Insight

ASX guidance on disclosure in a cyber breach: Sensible guidance but there’s more to think about


As we commented in May (see ASX provides welcome cyber breach disclosure guidance), the ASX updated Guidance Note 8 to include a new example addressing a cyber incident.

Like the other examples in the Guidance Note, the new cyber example gives guidance on the ASX’s view of how various ‘typical’ steps in a cyber incident should be looked at from a continuous disclosure perspective.

While the guidance is sensible and helpful on the whole, it can’t (and doesn’t) address all the twists and turns listed companies are likely to face when they are the subject of a cyber incident.

The sensible and helpful:

A key aspect of the new ASX guidance is a recognition that in the early stages of an incident, disclosure may not be needed where it’s not clear what information has been accessed, whether anything has been taken and even where regulators have been approached on a confidential basis.

The twists and turns:

How much time this guidance actually buys a listed company facing a cyber incident before disclosure is required can never be made clear in advance.

The ASX’s guidance relies in part on the preservation of confidentiality surrounding the incident to guide disclosure decisions (including as to timing) in the very early stages. But there can be other factors at play that impact these decisions and might prompt disclosure earlier than might otherwise be required.

For example:

  • Does the incident – even in its very early stages – trigger any notification or disclosure obligations to third parties under contract (e.g. customers or suppliers or joint venture partners)? Perhaps notification to a very small number of these third parties under an appropriate confidentiality regime preserves confidentiality for LR 3.1 purposes, but the notification of a broad cohort of third parties may weigh in favour of disclosure.
  • What about if the company needs to immediately shut down some systems to help ensure more damage isn’t done until the picture is clearer? Even if that action is only known to employees, and not third parties, are too many on notice that something has happened that hasn’t been made public? Does that increase the leak risk? If customer-facing functionality has been affected by a shutdown, it’s hard to see how concurrent disclosure can be delayed.
  • What about if a threat actor starts to contact customers, including by using public platforms, to put pressure on the listed company to respond or engage? While there are some standard playbooks threat actors tend to follow, their behaviour isn’t always predictable, and any plan needs to be flexible.

Having helped a number of listed companies deal with major cyber incidents, in our experience no two incidents are the same, and listed companies in Australia face unique challenges arising from cyber incidents. The ASX’s new guidance is helpful, but like all of the examples in Guidance Note 8 it shouldn’t be followed slavishly, nor considered exhaustive.

Particularly at the very start of a cyber incident, events often unfold rapidly and in real time. Judgment calls will need to be made and retested in dynamic circumstances, including when new information comes to light. The interests of many stakeholders need to be considered, and many commercial and legal factors taken into account, in making decisions on disclosure. The better prepared you are, the better you are able to make these judgment calls in real time. Having a well thought out (and current) stakeholder management plan in place that has been reviewed and tested is a key part of this. That will require some investment of time and money, but it is worth it.

And, once disclosure is made, listed companies are likely to be in constant dialogue with the market about the incident, particularly in the early stages and as information comes to light. This helps ensure that any concurrent communications to third parties like customers and suppliers don’t give rise to issues around selective disclosure.
