Directors Beware – ASIC’s Continued Use of Stepping Stone Liability


Key takeaways

  • Stepping Stone Liability refers to holding directors accountable in respect of breaches by companies of their statutory obligations.
  • Directors’ duty of care: Under section 180(1) of the Corporations Act, directors must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in similar circumstances.
  • Penalties for breach: Violating section 180(1) can result in civil penalties, including a maximum fine of 5000 penalty units ($1,565,000), relinquishment orders, and disqualification orders.
  • Directors cannot be indemnified by the company for such breaches but can seek coverage through D&O insurance, though obtaining such insurance is increasingly challenging and costly.
  • The Business Judgment Rule: provides a safe harbour for directors making business judgments, but its protection does not extend to Stepping Stone Liability compliance matters.
  • Emerging areas of focus are ESG, AI and Cybersecurity:
    • Directors must ensure compliance with ESG regulations and avoid greenwashing to mitigate liability risks.
    • Directors must prevent AI-washing and ensure transparent and accurate AI-related disclosures.
    • Directors are increasingly expected to prioritise cyber resilience and comply with data protection regulations to avoid potential liability.
  • There is a pressing need for regulatory intervention to provide clearer safe harbours and protections for directors to manage these evolving risks effectively.

Stepping Stone Liability

Australian company directors remain in ASIC’s crosshairs for causing companies to breach their statutory obligations. ASIC has pursued directors for a breach of director duties under section 180(1) of the Corporations Act where a director has authorised or permitted a company’s contravention of statutes (Stepping Stone Liability). Stepping Stone Liability has been one of the most effective weapons in ASIC’s arsenal against directors, demonstrating their willingness to pursue directors for company breaches, even beyond those relating to the Corporations Act. With the growing risk of Stepping Stone Liability, it is more important than ever for directors to understand their duties and to ensure the company meets its statutory obligations.

Directors’ Duty of Care

The Corporations Act imposes a number of duties on directors. The most prominent duty is in section 180(1) which provides that:

  1. A director or other officer of a corporation must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they:
    1. were a director or officer of a corporation in the corporation’s circumstances; and
    2. occupied the office held by, and had the same responsibilities within the corporation as, the director or officer.

This is the statutory duty of care and diligence imposed on directors that mirrors duties owed in torts and equity. The test for a breach of this duty is whether the acts or omissions of an individual exposed the corporation to a foreseeable risk of harm, and whether a reasonable person holding that position would not have acted or failed to act in that way. This risk is real if it is not far-fetched and fanciful. In making a determination, the court will consider the company’s circumstances and the responsibilities of the director within the company.

Penalties for Breach

Section 180(1) is a civil penalty provision with a maximum pecuniary penalty for individuals of 5000 penalty units ($1,565,000). The non-pecuniary penalties courts generally order in respect of a breach of this provision include relinquishment and disqualification orders.

Indemnity and Insurance

Notably, section 199A of the Corporations Act prohibits a company from indemnifying a director for a breach of their directors’ duties. However, companies have the option to obtain directors and officers (D&O) insurance to shield directors from personal liability and financial consequences resulting from such breaches. D&O insurance typically encompasses three distinct ‘sides’. Side A coverage specifically addresses directors’ legal costs, settlement fees, and penalties arising from breaches of duties. Notably, the premiums for Side A D&O insurance are especially high and cover is increasingly challenging to obtain.

Section 199B of the Corporations Act restricts companies from paying premiums for policies that would indemnify directors against liability for, among other things, wilful breaches of duty. This does not limit a director from paying the D&O premium.

A Stepping Stone Approach

In Australian Securities and Investments Commission v Fortescue Metals Group Ltd (ASIC v Fortescue),1 Keane CJ described contraventions of the Corporations Act as a ‘stepping stone’ to director liability. Since then, the principles of Stepping Stone Liability have seen drastic development under common law.

Not all contraventions by a company will impose liability on a director under section 180(1) of the Corporations Act.2 The courts have confirmed that it does not create a wide-ranging obligation for directors to ensure a company acts in accordance with the law.3

Recent cases indicate that Stepping Stone Liability actions do not need to be solely in relation to breaches of the Corporations Act. ASIC has found Stepping Stone Liability through contraventions of the Australian Securities and Investments Commission Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth). Whilst traditionally ASIC have always made these arguments in combination with a contravention of the Corporations Act, ASIC v Drake (No 2) was an exception.4 In that case, ASIC brought an action against directors under section 180(1) solely for causing the company to commit a breach of trust under section 22(1)(a) of the Trusts Act 1973 (Qld).5 Whilst ASIC’s case was dismissed for various reasons, Edelman J did not suggest in his judgment that a breach of the Corporations Act was a requirement in establishing liability.6 ASIC will no doubt test the limits of this approach in future cases.

