Cyber security and Australian business: Disclosure obligations for ASX-listed companies

Cyber security has shot into headlines recently, after the high-profile cyber security attacks on Optus and Medibank. Consequently, all Australian businesses, both big and small, are now on alert and closely examining their cyber security requirements.

We discuss the implications for listed companies and the ASX Listing Rules to be aware of. 

In the case of listed companies, the individuals affected by the cyber security attack are not the only individuals that need to be kept informed. Listed companies have the added responsibility of ensuring that they are also keeping their investors updated with regards to the developing situation. In the rush to address the immediate impact of the cyber security attack, listed companies must still ensure that they are meeting their continuous disclosure requirements and updating the market with appropriate information as soon as that information is available.

This has been highlighted in comments by the Chief Compliance Officer of the ASX as reported by the Australian Financial Review on 8 November 2022, in which listed companies are being urged by the ASX to implement a plan for how they will inform the market of a data breach in the event they fall afoul of a cyber security attack. It is important that in doing so, ASX Listed companies consider their continuous disclosure obligation under the ASX Listing Rules, including the use of trading halts and/or voluntary suspensions where appropriate.

What is the continuous disclosure obligation?

The ASX Listing Rules impose several disclosure requirements on listed entities, one of which is the continuous disclosure obligation. This obligation is imposed by Listing Rule 3.1, which states that a company must immediately disclose to ASX any information which a reasonable person would expect to have a material effect on the price or value of their securities. In this context, ASX Guidance Note 8 identifies that:

  • “material effect’ is a consideration of whether the information would, or would be likely to, influence persons who commonly invest in the securities of the company in deciding whether acquire or dispose of securities; 
  • ‘Immediately’ does not necessarily mean instantaneously, but rather, promptly (as quickly as possible) and without delay (without postponing the announcement to a later time).
  • ‘Information’ is not strictly a matter of fact but can also be an opinion or intention.  It does not need to be financial information, or even measurable in financial terms – as long as it has a material effect on the company’s securities price.

Disclosure must be made even if it does not appear to be in the short-term interests of the company and a breach of the disclosure obligations can incur serious legal consequences for the company and its officers.

Exclusions are available but would be unlikely to be relevant in the event of data breach resulting from a cyber security attack.

Given the potentially significant costs associated with a cyber security attack, including undertaking forensic investigation, remedial action, notification action, potential payment of a ransom demand, together with the cost of the disruption to the business and the potential for reputational damage, any significant cyber security attack on a listed company that holds a large amount of personal information has the potential to have a material effect on the financial position of the company and, in turn, its share price. This is before factoring in the potential financial consequences arising from regulatory fines or civil compensation claims where the company may be found to have breached any applicable laws or been negligent in keeping up with industry standards, in terms of cyber security attack prevention or management. 

Trading Halts and Voluntary Suspensions

Under Listing Rule 17, a company can request up to a two- day trading halt or a longer-term voluntary suspension of trading where it considers that trading in the market could occur on an uninformed basis. 

However, the grant of a trading halt or voluntary suspension remains at the discretion of ASX where it is satisfied that the company is not in a position to make an announcement to the market and that trading in the market could occur on an uninformed basis.

ASX commentary

The comments made by Daniel Moran, Chief Compliance Officer of ASX, as reported by the Australian Financial Review on 8 November 2022:

  • highlight that ASX will be closely monitoring the actions of companies in terms of meeting their disclosure obligations in the event of a cyber security attack;
  • confirm that ASX is satisfied that the current listing rules and guidelines are sufficient to address the developing circumstances and that the ASX are not looking to introduce new formal guidelines around disclosure requirements in the case of cyber security attacks;
  • highlight that listed entities must disclose what they know about cyber security attacks as early as possible;  
  • recognise that a brief voluntary suspension could assist a company to conduct necessary investigations to get relevant facts for disclosure to the market, but noting that this will not permit a company to go into a trading halt to defer disclosing market sensitive information simply because the relevant facts aren’t known due to an unfolding situation -  “Companies also can’t go into suspension; while they get perfect information, the goal is to get the information that you need to disclose to the market”; and
  • noted the complexity and urgency associated with the circumstances of a cyber security attack and urged companies to plan in advance with regard to their approach to communication to investors and the public.

Recommendations

Listed companies and their directors understand the importance of keeping the ASX informed of any price sensitive information in order to meet the entity’s continuous disclosure obligations under Listing Rule 3.1. Ensuring compliance with these obligations remains a key component of any response to the occurrence of a cyber security attack and potential data breach.  

This is not only relevant to listed companies who hold vast quantities of retail customer information, but to all listed companies with regard to employee and supplier information that are retained by them.

If a cyber security attack could affect the price of the securities in your company, then you should be on the front foot to ensure that your response plan includes steps to inform the market of the impact of the attack.

The steps that a company could take include: 

  1. reviewing and updating the company’s continuous disclosure policy specific to the inclusion of an action plan for dealing with the circumstances of a cybersecurity attack (or preparing and implementing a continuous disclosure if one does not already exist);
  2. a review/identification of appropriate company personnel/consultants who need to participate in the coordination of the disclosure;
  3. preparing a draft template request for trading halt; and
  4. preparing a draft template initial announcement identifying the initial occurrence of the cyber security attack and the proposed response. 

This may be predicated by an assessment of the financial, reputational and other impacts that a cyber security attack could have on the company and the circumstances in which a cyber security attack could represent a price sensitive event for the company.

Many listed companies will already have examples of policies and template documents available to address other potential disclosure situations (e.g. media speculation / adverse media) and companies can benefit greatly by having an action plan and materials available to cover the potential for a cybersecurity attack. 

Whilst a cyber security attack can occur in a variety of forms and the disclosure required to be made will need to be considered in the context of the specific circumstances, an established process and draft documentation will be of great assistance to a board and its management team in ensuring that its continuous disclosure obligations are not left behind in the whirlwind of a cyber security attack.
 

|By Michele Muscillo & Richard Hanel