Hello and welcome back to The Pinsent Masons Podcast, where we try to keep you abreast of the most important developments in global business law, every fortnight. I’m Matthew Magee and I’m a journalist at Pinsent Masons, and this week we ask if the S in ESG gets enough attention, and outline new cybersecurity requirements for organisations in Australia.
But first, here is some business law news from around the world:
UK government sets clear deadlines for buildings with unsafe cladding
New Irish Companies Act enhances CEA enforcement powers and
EU chases 23 countries on cyber law implementation
Developers and landlords of high-rise buildings affected by unsafe cladding in England must meet new deadlines set out by the government to remediate cladding issues, or face stringent enforcement measures and financial consequences. The UK government recently set out targets to speed up the process of fixing buildings with combustible cladding in England. The new measures will also introduce significantly tougher penalties for failing to act. Under the government’s Remediation Acceleration Plan, all buildings over 18 metres with unsafe cladding in a government-funded scheme will have to be remediated by the end of 2029. All buildings over 11 metres with unsafe cladding should either have been remediated or have a date for completion by the end of 2029, otherwise, the landlords will be liable for severe penalties. Building safety regulation expert Katherine Metcalfe said “The new sanctions include a legal duty to complete remediation within a clear timescale, supported by significant financial consequences for inaction, a new criminal offence of failing to remove unsafe cladding and further enforcement powers for regulators.”
The new Irish Companies Act will enhance the supervisory and enforcement powers of the Corporate Enforcement Authority (CEA) following a long period of expansion of its enforcement team. CEA has been the company enforcement watchdog since 2022 and is responsible for investigating suspected violations of the Companies Act 2014. It refers serious matters to the Director of Public Prosecutions (DPP) for prosecution on indictment. Litigation expert Lisa Carty said: “The expansion of the CEA’s powers under the Act coincides with additional funding for the recruitment of extra specialist staff. These steps signal very clear endorsement of the work of the CEA and the importance of the integrity of Irish companies and their officers.”
The European Commission has threatened 23 EU countries with potential fines over their failure to implement the Network and Information Security (NIS2) Directive into national laws. Cyber law expert Stuart Davey said the lack of national implementing legislation for NIS2 is hampering businesses’ efforts to comply with the new regime. NIS2 imposes cybersecurity risk management and incident reporting obligations on organisations. EU member states had until 17 October 2024 to implement the directive into their national legislation, but only four countries met the deadline. The Commission said it had opened “infringement procedures” against 23 states – including Germany, France, Spain, Ireland, the Netherlands and Luxembourg – “for failing to fully transpose the NIS2 Directive”.
Every major company in the world will be amending their conduct in line with demands that they operate in a way that is responsible in relation to environmental, social and governance, or ESG, considerations. A combination of formal regulation, especially in Europe, customer expectation and investor pressure means that ESG requirements are a hard reality for firms. But is activity well balanced between the E and the S and the G? Leeds-based responsible business expert Mike Harvey thinks that as corporate social responsibility has morphed into ESG activity the stakes have got higher. And while the amount of action on environmental damage is welcome, it may be coming at the expense of the S – social considerations.
Mike Harvey: It's become a lot more business critical, I would say. So clients and businesses, investors are asking more pointed questions. You know, what difference is it making? Show me the data. There is a lot more regulation that is coming through that businesses have to comply with. So it's moved from the situation where it's voluntary, it's relying on goodwill of the people or the interests of the leaders to a compliance issue. Businesses have to do this because it's regulated that they do so. ESG, in the main and in the conversations that I have with businesses both internally and externally, to be honest, most people associated that with the environmental aspect of it and the thing that makes the environmental element different is that while climate change is a complex thing in the world, it is a relatively simple message. OK, so damage to our environment poses a significant risk to our planet and human life on the planet, and people see the extreme weather events, you know. It's tangible. People can see it and feel it.
Matthew Magee: Part of the problem is that environmental impact is relatively easy to measure. The same can’t be said for socially-geared activity.
