The results are in – health and safety and cyber risks continue to dominate the risk rankings in the Pacific again, following a global trend for directors and officers around the world.
While the broad banner of ESG (Environmental, Social and Governance) continues to make headlines, the survey results demonstrate a greater increase in risk rating for social and governance risks ahead of environmental risks. Climate change (the E in ESG) has dropped out of the top seven risks, replaced by a breach of human rights, demonstrating a rise in the importance of social risks (the S in ESG).
Systems and controls (the G in ESG) and regulatory breaches remain key risks. As an outlier, insolvency and financial distress just make it into the top seven risks for the pacific. Data from Australia’s corporate regulator shows that the rate of insolvency continues to rise, with 7,485 insolvencies for the 6 months ending 31 December 2024, representing an increase of 47% from the same period in 2023. The perceived risk of shareholder claims has continued to drop down the rankings, reflecting the decrease in securities class action filings and a number of successful company defences (however, the outlook may not be as rosy at it seems; see further below).
Despite the rise in the availability and use of generative AI and machine learning, and the broad reaching reforms overseas such as the European Union’s Artificial Intelligence Act or the proposed reforms in Australia, this risk continues to rank in the bottom half.
Whilst the categories of risk have remained relatively stable when compared with last year’s results, the perception of those risks has heightened. For example, four risks in 2025 were assessed at 80% or higher (with % indicating a risk is ‘very important’ or ‘extremely important’). This is compared with only one risk rating above 80% in 2024.
Climate change has dropped out of the Pacific's top seven risks, despite mandatory sustainability reporting in Australia starting from January 2025. This new regime requires large businesses and financial institutions to disclose environmental impacts, risks, and opportunities, including climate-related financial risks, greenhouse gas emissions, and sustainability targets. The reporting covers both direct and indirect climate risks and data, with directors required to provide specific declarations, gradually moving from "reasonable steps" to strict compliance.
While directors and officers are aware of these evolving disclosure obligations, the survey indicates that cyber, social, and governance risks are currently seen as more pressing. It will be interesting to see how climate risks are perceived in the coming years as the reporting regime expands and the geopolitical landscape changes.
Health and safety rose up the rankings last year and has solidified its number one spot in 2025.
Given the prominence of cyber risks, this comes as somewhat of a surprise. However, this result is consistent across the world with health and safety topping the global risk rankings for the second year in a row.
Company boards are facing an everchanging regulatory and risk landscape for health and safety issues. As at the end of 2024, industrial manslaughter is now recognised as an offence across all Australian states and territories (attracting sizeable penalties for body corporates and lengthy terms of imprisonment for individuals), with talk of introducing similar provisions in New Zealand.
When asked why health and safety issues are important, survey respondents confirmed that while traditional physical health and safety remains the dominant concern (43%), there was also a growing recognition of mental health and wellbeing as a critical aspect to health and safety (40%).
Various legislative reforms were introduced in 2023 and 2024 with many taking effect throughout 2024, including “Closing the Loophole Bills” one and two, as well as the ‘right to disconnect’ (the right of an employee to refuse to monitor, read or respond to contact from their employer outside their usual working hours, unless doing so is unreasonable), which underscores the increasing importance of monitoring and managing psychosocial risks in the workplace. The High Court of Australia also recently considered the psychosocial impact on employees where a company’s policies and procedures for employee dismissals were not adhered to.
In December 2024, the New Zealand Government announced proposed reforms to strike a balance between employer and employee interests. If passed, those reforms may result in a shift in the risk rating for this category in New Zealand. Nonetheless, the outcome of a recent regulatory action in New Zealand may still be front of mind for many directors. The regulator pursed a novel action against a company director after the entity had been found guilty of health and safety failings following the death of a contractor in 2015. This action resulted in a multi-million-dollar settlement with the regulator. We observe that New Zealand respondents prioritised cover for fines and penalties (71%) under the questions relating to insurance coverage areas. This rating may reflect sentiments in response to this high-profile action.
Data loss and cyber attacks continued to hold the top ranks taking out the second and third spots in the top seven respectively. This is in line with other regions, although the growing perception of these risks in Australasia was material. Data loss (83%) has nearly doubled in two years, up from 64% in 2024 and 42% in 2023. Cyber attacks (81%) had a similar trend, up from 69% in 2024 and 46% in 2023.
The aftermath of the high profile and widely publicised data breaches of sensitive information held by telecommunication companies, law firms and health care service providers are still being felt. Cyber attacks and data breaches became more widespread in 2024, impacting various businesses such as car dealerships, tertiary education, engineers and FI traders, highlighting the indiscriminate nature of the risks.
In late 2024, Australia introduced significant reforms to the Privacy Act 1988 (Cth) bringing it more closely in line with international standards like the EU’s General Data Protection Regulation (GDPR). Amongst other changes, the reforms introduced a tort for serious invasions of privacy, enhanced mandatory data breach reporting obligations and provided new enforcement powers for regulators.
In New Zealand, reforms to expand notification requirements were tabled in late 2023 and as at the time of writing, continue to progress in Parliament.
These statutory reforms and increased regulatory oversight have continued to push cyber governance further into the boardroom. The survey showed 73% of the Pacific companies had completed a cyber table-top exercise in the last 12 months. Although many organisations are aware of the risks, the gap between cyber preparedness and the rising sophistication of attacks remains a challenge. Boards need to ensure cybersecurity strategies, data governance frameworks and crisis management protocols are continually reviewed.
Securities class actions have tumbled down in the risk rankings, reflecting easing pressure in the space following decreased filings (only three in Australia in 2024 and one in New Zealand) and a number of successful company defences. However, the space will continue to mature this year with two of the recent decisions being under appeal at the time of writing. The dial may shift again depending on the outcome of these appeals.
Changes in the securities class action landscape have led plaintiff firms and litigation funders to diversify their books and target a broader range of companies and industries. One event trend to look out for is the commencement of class actions (both shareholder and consumer) against companies as well as board or executive members following a data breach. It will be interesting to watch developments in the data breach class action space this year, as the first wave of these actions progress through the Australian courts.
Legislative reform in New Zealand will also be a factor with the Government having announced proposals for the most substantial changes to the Companies Act 1993 in over 30 years. The first phase is centred around modernising the Act (e.g. allowing greater use of digital processes), however there will also be a second phase of reform focusing on directors' duties and related liabilities. This will be welcome in the wake of the Supreme Court’s decision in Mainzeal in August 2023. The Companies Act changes will also potentially operate alongside the introduction of long-awaited class action legislation, which is still ongoing.
Almost one third (31%) of respondents purchased higher D&O policy limits compared to 24% last year. 2024 saw a number of new insurers enter the D&O insurance market, creating competition and resulting in reduced premiums and expanded coverage for most risks. The favourable environment allowed many buyers of insurance to reinvest any premium savings into higher insurance limits, as cost remains the key driver for insurance, followed by broker advice and perception of risk.
Cover for fines and penalties shot to number one this year, up from number six in 2024, as an important coverage area. This is not surprising given the increased activity observed by the corporate regulator. In the six months to 30 June 2024, ASIC commenced 12 civil penalty proceedings, compared to seven in the same period in 2023. Additionally, reforms in the Financial Accountability Act or the New Aged Care Act heighten the potential risks and exposures for accountable persons or responsible persons, highlighting the importance of cover for fines and penalties.
