On 27 May 2024, updated guidance from the Australian Securities Exchange (ASX) regarding continuous disclosure obligations for cyber breaches came into effect.
ASX’s recent update to Guidance Note 8 (GN 8) includes a detailed data breach case study, providing practical insights for entities navigating cybersecurity incidents.
This article explores how ASX’s guidance clarifies cybersecurity disclosure practices, focusing on four key aspects: the application of the Listing Rule 3.1A exception, the contents of announcements, ASX’s approach to confidential engagement with regulators, and the use of trading halts and voluntary suspensions.
1. Application of the Listing Rule 3.1A exception
The data breach case study outlines scenarios where immediate disclosure may not be warranted, due to insufficient information or uncertainty about the breach’s impact on the entity’s securities. The role of confidentiality is also discussed.
The example set out in GN 8 confirms that the mere existence of a cyber incident does not (of itself) enliven an obligation for immediate disclosure, but a listed entity must continually assess the materiality and the justification for maintaining confidentiality of the breach, to ensure that timely disclosure is made when or if required under the listing rules.
Investigation of the Incident
At the point where the entity is aware of the breach, but uncertain about its scope and impact on its business (for example, because data is encrypted and may therefore even if actually taken, be useless to a hacker), the exception in Listing Rule 3.1A.1 (bullet point 3) (along with the elements in Listing Rules 3.1A.2 and 3) are likely to apply to avoid disclosure, as it is not yet clear that the breach is price sensitive. This may even apply when a ransom demand threatening disclosure of a sample of information is received, or if it becomes known that some personal information routinely stored in encrypted form has been accessed (but the extent of access, and whether that information was exfiltrated, remains unknown) and this information is made known to the Office of the Australian Information Commissioner (OAIC) on a confidential basis.
At this stage:
- confidential engagement with regulators may remain confidential and does not result in loss of confidentiality for disclosure purposes; and
- preparation of a draft ASX announcement that may be rapidly released if necessary is recommended.
Announcement of the incident
If, at any point, it becomes evident that the breach is likely to be price sensitive, an announcement should be made. This will occur, for example, if it becomes evident that a large amount of customers’ sensitive information (such as personal information and credit card details) has been exfiltrated in unencrypted form. The same applies if a journalist becomes aware of the matter or if it becomes necessary to notify affected customers, as in these cases, the confidentiality element in Listing Rule 3.1A is lost.
Evolution of the incident
The case study provides commentary along a continuum as the incident unfolds, noting inflection points when disclosure may become necessary:
- discovery that a breach has occurred, but the extent and effect of the breach is not yet known;
- ransom demand;
- confirmation from experts that some personal and financial information has been exfiltrated, but there is insufficient information to determine if the breach is price sensitive, because the extent of the exfiltrated information and the extent to which that information was stored in encrypted form is not yet known;
- confidential engagement with regulators;
- formal notification to the OAIC;
- loss of confidentiality through the media or an obligation to notify affected customers;
- confirmation that a large amount of customers’ personal and financial information in unencrypted form has been exfiltrated;
- post announcement events, such as threats of wider publication of stolen data and payment of ransom demands;
- actual release of stolen information on the dark web; and
- potential class action from impacted customers or shareholders (and, subsequently, service of any such class action).
While the case study does not touch on this particular scenario, one other factor that a listed entity may need to consider is the extent to which the business activities of the entity are disrupted due to the cyber incident, such as when data is encrypted by the ransomware threat actor or when systems are inaccessible. Again, the key will be whether or not this is price sensitive.
2. Announcement content
The case study highlights information that the ASX expects should be included in announcements, such as a description of the breach, its potential impact on operations and the entity’s financial position, and the remedial measures being implemented and when further market updates can be expected. Specific inclusions recommended in ASX disclosure include:
- awareness of the type of data accessed;
- whether data has been exfiltrated;
- the number of customers or accounts impacted;
- whether data was accessed through T’s systems or a third party system; and
- whether the incident is continuing.
3. ASX’s approach to confidential engagement with regulators
ASX confirms that where an entity engages with regulators on a confidential basis about a data breach incident (ie before there is a formal notification lodged and/or notification to impacted individuals), such engagement does not result in loss of confidentiality for the purposes of the Listing Rule 3.1A exception to disclosure. Accordingly, the confidentiality limb of that exception will still apply and, provided the other prerequisites are satisfied, disclosure will not be required.
4. Use of trading halts and voluntary suspensions
During cybersecurity incidents, entities may use trading halts and voluntary suspensions to manage market uncertainties. However, trading halts and voluntary are not means to simply delay disclosure, and may be only appropriate where resolution of uncertainty is expected within a short period so as to enable more detailed disclosure. ASX also strongly encourages entities to engage with ASX early if they consider they may need a trading halt or voluntary suspension to manage their disclosure obligations with respect to a cyber-incident.
Conclusion
A listed entity experiencing a cyber incident may face a whole spectrum of decision points in managing its disclosure obligations as the various stages of the incident unfold. In what is already a complex, stressful and high stakes situation, this is an additional challenge for companies to navigate when faced with such a crisis.
As always, the test comes back to the price sensitivity of information, but how that plays out in a given scenario is not always straightforward. In these circumstances, the case study in the ASX’s updated GN8 sets out a useful practical scenario which boards of listed entities would do well to study closely.
The guidance is therefore a useful tool, not only to guide a company when responding to a real life cyber incident but also, ideally, as part of a company’s cyber incident response planning, including conducting cyber simulation exercises as part of a company’s incident preparedness.
Contacting our team
Our corporate team at HWL Ebsworth Lawyers regularly advises listed companies on ASX and Corporations Act compliance and can assist you in complying with your continuous disclosure obligations.
Our cyber incident response team can also assist you in the event of a cyber breach, including advising on relevant regulatory obligations (including notifiable data breaches), ransom demands, stakeholder communications, notifications to impacted individuals and working with other external experts to manage the response to an incident. You can also contact our cyber team if you would like assistance with incident response planning or conducting a cyber simulation exercise.
This article was written by Brent van Staden, Partner, Andrew Miers, Partner, Damien Gillespie, Special Counsel, Nicolas Totaro, Associate and Angus Clugston, Solicitor.