Mike: The environmental metrics are much easier to measure and report on, so there’s specific numbers that are easier to represent. So, if you think about carbon emissions, think about energy consumption, water usage, it's just easy to quantify and it's easier to report on those. It's easier to benchmark businesses against each other and compare against companies and sectors, which makes it more appealing. And then if you flip that over to the S it's much more complex and harder to measure. So, if you think about employee volunteering, community investment work, we send somebody out into the community to read with a young child who's maybe not the expected reading standard. We invest that time and effort in it, that young person's literacy ability increases. They can then access other areas of education, they do better in their GCSEs, they go and deliver a successful life. How do you measure that? It's a really hard thing to measure and compare across. And also, if you look at how a business supports its employees, whether around social mobility, gender, ethnicity, you promote people from within the business, they're more motivated, they work harder, they bring new ideas to the organisation, that business is more successful over time, over years, it's really hard to measure those kind of things. Now there are some methods for doing that. We'd look at social value, which quantifies all that work using like government approved algorithms to transfer the time and the energy put into community into a pounds and pence figure and that's the closest thing we've got at the moment to a universal measure, but it's not ideal. But you can see that the difference between environment, which is really kind of, I mean some people might say that it's not that easy, but it feels to me that the data is easier to measure compared to the community figures.
Matthew: So what exactly is social activity? What are we talking about here? Well, it’s a broad category and includes how a company treats its own workers as well as how it relates to the outside world, says Mike.
Mike: The social side of things will look different for every organisation. So, some examples could be how an organisation strengthens diversity, equity and inclusion. So, looking at if it has inclusion networks within the organisation, inclusive practices, supporting women, LGBTQ plus individuals or people of different faiths, ethnicities or backgrounds and supporting those people through networking, mentoring, advocacy to support them in the organisation or it could be around inclusive recruitment practices. It's also around how you invest in your community, how you use your skills to support the community. For us as a law firm, it's around pro bono, using our legal skills and the skills of our business operations colleagues to support the community. We work with local schools on education programmes and build partnerships with charities, not-for-profit organisations that do support social action. But it's also the basics, making sure you have fair labour practices, you look after the human rights of your employees, you're aware of your supply chain and the impact that ongoing supply chain has on communities and on human rights. But it's also supporting the mental health and well-being of our people, it's the social aspect of ESG.
Matthew: We’re familiar with ‘greenwashing’ – companies claiming environmental credentials they don’t deserve – but the same danger exists with social activity. Making unsubstantiated claims can be reputationally damaging; and laws like EU directives on sustainability reporting contain serious fines for companies that breach them. So in house legal departments have a crucial role to play in keeping companies on track, Mike says.
Mike: You know, I've worked in responsible business for 18 years and it's always relied on goodwill but it's moving to become more of a compliance issue and where it’s a compliance issue, that's when the legal departments get drawn in, and they've got a hugely important role in making sure the business is moving forward in a meaningful way. So you know, we're talking about the S of ESG, but from the E perspective it's very similar to the greenwashing accusations that a business might have and the conversations moving to socialwashing, so business might brand itself as socially responsible with policies and marketing message, but not having the genuine action that goes around it. Consumers, clients, investors are getting much more sophisticated at being able to see that greenwashing and the socialwashing. They've got more knowledge than they ever have before, so businesses cannot get away with these vague approaches to ESG. So it's really important that the GCs within the organisations, that they're working in and supporting their boards to make the right decisions around this, that this is good for society, but it is also good for business. It is no longer just a fluffy nice thing to do. It supports long term profitability, increased productivity, it attracts talent to your organisation, it keeps your current employees happy, enhances your reputation, leads to competitive advantage and greater innovation within your organisation and that's even before you look at the regulatory compliance. We know that responsible businesses do better.
Australia has passed laws that tackle one of the biggest issues for businesses, states and societies – cybersecurity. The impact of incidents on national security, the welfare of citizens and the bottom line of businesses can be severe, so it has passed laws that adopt many internationally-common practices. Melbourne-based technology law expert Veronica Scott told me all about it.
Veronica Scott: What Parliament has done is passed a cyber security legislation package comprising three acts which have received Royal Assent now, so we can actually call them law, they have commenced. So, there's been a consultation process over the last while and we've got these three acts and the first one is the Cyber Security Act and it's the first Cyber Security Act that's been introduced in Australia, the first of its kind, I believe the UK has a cybersecurity act too and of course, we're starting to see similar legislation in other jurisdictions.
