D&O professionals series: Celia Wright

WTW’s Financial, Executive & Professional Risks (FINEX) Practice collaborates with professionals throughout the directors’ and officers’ (D&O) liability insurance industry to gain perspective into the many facets of our business. In our “D&O Professionals Series,” we feature professionals from various corners of the industry, from executive D&O underwriters to securities litigators to coverage counsel and others. Our objective is to discuss how ever-changing conditions in the broader economy and in business have impacted D&O risk, securities litigation and our industry more broadly.

In this edition, we feature Celia Wright, Principal of Gilchrist Connell, a leading Australian insurance sector law firm.

WTW: What do you consider to be the emerging risks for directors and officers?

Climate, cyber and AI are at the forefront of the emerging risks facing leaders of businesses and not-for-profits in Australia.

Climate related risks manifest in different ways. For example:

Mandatory climate reporting commenced in Australia from 1 January 2025 in stages. Initially, the requirements will apply to large companies, with it applying more broadly from 1 July 2027. Companies will have a limited 3 year immunity from certain private claims (but not regulatory action), however, this is unlikely to offer much comfort.
The Australian Competition and Consumer Commission has been asked to investigate claims of carbon neutral flying by a major Australian airline. A complaint was lodged in October 2024 by research and advocacy group, Climate Integrity and the Environmental Defenders Office. This follows a greenwashing decision against an airline in the Dutch Courts in March 2024 and is consistent with the increased global scrutiny on airlines, as major emitters.
The Australian Securities and Investments Commission (ASIC) had its first successful greenwashing case against a retail superannuation fund, resulting in a penalty of AU$11.3M. Judgment is pending in two other ASIC ‘greenwashing’ proceedings.
In an example of private litigants using the legal processes to promote environmental issues, a shareholder of a major Australian bank filed a preliminary discovery application seeking information about the bank’s internal risk management framework. The shareholder was allegedly concerned the bank “may not be properly managing the twin risks of climate change and biodiversity loss”. The action was discontinued however, shortly after this the bank announced it will no longer provide project finance to new or expanded oil and gas projects.

We expect to continue to see environment groups and other claimants, with the assistance of activist law firms, testing the parameters of the existing laws to pursue an environmental agenda. The misleading or deceptive conduct laws have already proven a flexible tool generally in Australia and breach does not require an intention to mislead. In 2022 the Full Federal Court declined to recognise a duty of care to protect groups (such as children) from potential harm from climate change. ^[1] However, this issue is again before the Courts, with judgment pending in a claim brought on behalf of Torres Strait Islanders against the Commonwealth of Australia and regardless of the outcome in that case, is unlikely to go away. ^[2]

WTW: What are the emerging risks impacting business profitability?

Australian businesses face increased compliance burden and cost due to new laws, including forthcoming cyber and privacy laws (touched on below). While clarification and greater cohesion of the laws and policies in these areas is welcome, this is occurring at a time when many businesses are already facing pressures on their bottom line.

Additionally, the benefits associated with AI create a tension with climate responsibilities. AI is a large consumer of resources. The power required to train large language models and maintain data centers to support AI 24 hours a day, 7 days a week is far greater than traditional technology. Deloitte states that, on average, a gen AI–based prompt request consumes 10 to 100 times more electricity than a typical internet search query. ^[3] This adds an additional layer of complexity (and therefore costs) when measuring scope 3 emissions or assessing a business’ carbon footprint.

Thirdly, there has been a sustained increase in the costs of attracting and retaining talent across many sectors in Australia. This was acute in the immediate aftermath of the COVID-19 lockdowns and was attributed to the opening up of borders and pent up demand. However, it shows few signs of abating and may be ‘the new normal’ in some industries, such as law and other professions. Jobs and Skills Australia reports that 33% of occupations experienced a shortage in 2024, slightly down from 36% in 2023.^[4] The most impacted industries were professionals (48%) and technicians and trade workers (35%), consistent with 2023. Of the top 20 largest employing occupations in shortage, 15 have been experiencing a shortage continuously for the last 4 years.

The challenges for businesses are exacerbated by a series of new workplace laws commenced from December 2023 and set to continue throughout 2025, described as the ‘Closing Loopholes’ laws (being part of a commitment to improve workplace conditions and protections for employees made by the Labour Government during the last election). The laws introduce significant and widespread changes, including from 26 August 2024, a new right to disconnect which permits an employee to refuse to respond to contact or attempted contact from their employer or a third party (such as a client) outside their working hours, unless the refusal is ‘unreasonable’. The right to disconnect has yet to be tested in the Courts.

WTW: Cyber has been a hot topic in past years. In WTW's 2024 Global Directors’ and Officers’ Survey, for the first time in many years cyber-related risks were not at the very top of the list as a concern. Do you think cyber risks have abated?

