
Building cross-functional compliance in APAC’s complex regulatory environment

As regulatory changes sweep across the Asia-Pacific region, organisations must ensure their legal, technical, and communications teams are aligned, or risk facing the same costly fallout experienced by others who failed to do so.

May 27, 2026 By Grace Robbie

The rapidly changing regulatory environment across the Asia-Pacific (APAC) region has placed organisations under significant pressure, demanding quick adaptation to a series of evolving compliance requirements.

As the regulatory challenges continue to unfold, organisations face an urgent need to align their legal, technical, and communications teams in order to foster proactive compliance and ensure robust privacy protection.

Speaking with Lawyers Weekly after her panel session at RelFest Sydney, Simone Herbert-Lowe, legal practitioner director at Law & Cyber, offered her insights into the increasing complexity of these challenges and shared strategies for organisations to better align their internal teams for success.

Key obstacles in this evolving landscape

Organisations are no longer simply tasked with implementing policies; the real challenge now is ensuring these policies are consistently and effectively executed across all teams.

Despite the clear importance of comprehensive policies, significant obstacles still hinder organisations from achieving this critical goal.

Herbert-Lowe identified that one of the primary challenges organisations face today is not just creating these policies, but ensuring they are effectively integrated within the very fabric of an organisation’s culture.

“One of the big issues is cultural, because it’s one thing to have policies, but if you don’t actually implement them, then you don’t get the outcome that you’re looking for,” she said.

This cultural divide is being felt across organisations, with Herbert-Lowe noting that it has been especially evident in several high-profile court cases over the past year that showcase how having policies in place is not enough – they must be effectively put into practice.

“There was a case against a pathology company; they had an incident response plan in place, but the person who was supposed to lead it had left. The officers’ information commissioners brought an action against them for civil penalties for failing to protect personal information,” she said.

“When that case went to the Federal Court, it became obvious that they had actually said they were going to do, but they weren’t implemented. So, the court took a really granular view of whether or not just whether they had policies, but whether they actually implemented them.”

“In that case, they had a plan, but they had never rehearsed it. So they copped a total $5.4 million fine for failing to protect personal information either before the cyber attack or after the cyber attack.”

Another key challenge Herbert-Lowe stressed that organisations face in ensuring compliance is the potential siloing of departments within the organisation.

She explained that many teams work in isolation, focused on their own priorities with little coordination, which often leads to inefficiencies, communication breakdowns, and missed opportunities to address risks before they escalate.

“When you’ve got people in different business groups, whether it’s legal or technology or finance or other groups, they can be siloed about it,” she said.

“For example, what if the finance team doesn’t want to spend money on something that the technology people say they need or whatever?”

Unlocking the solution

To overcome the challenges of aligning diverse teams and fully integrating compliance into an organisation’s operations, Herbert-Lowe emphasised that senior leadership must make it a top priority.

“There’s broad oversight to make sure that happens, and then I guess it’s also the really senior leadership to make sure that everybody’s looking and committed to the same things, and that it’s a really important strategic priority as well,” she said.

One effective way to ensure top-down commitment and alignment, Herbert-Lowe suggested, is through practical exercises that simulate real-world scenarios, noting how they not only reveal gaps in compliance policies but also cultivate a culture of collaboration between departments and leadership.

“An example of an exercise I did once is when you role-play a cyber incident, for example, the CEO said, ‘Are you telling me that we still have the CVs of every single person who’s ever applied for a job here?’ HR said, ‘Yes’, and he’s like, why get rid of it today?” she said.

“The fact that they actually had that conversation since sitting around a table meant that something came before him that he had no idea, and they just changed their policy on the spot about that.”

Herbert-Lowe also shared the need for a unified, overarching company strategy that aligns all departments towards a shared vision of compliance and risk management.

“It’s really about somebody having an overall company strategy to make sure everybody’s working together on those issues,” she said.

The high cost of inaction

While organisations may be tempted to delay addressing alignment and compliance, believing it’s a problem for later, the consequences of this mindset can be both severe and far-reaching.

Beyond the immediate financial costs, Herbert-Lowe stressed that one of the most damaging risks of this mindset is the devastating reputational harm organisations face when found non-compliant with APAC policies.

“Certainly reputational. We all know the really big breaches in Australia over the last few years; they’re very damaging to corporate reputations,” she said.

Herbert-Lowe pointed to high-profile cases like the Optus and Medibank breaches, which not only caused significant reputational damage but also left these companies ranked among the most distrusted in Australia, even six months after the incidents.

“I remember seeing that six months after the Optus and Medibank breach, those two organisations were in the top six most distrusted organisations in Australia. So people see that, and they feel let down,” she said.

Outside of reputational damage, she also warned that organisations risk facing legal action, including class actions and penalties from regulatory bodies, such as the Privacy Commissioner.

With the regulatory landscape evolving rapidly, she stressed that companies can no longer afford to overlook compliance – they must act now to avoid severe consequences.

“The environment is very different to what it was two or three years ago in terms of what the penalties and the consequences could be for an organisation if they don’t get it right,” she said.