Matthew: Veronica has identified the most important parts of the wide-ranging cybersecurity law for companies to be aware of.
Veronica: The first thing it does is introduce an obligation on Australian organisations to report to the National Cybersecurity Office the payment of a ransom demand. So, when they've made the payment, it doesn't prohibit their payment of a ransom, it just mandates the reporting within 72 hours. So pretty short amount of time of the payment of a ransom, either by that organisation or a related entity because the aim that the government wants to achieve is to get a better understanding because we know a lot of ransom demands are made and payments are made, but there is not a lot of transparency around that. The second change is to introduce a framework for the development of cybersecurity standards for smart devices, so anything that is a connected device. Again, it does reflect what's been introduced in the UK as well in relation to smart devices and it will allow the Minister to mandate standards for certain types of devices. Some may be exempt, there may be some categories of devices that are mandated to comply, but that gives the Minister the flexibility to develop that and allow those standards to evolve. Importantly for organisations, it's if they are manufacturing or selling smart devices in Australia, so if they're aware or reasonably to be aware that those products will be acquired in Australia and those organisations will be called so, these acts have extraterritorial effect, and so it's not just about organisations operating in Australia for those standards, but also those manufacturing and smart devices that will be connected and used in Australia. The third change will be, and this I think is really important as a lawyer who advises clients a lot in relation to responding to cyber incidents, it will introduce a limited use provision. 
So, what the government wants to do is to provide support to organisations when they have cyber incidents that are impacting their business and individuals and to date, there has been concern about the protection of the information that organisations voluntarily provide to the government, to the cybersecurity coordinator and her office in relation to seeking assistance for the coordination of that support. So, what the limited use provision will do is ensure that the office cannot use that information save for very specific prescribed purposes in the act. As a lawyer, one of my main concerns is that any claim for legal professional privilege is not compromised or waived and there's an express provision that states that the provision of that information voluntarily would not waive any claim for legal professional privilege. It will also not be admissible evidence saving certain circumstances, for example, for prosecuting an offence under that relevant part of the Act. So there are some exceptions to the limited use provision, but essentially it will allow this information to be provided in confidence and to be used to support the organisation. It's very clear that it doesn't, this limited use provision doesn't mean that clients aren't subject to their legal obligations, or to any other compulsory disclosure of information, for example, to the office of the Australian Information Commissioner in relation to data breaches that are mandated to be notified under the Privacy Act. The fourth change the Cyber Security Act will introduce is the establishment of a cyber incident review board. So that will conduct no fault incident reviews of incidents of major cyber security incidents and that will commence within six months.
We've already seen some of the major incidents that have happened in Australia be the subject of reviews which have helped to provide insights or understandings in relation to incidents, how they happen, how they may be prevented, or how to manage those going forward.
Matthew: So what should companies do to prepare for these changes? Hopefully most will already have measures in place to protect their infrastructure, workers and customers, so they should review the policies and procedures governing these functions, Veronica says.
Veronica: So, in relation to, for example ransomware reporting, companies already have data breach notification obligations here in relation to assessing and reporting on what we call eligible notifiable data breaches and we always recommend to organisations to consider their position and policy in relation to paying a ransomware if that is something that happens to them and they really need to review and uplift and consider their policy approach to payment of ransomware demands and then how they're going to be ready to notify within the very short time period that they'll be given, once they've made that payment and the prescribed information that they're going to be expected to have to provide as well. So, it's really an uplift of their data breach response and cyber incident response planning and preparation.
Matthew: Well, that's it for this week and indeed, this year. It's been nearly a full year of producing the Pinsent Masons Podcast, and it's been quite the adventure. Thank you very much for coming along with us. I hope if you're getting a break as one year turns to the other, then it's a good one and you get some rest. We will come back in the new year with more business law news and analysis from all over the world. You can keep up to date still with the written material up in pinsentmasons.com. You can sign up for a personalised version of the news to your inbox every week at pinsentmasons.com/newsletter. Or you can just hang on until January for the next edition of the Pinsent Masons Podcast. Thank you for listening in 2024, and I'll talk to you again in 2025.
The Pinsent Masons Podcast is produced and presented by Matthew Magee for international professional services from Pinsent Masons.