence to be undertaken by directors, officers and managers with regard to corporate actions, including a policy and training structure that maintains an appropriate awareness of environment protection laws;
  • compliance, in environmental and sustainability claims, with the ACCC’s “Making Environmental Claims: A Guide for Business”, ASIC’s Information Sheet 271 (“How to avoid greenwashing when offering or promoting sustainability-related products”) and the Australian Association of National Advertisers’ Environmental Claims Code (administered by Ad Standards);
  • whether to pay a ransom during a cyber-incident (including considerations such as directors’ duties, reputational matters, and the legality of payment); and
  • for businesses with in-house counsel or legal teams, a policy and training structure that emphasises the importance of responding appropriately to regulatory investigations following a crisis (including the need to maintain integrity of investigations and preserve evidence).

In addition, businesses should consider preparing privilege protocols in advance, to manage privilege in the context of responding to a cyber-, environmental or other type of incident. This can be complex, particularly in relation to environmental or forensic IT reports – with recent decisions scrutinising whether such reports are for the dominant purpose of legal advice.

Finally, it is critical to test the efficacy of crisis management frameworks and plans, and to ensure that they are reviewed and updated to respond to future events and legislative reform.

Herbert Smith Freehills

ANZ Tower
161 Castlereagh Street
Sydney
NSW 2000
Australia

+61 292 255 000

+61 293 224 000

www.herbertsmithfreehills.com