Disclosure Obligations after a Data Breach: Updated ASX Guidance


Recent high-profile data breaches have put boards on high alert, making cyber security a top priority for companies across the country. To assist listed entities in discharging their disclosure obligations under the Listing Rules, ASX has recently updated its guidance to include a worked example of how and when to update the market if a data breach occurs.

Continuous Disclosure Obligations

ASX-listed entities will be familiar with the requirement to immediately disclose ‘market sensitive information’ (unless a carve-out to disclosure applies) (Continuous Disclosure Obligation).

While this is a strict obligation, what is ‘market sensitive information’ will invariably depend on the circumstances. Since the purpose of the Continuous Disclosure Obligation is “to enhance the integrity and efficiency of Australia’s capital markets”1 by keeping investors informed, any information that might reasonably be expected to have a material effect on the price or value of a company’s shares is prima facie considered disclosable.

But how does this apply in a data breach situation?

The Continuous Disclosure Obligation is agnostic as to what the relevant ‘market sensitive information’ is and information relating to any data breaches which may be experienced by a listed entity needs to be considered in this context. Accordingly, as part of their responsibility to monitor the cyber risks faced by their company, boards of listed entities must also be conscious of making proper disclosure of any data or security breaches to the market.

Obligations of the board

As previously discussed in our recent alert, board members are responsible for actively evaluating their entity’s cyber security processes and ensuring that any cyber crisis is managed effectively. Boards are expected to focus on four key areas: Readiness, Response, Recovery and Remediation.

Accurate and timely disclosure of a data breach will be required as part of the ‘Response’ phase of a cyber crisis. However, boards should also take steps during the ‘Readiness’ phase to ensure they are prepared to discharge their Continuous Disclosure Obligations easily and effectively during the ‘Response’ phase.

A failure to comply with the Continuous Disclosure Obligation is not only a breach of the Listing Rules but may also give rise to a contravention of section 674 of the Corporations Act 2001 (Cth), resulting in serious legal consequences for the relevant entity as well as potentially its officers and directors.

ASX’s updated Guidance Note 8 includes a detailed example to assist listed entities in understanding when the Continuous Disclosure Obligation may be enlivened during a cyber crisis / data breach. We consider this example below.

ASX Guidance for a data breach

The following is a high-level overview of the example scenario detailed in ASX Guidance Note 8.

Practical tips for boards to consider

Based on the example in the revised ASX guidance, boards should consider the following actions:

1. Seek legal advice and engage ASX as early as possible

Entities are encouraged to engage with ASX as early as possible to appropriately manage disclosure obligations in connection with a cyber incident.

Consider whether legal advice is required to assist the company to comply with its ASX disclosure obligations, particularly if you have concerns that personal information may have been lost, disclosed or subject to unauthorised access during this cyber incident.

The company may have obligations under Australian or overseas privacy laws to assess whether it is required to notify the Office of the Australian Information Commissioner (or another privacy regulator) and the affected individuals about the cyber incident and the risks to personal information.

2. Engaging a forensic expert

If there is a need to engage a third-party forensic expert to assess the cyber incident and the company’s systems, the company should consider its legal or other purposes for engaging the expert, and whether its general counsel or a specialist cyber security lawyer should commission and further instruct the forensic expert’s investigation of the cyber incident.

As we have seen in recent high-profile Australian data breaches, this decision about the dominant purpose of forensic investigations may impact the company’s ability to maintain legal professional privilege in relation to any communications with or reports produced by the relevant expert.2

For these reasons, boards should consider obtaining urgent legal advice upon discovering a potential data breach. Alternatively, best practice is for boards to review their current systems, policies and procedures now to ensure that clear protocols are established for employees and management to follow in the event of a data breach or other cyber security crisis.

3. Ensure there is sufficient information before disclosing

Is there sufficient information regarding the circumstances of the data breach and the potential implications of the same to determine whether the breach might have an adverse impact on the value or price of the company’s shares?

If not, the matter may be insufficiently definite to warrant disclosure (provided it remains confidential).

Once there is sufficient information then disclosure will be required immediately even if the company does not have complete information (i.e. even if the relevant expert has not completed their investigation).

4. Maintain confidentiality

Details of the breach must remain confidential, or disclosure will be required. Engagement with ASX, other government regulators or forensic experts will not cause confidentiality to be lost for the purposes of the confidentiality carve-out to disclosure (the Exception), provided such engagement occurs on a confidential basis.

Once affected individuals have been notified, a data breach will cease to be confidential and the company can no longer rely on the Exception – an entity must be prepared to release a market announcement regarding the data breach to ensure compliance with its Continuous Disclosure Obligations (see below).

5. Prepare a draft announcement

Boards should ensure that draft announcements have been prepared and are on hand to be quickly updated and released if a data breach ceases to be confidential at any point (or if disclosure is otherwise considered to be appropriate).

Even if an entity considers information not to be ‘market sensitive information’, ASX may require that entity to make an announcement and will expect the board to act quickly.

6. Include all of the details

The content of a market announcement by an entity will depend on all of the facts and actual knowledge at the time. However, ASX would expect any announcement to include:

  • a description of what has occurred;
  • the material facts known about the data breach;
  • any material impact on operations or financial position that the entity is aware of at the relevant time;
  • the action that the entity is taking in response to the data breach; and
  • when the entity expects to be in a position to update the market.

7. Consider a trading halt

The board should consider whether a trading halt is necessary to allow time to prepare a sufficiently detailed announcement. All announcements must be carefully drafted so that accurate and complete disclosure is given which does not omit any material information known to the entity at the relevant time. If there are any factual uncertainties which will be resolved within a short time, ASX may agree to grant a voluntary suspension to allow a more definitive and informative announcement to be made while keeping interruption to trading to a minimum.

8. Provide regular updates

The board should be conscious of its continuing obligations to release updated announcements to the market as the matter progresses. For example, if the cyber-criminal ultimately releases a large volume of the information, an updated announcement must be provided to ASX.

The updated Guidance Note took effect on 27 May 2024 and can be accessed via ASX Online or the ASX Listing Rules page on the ASX website.

If you have any queries or concerns regarding how the Continuous Disclosure Obligation relates to your company, please contact a member of our Corporate and Commercial team. For help with identifying and assessing your cyber security risks, or preparing to successfully respond to a cyber incident such as a ransomware attack or business email compromise, contact our Cyber Security team.


1 James Hardie Industries NV v ASIC [2010] NSWCA 332 at paragraph 355.
2 Robertson v Singtel Optus Pty Ltd [2023] FCA 1392.

By Rebecca Rutland & Luke Dawson