The results are in: Cyber resilience must be a boardroom issue
Nearly half of New Zealand businesses faced a cyberattack last year, but too many boards still underestimate the risk.
KORDIA
Boardroom Premium
Directors’ duties and escalating risk: lessons from ASIC v Bekier
An Australian court ruling highlights directors’ obligations when serious risks emerge, with important implications for New Zealand boards.
In an extensive judgment released earlier this month in ASIC v Bekier – a case brought by the Australian Securities and Investments Commission (ASIC) – the Federal Court of Australia firmly restated what is expected of directors and other officers of a company when serious risks emerge. New Zealand boards should pay close attention, as it may set a precedent that New Zealand courts could follow.
The case in brief
The Star Entertainment Group Limited operates a casino business in Sydney. Star’s largest junket customer engaged in suspicious conduct at the casino, including potential money laundering.
Separately, misleading information was provided to Star’s bank about the use of certain cards for gambling purposes. Star’s CEO (and managing director) and company secretary knew, or ought reasonably to have known, of the serious risks posed to the company, but did not inform the board and did not otherwise take appropriate steps to address the issues.
The Federal Court found that the CEO and the company secretary breached their duties of care and diligence under section 180(1) of the Corporations Act 2001. Claims against the non-executive directors were dismissed.
Key principles from the decision:
-
- Directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company. They are entitled to rely on information and advice from management unless they know, or ought to know, facts that make reliance unreasonable.
- In this case, the Court drew a distinction between executive and non-executive directors. Some of the key points:
- Executive directors should take all reasonable steps to ensure the board is informed of matters exposing the company to legal, financial or reputational risk, or which create risk of breach of legal obligations. In this case, it was not sufficient for the company secretary to simply tell the CEO about the risks to the company – she was required to ensure the other board members were also apprised of the risks.
- Non-executive directors are not required to be involved in the affairs of the company at an operational level and are entitled to rely on management to a greater extent than executive directors, but that reliance is not unlimited. Here, management’s reporting understated the severity of the issues, with the result that the non-executive directors did not have sufficient knowledge of the issues. The Court held that these directors had not breached their duties, but was critical of the overall level of board engagement.
- While the Court distinguished between executive and non-executive directors in this case, this is not a bright-line distinction and will not necessarily apply in every case. Whether any particular director has breached their duties depends on what a reasonable director, in the specific circumstances and with that director’s responsibilities, would have done.
- The ‘business judgment rule’ (where a director makes an informed decision in good faith for a proper purpose) protects directors who have actually exercised judgement. A decision not to act can qualify, but only if the director has consciously considered the issues and made an active choice.
- It is not necessary to show that the company contravened the Corporations Act to establish a breach of directors’ duties, although a contravention may be relevant. Rather, the assessment requires balancing the foreseeable risk of harm to the company against the benefits reasonably expected to flow from the director’s conduct. This is a prospective, contextual assessment.
- While AI can assist governance processes, it is not a substitute for a director’s own judgement.
Why this matters for New Zealand
New Zealand courts regularly look to developments in Australian corporate law when interpreting directors’ duties under the Companies Act 1993. Bekier could become an influential reference point.
One of the leading New Zealand authorities on directors’ duties is the Mainzeal case, where the Supreme Court held directors liable for breach of their duties and emphasised the importance of maintaining a clear-eyed view of a company’s position.
Bekier reinforces the same principle from an escalation perspective – management and executive directors must ensure the board has an accurate picture of the risks the company faces, not a sanitised one.
The timing is significant. The Law Commission is currently reviewing directors’ duties, with a report expected in 2027. Bekier may inform that review, particularly around escalation obligations, the flow of information between management and the board, and the implications of AI.
Three questions every board should ask
-
- Are your escalation frameworks adequate? Compliance and legal risks must reach the board in a form that clearly conveys their seriousness and signals when urgent attention is required.
- Is your board reporting accurate and complete? Management reporting that understates risks does not protect directors.
- Do you have a policy on AI in the boardroom? If directors are using AI tools, that practice should be acknowledged, governed and documented. Unstructured AI use in governance is unlikely to satisfy a director’s duty of care.
New Zealand companies should treat Bekier as a prompt to review their governance frameworks now, ahead of regulatory scrutiny and the Law Commission’s forthcoming report.
Selina Tie and Faiz Charania also contributed to this article.
The views expressed are those of the author and do not necessarily reflect the views of
the Institute of Directors.
the Institute of Directors.
Related content
