Recent high-profile data breaches have put boards on high alert, making cyber security a top priority for companies across the country. To assist listed entities in discharging their disclosure obligations under the Listing Rules, ASX has recently updated its guidance to include a worked example of how and when to update the market if a data breach occurs.
Continuous Disclosure Obligations
ASX-listed entities will be familiar with the requirement under Listing Rule 3.1 to immediately disclose ‘market sensitive information’ to ASX unless one of the carve-outs in Listing Rule 3.1A applies (Continuous Disclosure Obligation).
While this is a strict obligation, what constitutes ‘market sensitive information’ will invariably depend on the circumstances. Since the purpose of the Continuous Disclosure Obligation is “to enhance the integrity and efficiency of Australia’s capital markets”1 by keeping investors informed, any information that a reasonable person would expect to have a material effect on the price or value of an entity’s securities is prima facie disclosable.
But how does this apply in a data breach situation?
The Continuous Disclosure Obligation is agnostic as to the subject matter of the ‘market sensitive information’: information about a data breach suffered by a listed entity is tested against the same standard as any other information concerning the entity. Accordingly, as part of their responsibility to monitor the cyber risks faced by their company, boards of listed entities must also be conscious of making proper and timely disclosure of any data or security breach to the market.
Obligations of the board
As previously discussed in our recent alert, board members are responsible for actively evaluating their entity’s cyber security processes and ensuring that any cyber crisis is managed effectively. Boards are expected to focus on four key areas: Readiness, Response, Recovery and Remediation.
Accurate and timely disclosure of a data breach will be required as part of the ‘Response’ phase of a cyber crisis. However, boards should also take steps during the ‘Readiness’ phase to ensure they are prepared to discharge their Continuous Disclosure Obligations easily and effectively when the ‘Response’ phase arrives.
A failure to comply with the Continuous Disclosure Obligation is not only a breach of the Listing Rules but may also give rise to a contravention of section 674 of the Corporations Act 2001 (Cth), a civil penalty provision, resulting in serious legal consequences for the relevant entity as well as potentially for officers and directors who are involved in the contravention.
ASX’s updated Guidance Note 8 includes a detailed example to assist listed entities in understanding when the Continuous Disclosure Obligation may be enlivened during a cyber crisis / data breach. We consider this example below.
ASX Guidance for a data breach
The following is a high-level overview of the example scenario detailed in ASX Guidance Note 8.
Event | Event Details | Disclosure required | Why / why not? |
---|---|---|---|
Data breach discovered | It is not yet clear what information has been accessed and whether anything has been taken or “exfiltrated”. The Company holds the information in encrypted form. The Company urgently calls in a forensic expert on a confidential basis to assess the situation | Disclosure is not required at this time | Based on the limited information available, the Company is not yet in a position to determine if the data breach is material to the price or value of the Company’s securities AND even if it was, at this stage the matter is insufficiently definite to warrant disclosure (Exception). |
Ransom email received | Shortly after the discovery of the data breach one of the Directors of the Company receives a ransom demand by email. The forensic expert is continuing to work to determine whether any data was exfiltrated and it appears that the accessed data was encrypted. | Disclosure is not required at this time | For the same reasons set out above, but ASX would expect the Company to continue the forensic work with urgency – the Continuous Disclosure Obligation is triggered as soon as an officer of the Company has, or ought reasonably to have, become aware of the information in the course of performing their duties. The Company and its officers should now be on heightened alert as to the likely need to make disclosure pending the outcome of the investigations by the forensic expert. |
Discussion with regulators | The Company engages with regulators in relation to the data breach on a confidential basis | Disclosure is not required at this time | If the data breach were determined to be materially price sensitive, the Company can no longer rely on the Exception once confidentiality of the fact of the data breach is lost (although engagement with the regulators will not of itself cause confidentiality to be lost). The Company should prepare a draft announcement that can be rapidly released if the data breach ceases to be confidential at any point. |
Personal information has been exfiltrated (extent not confirmed) | The forensic expert confirms that, despite previous indications, some unencrypted personal information has been exfiltrated (including sensitive information). It is still uncertain precisely how much information was taken. | Disclosure is not required at this time (until confidentiality is lost) | In the Guidance Note example, the Company is required to notify the Office of the Australian Information Commissioner that sensitive information has been taken and to notify the affected individuals, BUT market disclosure is not required as the extent of the data breach remains highly uncertain (so the Exception continues to apply). However, once the affected individuals are notified, the data breach will cease to be confidential, and the Company will no longer be able to rely on the Exception. The Company should therefore release a market announcement immediately before notifying affected individuals to ensure compliance with its Continuous Disclosure Obligations. |
Personal information has been exfiltrated (extent confirmed) | The next day, although the review is not yet complete, the forensic expert confirms that information about a large number of customers has been exfiltrated including financial information such as credit card details. The Company is also approached by a journalist asking for a comment for an article they intend to write about a reported cyber incident. | Disclosure to the market is now required | The fact that the information of a large number of customers has been accessed is new information which is likely to have a material effect on the price or value of the Company’s securities, and the extent of the data breach is now sufficiently certain to warrant immediate disclosure (despite the expert not yet having completed its investigation). In addition, the journalist’s approach indicates that confidentiality has been lost. The Company may consider consulting with ASX at this point in relation to entering a trading halt to allow the Company time to prepare an announcement. |
ASX Announcement and another ransom demand | The Company has now released an ASX announcement regarding the data breach which includes a statement that, as far as the Company is aware, none of the exfiltrated information has been further disseminated. The Company’s securities are trading. The cyber-criminal sends another ransom demand, and the forensic expert indicates that the cyber-criminal has released information in the past of other victims who failed to pay the ransom. The board meets and decides not to pay the ransom. | Further disclosure not normally required | ASX would not consider the decision not to pay the ransom to be disclosable since the Company has already informed the market of all materially price sensitive information regarding the data breach of which it is aware. |
Large volume of personal information released | The cyber-criminal releases a large volume of personal information onto the dark web. | Further disclosure is required | At the time of the earlier announcement, the Company had stated that it was not aware of any personal information having been released by the cyber-criminal. |
Practical tips for boards to consider
Based on the example in the revised ASX guidance, boards should consider the following actions:
1. Seek legal advice and engage ASX as early as possible
Entities are encouraged to engage with ASX as early as possible to appropriately manage disclosure obligations in connection with a cyber incident.