The Business Judgment Rule

The Corporations Act provides a statutory safe harbour for breaches of section 180(1) where a director makes a business judgment (Business Judgment Rule). The Business Judgment Rule has been eroded with the emergence of Stepping Stone Liability. There was great uncertainty about whether the rule applied to Stepping Stone Liability. However, the recent case of ASIC v Big Star Energy Ltd echoed the stance in ASIC v Fortescue that the Business Judgment Rule does not extend to compliance matters contemplated by Stepping Stone Liability.7 Consequently, the limitations of the Business Judgment Rule in safeguarding certain corporate decisions may become increasingly significant in regulatory contexts, as the scope of Stepping Stone Liability widens.

A Widening Scope – Australian Securities and Investments Commission (ASIC) v Wilson (No 3) [2023] FCA 1009 (ASIC v Wilson)

Whilst traditionally an actual contravention was required to establish stepping stone liability, in ASIC v Cassimatis [No 8] there was doubt as to whether it was actually a requirement.8 Edelman J suggested that it might have been sufficient to prove that a contravention is ‘extremely likely’.9

In the recent case of ASIC v Wilson, it was alleged that Frank Wilson, the managing director of Quintis Limited (Quintis), a publicly listed company, committed various breaches of section 180(1).10 The breaches arose from failing to tell the board that certain material agreements were going to be terminated or were terminated. This resulted in a failure of Mr Wilson to ensure Quintis did not mislead the market about the termination of the agreements.

ASIC relied on sections 1041H and 674 of the Corporations Act to allege three breaches by Mr Wilson of his duty under section 180(1). Notably, ASIC did not actually allege that these provisions were contravened. ASIC alleged that:

  1. the Quintis board lost the opportunity to determine whether a disclosure to the market was required in relation to the termination of the agreements;
  2. the alleged breach of section 674 by Mr Wilson exposed Quintis to a risk of legal proceedings; and
  3. the conduct in the announcements was potentially misleading, rather than actually misleading or deceptive.

The judge noted that section 180(1) requires a foreseeable risk of harm, which included:

  1. a risk of suffering penalties for a contravention of the law; and
  2. a risk that a company will be found to have broken the law or, conceivably, a risk that it will be perceived to have broken it.

Furthermore, it was noted that it is not a requirement of section 180(1) that harm resulted in an actual contravention of the law. The standard is nonetheless set by reference to what a hypothetical reasonable director would have done in the circumstances.

ASIC was ultimately unsuccessful due to their failure to prove Mr Wilson’s knowledge of the termination of the agreements. However, Jackson J went as far as to say the alleged breaches of section 180(1) would have been made out if such knowledge was found.

ASIC’s Continued March on Stepping Stones

Case Study: ASIC v Holista Colltech Ltd [2024]

ASIC has continued to show that they are willing to hold individuals to account in connection with corporate compliance failures. In the recent decision of Australian Securities and Investments Commission (ASIC) v Holista Colltech Ltd [2024] FCA 244 a director was held personally liable for contraventions by a company of sections 674(2) and 1041H of the Corporations Act by:

  1. allowing the company to make misleading or deceptive announcements to the ASX; and
  2. failing to qualify, withdraw or correct any existing announcements so that they weren’t misleading or deceptive.

The director was excluded from being a director for 4 years and fined $150,000.

An ever-changing landscape

The landscape of Stepping Stone Liability will continue to evolve as ASIC targets emerging issues such as Environmental, Social, and Governance (ESG) concerns, artificial intelligence (AI), and cybersecurity.


With ASIC’s intensified focus on ESG matters, directors must ensure they accurately report environmental activities and comply with environmental statutes to avoid breaching section 180(1) of the Corporations Act.

A director would likely be found liable for a breach of section 180(1) where a company engages in greenwashing, as it would contravene sections of the Corporations Act. For example, a company could breach:

  1. Section 1041H by:
    1. making misleading statements about their climate impact, environmental policies, or adoption of global standards; or
    2. failing to qualify, withdraw or correct any existing announcements so they aren’t misleading or deceptive; or
  2. Section 674 by: failing to disclose the company’s environmental dependencies and impact, which are increasingly material.