Now is not the time for business leaders to be complacent about cyber risks. Regulators expect businesses to have a robust risk management framework which addresses cybersecurity risks and are using their powers to investigate and prosecute business that don’t. We also expect to see a growth in class actions and other claims with the introduction of new laws.

In terms of regulatory action:

In September 2024, ASIC confirmed it is investigating how directors have prepared for and responded to cyberattacks and legal action is looming against some unnamed individuals. ^[5]This follows a number of warnings from ASIC that it will not hesitate to take legal action against board directors and executives who are “recklessly ill-prepared for cyber attacks” and do not take sufficient steps to protect their customers and infrastructure from hackers. ^[6] Cyberattacks are no longer seen as a novel risk in the eyes of the regulator.
Following one of the largest cyberattacks in Australia, in which the personal data of an estimated 9.7 million customers of a health insurer was compromised, the insurer is now the subject of proceedings by the privacy regulator. The regulator is seeking fines of up to $2.22 M for each individual contravention. The maximum penalty for breach of the Privacy Act 1988 (Cth) has since increased to $50M.

Australia does not have a human rights charter or legislation, and its appellate Courts have yet to recognise a common law tort of invasion of privacy. Therefore, historically, the avenues for private claims were limited. However, this is about to change. Notably:

changes to the Privacy Act in 2024 introduced a new statutory tort of serious invasion of privacy, described in general terms as invasion of privacy that involves an ‘intrusion upon seclusion’ (such as physically intruding into a person’s private space, watching, listening to, or recording the person’s private activities or private affairs) or ‘misuse of information’, or both. A plaintiff will need to establish seriousness, a reasonable expectation of privacy and recklessness or intention (ie, mere negligence is not enough), however, harm is not required; and
new cyber security laws introduced in 2024 impose mandatory security standards on all business (irrespective of size) that use or sell smart devices. Separately, entities whose turnover in the previous financial year exceed $3 million, and all government entities, will be required to report a ransomware payment within 72 hours after making, or becoming aware of, a payment. Additionally, a newly created Cyber Incident Review Board will investigate and report on significant cybersecurity incidents.

WTW: Do you think artificial intelligence will be a material D&O risk over the next three years? Why or why not?

In the medium term, the opportunities offered by generative AI come with significant risks particularly for C suite executives.

A key risk is a gap in knowledge and a lag in upskilling. This presents challenges for directors in implementing effective, safe and responsible AI governance, while remaining competitive through the responsible adoption of AI.

This issue was highlighted in a recent ASIC report following a review of 624 AI use cases by 23 financial services licensees. ^[7] ASIC found there was a shift towards more use of AI. However, less than 50% of the licensees had policies in place for AI that referenced fairness or related concepts such as inclusivity and accessibility and even less had policies that referenced disclosure of AI use to affected customers. Amongst the risks identified by ASIC was a trend for some entities to assess risks through a business lens, rather than the potential harm to consumers.

Australia does not currently have mandatory bespoke laws governing the development or use of AI. In September 2024, the Department of Industry, Sciences and Resources commenced consultation on proposed mandatory guardrails for ‘high risk’ settings. 9 of the 10 proposed guardrails overlap with the guardrails currently set out in the Australian Government Voluntary AI Safety Standard. Irrespective of whether a company considers it comes within a ‘high risk’ category, all entities and directors should familiarise themselves with the voluntary standard.

An overarching risk is that business leaders take a siloed view of the areas where AI use can lead to exposure. If not properly understood and managed, AI can lead to claims under existing laws relating to privacy, defamation, anti-discrimination, unconscionable conduct, misleading representations, product liability, negligence amongst other areas and in turn, can lead to allegations of breach of directors’ duties in failing to assess and govern risks to the company.

WTW: What do you envision the securities litigation environment looking like in the next 12 to 18 months?

Some commentators suggest a reduced enthusiasm for shareholder class actions in Australia is leading to reduced filings. ^[8] This is being attributed to five decided cases between 2019 and 2024, each of which were dismissed. ^[9] Two of those decisions are the subject of an appeal. ^[10]

The judgments are significant for being the first shareholder class actions in Australia to go to a trial on common issues, rather than settlement. They will have undoubtedly led to adjusted expectations amongst funders and class action lawyers about the willingness of defendants and their insurers to run appropriate matters to a trial.

In our view, the judgments are an aspect of the maturing of the class action regime and development of the law in Australia. Each case was unsuccessful for individual reasons, reflecting the inherent risks in any litigation involving highly complex and factually dependant issues (and subject to the outcome of the appeals). A common feature of all the claims was that the applicant relied on market based causation to seek to establish loss.