Consider whether legal advice is required to assist the company to comply with its ASX disclosure obligations, particularly if you have concerns that personal information may have been lost, disclosed or subject to unauthorised access during this cyber incident.
The company may have obligations under Australian or overseas privacy laws (including the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth)) to assess whether it is required to notify the Office of the Australian Information Commissioner (or another privacy regulator) and the affected individuals about the cyber incident and the risks to personal information.
2. Engaging a forensic expert
If there is a need to engage a third-party forensic expert to assess the cyber incident and the company’s systems, the company should consider the legal or other purposes for which the expert is being engaged, and whether its general counsel or a specialist cyber security lawyer should commission the expert and instruct the expert’s investigation of the cyber incident.
As we have seen in recent high-profile Australian data breaches, the dominant purpose for which a forensic investigation is commissioned may determine whether the company can maintain legal professional privilege over communications with the expert and any reports the expert produces.2
For these reasons, boards should consider obtaining urgent legal advice upon discovering a potential data breach. Better still, boards should review their current systems, policies and procedures now to ensure that clear protocols are in place for employees and management to follow in the event of a data breach or other cyber security crisis.
3. Ensure there is sufficient information before disclosing
Is there sufficient information regarding the circumstances of the data breach and the potential implications of the same to determine whether the breach might have an adverse impact on the value or price of the company’s shares?
If not, the matter may be insufficiently definite to warrant disclosure (provided it remains confidential).
Once there is sufficient information then disclosure will be required immediately even if the company does not have complete information (i.e. even if the relevant expert has not completed their investigation).
4. Maintain confidentiality
Details of the breach must remain confidential, or disclosure will be required. Engagement with ASX, other government regulators or forensic experts will not of itself cause confidentiality to be lost for the purposes of the Exception, provided such engagement occurs on a confidential basis.
Once affected individuals have been notified, a data breach will cease to be confidential and the company can no longer rely on the Exception – an entity must be prepared to release a market announcement regarding the data breach to ensure compliance with its Continuous Disclosure Obligations (see below).
5. Prepare a draft announcement
Boards should ensure that draft announcements have been prepared and are on hand to be quickly updated and released if a data breach ceases to be confidential at any point (or if disclosure is otherwise considered to be appropriate).
Even if an entity considers information not to be ‘market sensitive information’, ASX may require the entity to make an announcement where it considers that a false market exists or is likely to exist (Listing Rule 3.1B), and will expect the board to act quickly.
6. Include all of the details
The content of a market announcement by an entity will depend on all of the facts and actual knowledge at the time. However, ASX would expect any announcement to include:
- a description of what has occurred;
- the material facts known about the data breach;
- any material impact on operations or financial position that the entity is aware of at the relevant time;
- the action that the entity is taking in response to the data breach; and
- when the entity expects to be in a position to update the market.
7. Consider a trading halt
The board should consider whether a trading halt is necessary to allow time to prepare a sufficiently detailed announcement. All announcements must be carefully drafted so that accurate and complete disclosure is given which does not omit any material information known to the entity at the relevant time. If there are factual uncertainties which will be resolved within a short time, ASX may agree to grant a voluntary suspension to allow a more definitive and informative announcement to be made while keeping the interruption to trading to a minimum.
8. Provide regular updates
The board should be conscious of its continuing obligations to release updated announcements to the market as the matter progresses. For example, if the cyber-criminal ultimately releases a large volume of the information, an updated announcement must be provided to ASX.
The updated Guidance Note took effect on 27 May 2024 and can be accessed via ASX Online or the ASX Listing Rules page on the ASX website.
If you have any queries or concerns regarding how the Continuous Disclosure Obligation relates to your company, please contact a member of our Corporate and Commercial team. For help with identifying and assessing your cyber security risks, or preparing to successfully respond to a cyber incident such as a ransomware attack or business email compromise, contact our Cyber Security team.
1 James Hardie Industries NV v ASIC [2010] NSWCA 332 at [355].
2 Robertson v Singtel Optus Pty Ltd [2023] FCA 1392.