Alternatively, there are several environmental statutes that impose responsibilities on companies and directors to ensure environmental harm and adverse actions do not occur. Where a company has been found to have breached its obligations under these statutes, ASIC may bring a claim against the directors. Notably, ASIC may be more likely to bring an action against a director under section 180(1) under a civil onus of proof in circumstances that otherwise would have required criminal accessorial liability to be proven.

These breaches of section 180(1) are especially cogent given that a company’s environmental strategy and actions would be within a reasonable director’s knowledge. In both these circumstances, there is a foreseeable risk of harm, especially reputational harm. These scenarios underscore the need for directors to exercise diligence in overseeing and ensuring compliance with environmental regulations to mitigate potential legal risks and liabilities.

Artificial Intelligence

The proliferation of AI in business operations introduces new challenges around “AI-washing”, where companies exaggerate or misrepresent the capabilities of AI technologies to deceive stakeholders. ASIC’s potential enforcement under section 1041H of the Corporations Act highlights the risks associated with misleading AI-related disclosures. Directors must exercise diligence in ensuring accurate and transparent communications regarding their company’s AI integration to prevent liability and maintain trust with stakeholders. As AI continues to evolve, ASIC’s scrutiny in this area is expected to increase, necessitating heightened awareness and compliance among directors to mitigate Stepping Stone Liability.

Cyber Breaches

Given the growing number of cyber breaches, ASIC has had an increasing emphasis on cyber-preparedness and risk management. In an address to the Australian Financial Review’s (AFR) Cyber Summit on 18 September 2023, ASIC Chair, Joe Longo, made statements that underscore the importance of directors’ involvement in ensuring robust cyber risk management:

“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”.

Where a director fails to protect personal information or comply with notifiable data breach obligations under the Privacy Act 1988 (Cth) or otherwise, they may be held personally liable under section 180(1). Notably, as was the case in ASIC v RI Advice Group Pty Ltd [2022] FCA 496, companies may breach provisions of the Corporations Act by failing to have adequate risk management systems in place to combat cybersecurity threats. As ASIC adopts a more proactive enforcement approach, directors must actively assess and address cyber risks to fulfil their duties and mitigate the legal and reputational consequences of cybersecurity breaches.

The Future of Stepping Stone Liability

ASIC has been given greater freedom with the acceptance of the ‘foreseeable risk’ approach to Stepping Stone Liability in ASIC v Wilson. Given this and the broader scope of contraventions ASIC have been targeting, it has the authority and capability to find directors personally liable. Notably, ASIC could find directors liable for contraventions of provisions in statutes under a civil onus of proof in circumstances that otherwise would have required criminal accessorial liability to be proven.

The continuous expansion of Stepping Stone Liability poses a significant challenge for directors, leaving them vulnerable to potential personal liability without clear defences or protections. As the scope widens, the already challenging landscape for obtaining affordable D&O insurance will intensify, leaving directors grappling with significant liability risks. Regulatory intervention is needed to provide a workable and reasonable safe harbour that gives directors much-needed clarity and protection amidst the evolving landscape of Stepping Stone Liability. Without such measures, the risks associated with directorship of companies, particularly listed companies, may make it difficult to find suitable individuals willing to accept such roles.

1 (2011) 190 FCR 364, 370 [10].

2 Australian Securities and Investments Commission v Maxwell (2006) 59 ACSR 373, 399 [104].

3 Australian Securities and Investments Commission (ASIC) v Mariner Corp (2015) 327 ALR 95, 173 [444].

4 Australian Securities and Investments Commission (ASIC) v Drake (No 2) (2016) 340 ALR 75.



7 Australian Securities and Investments Commission (ASIC) v Big Star Energy Ltd (No 3) (2020) 389 ALR 17, 116-7 [529]-[532]; Australian Securities and Investments Commission (ASIC) v Fortescue Metals Group Ltd (2011) 274 ALR 731, 788 [197]-[198].

8 Australian Securities and Investments Commission (ASIC) v Cassimatis (No 8) (2016) 336 ALR 209, 218 [5].

9 Ibid 339 [679].

10 Australian Securities and Investments Commission (ASIC) v Wilson (No 3) [2023] FCA 1009.