The judgments demonstrate that the Australian courts will take a rigorous and principled approach to causation in shareholder class actions and suggest that market based causation (or fraud on the market) may have only a limited role. However, market based causation is merely one of a number of alternative ways to approach causation. We do not expect funders or class action lawyers to be overly discouraged by the judgments.

In 2024 a number of new entrants (funders and solicitors) entered the Australian market, leading to renewed calls for regulation. With the increased availability of After the Event (ATE) insurance and recent judicial clarification that group costs orders are available at settlement stage, Australia remains an attractive market for funders. In our view, securities class actions, in one form or another, will remain an aspect of the class action landscape in Australia for the foreseeable future.

Footnotes

Minister for the Environment v Sharma [2022] FCAFC 35 Return to article
Pabai Pabai v Commonwealth of Australia Return to article
As generative AI asks for more power, data centers seek more reliable, cleaner energy solutions referring to de Vries, The growing energy footprint of artificial intelligence, Joule (2023) Return to article
2024 Occupation Shortage List Return to article
ASIC pursues board directors over cyber breaches Return to article
Address by ASIC Chair Joe Longo at the Australian Financial Review Cyber Summit, 18 September 2023. Return to article
REP 716 Cyber resilience of firms in Australia’s financial markets: 2020–21 Return to article
Shareholder class actions plunge after prominent corporate victories Return to article
TPT Patrol Pty Ltd as trustee for Amies Superannuation Fund v Myer Holdings Ltd (2019) 293 FCR 29; 140 ACSR 38, [201] FCA 1747; BC201909848; Bonham as trustee for the Aucham Super Fund v Iluka Resources Ltd (2022) 404 ALR 15; [2022] FCA 71; BC202200558; Crowley v Worley Limited (No 2) [2023] FCA 1613; BC2023318444 (Worley); McFarlane as Trustee for the S McFarlane Superannuation Fund v Insignia Financial Ltd [2023] FCA 1628; BC202318569 and Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Ltd (No 5) [2024] GCA 477; BC202406155 (CBA). Return to article
On 7 February 2024, the Applicant filed an appeal in Worley. On 25 June 2024, the Applicant filed an appeal in CBA. Return to article

Contact

Emily Yin

Technical Director – FINEX Australasia

email Email phone +61 409 908 382

Featured professional

Celia Wright

Principal, Gilchrist Connell,

Celia regularly acts in director and officer claims, regulatory matters and professional indemnity claims, including as coverage and monitoring counsel and in coverage disputes. She has over 20 years’ experience assisting insurers and insureds to navigate complex multi-party disputes with a focus on commercial and lateral solutions.

Celia has particular expertise and extensive experience advising insurers in connection with claims under Investment Management Insurance policies and similar blended PI and D&O policies issued to entities in the financial sector. She is familiar with the complex legal and regulatory landscape in which these entities operate in Australia.

Celia is highly regarded for her pragmatic advice and her nuanced approach to negotiating and resolving disputes.

List of website locations and languages available in Americas
Location	Languages Available
Argentina	Spanish
Bermuda	English
Brazil	Portuguese
Canada	English French
Chile	Spanish
Colombia	Spanish
Costa Rica	Spanish
El Salvador	Spanish
Guatemala	Spanish
Honduras	Spanish
Mexico	Spanish
Nicaragua	Spanish
Panama	Spanish
Peru	Spanish
United States	English
Venezuela	Spanish

List of website locations and languages available in Asia-Pacific
Location	Languages Available
Australia	English
China	Simplified Chinese
Hong Kong (China, SAR)	English
India	English
Indonesia	English
Japan	Japanese
Korea	Korean
Malaysia	English
New Zealand	English
Philippines	English
Singapore	English
Taiwan	Traditional Chinese
Thailand	English Thai
Vietnam	English

List of website locations and languages available in Europe
Location	Languages Available
Austria	German
Belgium	English French Flemish
Croatia	English Croatian
Czech Republic	English Czech
Denmark	Danish
Finland	Finnish
France	French
Germany	German
Greece	Greek
Hungary	Hungarian
Ireland	English
Italy	Italian
Kazakhstan	Kazakh Russian
Luxembourg	French
Netherlands	Dutch English
Norway	Norwegian
Poland	Polish
Portugal	Portuguese
Romania	Romanian
Serbia	Serbian
Slovakia	Slovak
Spain	Spanish
Sweden	English Swedish
Switzerland	English French German
Turkey	Turkish
Ukraine	Ukrainian
United Kingdom	English

List of website locations and languages available in Middle East and Africa
Location	Languages Available
Cameroon	English French
Congo	French
Egypt	English
Ghana	English
Ivory Coast	French
Israel	English
Jordan	English
Kenya	English
Kuwait	English
Mauritius	English
Nigeria	English
Saudi Arabia	English
Senegal	French
South Africa	English
UAE	English
Uganda	English