Crisis Management 2025

AUSTRALIA Trends and Developments Contributed by: Peter Briggs, Christine Wong, Mark Smyth and Tom Dougherty, Herbert Smith Freehills

Key Risk Areas for Businesses in Australia to Focus On When Developing Crisis Management Frameworks

Complex global and local challenges continue to require businesses to maintain a robust approach to crisis management in Australia, with a focus on adaptability, compliance and resilience. Businesses are presented with unique issues while operating in an increasingly digital Australian society and navigating a regional and global landscape with more stringent environmental obligations due to climate change impacts. This operating environment also has a regulatory overlay with governments, who are responding by increasing their focus on corporate and director breaches, as well as by establishing new regulatory frameworks to improve the governance and management of crisis risks.

Within these digital and natural environments, recent trends and developments have led businesses in Australia to focus on:

• cybersecurity and data protection;
• environmental regulatory enforcement under state and territory laws; and
• ESG and greenwashing.

These are expected to remain strong areas of focus for businesses in Australia in 2025.

Cybersecurity and data protection

Cybersecurity has ranked as the top concern for Australian businesses in recent years. This is not surprising given:

• increasing regulatory expectations and obligations on companies to ensure that their governance and management of cyber-risks is robust;
• the volume of personal and other confidential information held by organisations (increasing with artificial intelligence adoption);
• the increased sophistication of threats;
• reliance on third parties; and
• an active class-action environment.

These factors mean that cybersecurity and data protection will remain key risks – and areas of focus – for Australian businesses. The risk of regulatory enforcement action following a major cybersecurity incident is material. To date, companies have faced enforcement action under privacy laws, as well as sector-specific laws and regulations (ie, prudential standards for banks and insurers, financial services licensees and telecommunications providers).

The Australian Securities and Investments Commission (ASIC) stated that it is actively investigating breaches of directors’ duties for failing to take reasonable steps to prepare for a cyber-attack. Recent reforms increase the scope and risk of actions against companies.

Privacy reforms

The Privacy and Other Legislation Amendment Act 2024 (Cth) (the “Amendment Act”) was introduced into law in 2024, as part of modernising Australia’s privacy laws. Certain amendments are now in force, with others to take effect later this year. The reforms follow 2022 amendments to the Privacy Act 1988 (Cth) (the “Privacy Act”), which increased the penalties for breaches of the Privacy Act for serious interferences with privacy to AUD50 million or more.

The Amendment Act expands the privacy regulator’s powers and raises the bar for data security and privacy practices. The obligation to take “reasonable steps” to protect personal information is clarified as including organisational steps,
