Insight,

ASX guidance on disclosure in a cyber breach: Sensible guidance but there’s more to think about


As we commented previously in May (see ASX provides welcome cyber breach disclosure guidance), the ASX updated Guidance Note 8 to include a new example addressing a cyber incident.

Like the other examples in the Guidance Note, the new cyber example gives guidance on the ASX’s view of how various ‘typical’ steps in a cyber incident should be looked at from a continuous disclosure perspective.

While the guidance is sensible and helpful on the whole, it can’t (and doesn’t) address all the twists and turns listed companies are likely to face when they are the subject of a cyber incident.

The sensible and helpful:

A key aspect of the new ASX guidance is a recognition that in the early stages of an incident, disclosure may not be needed where it’s not clear what information has been accessed, whether anything has been taken and even where regulators have been approached on a confidential basis.

The twists and turns:

How much time this guidance actually buys a listed company facing a cyber incident before disclosure is required can never be made clear in advance.

The ASX’s guidance relies in part on the preservation of confidentiality surrounding the incident to guide disclosure decisions (including as to timing) in the very early stages. But there can be other factors at play that impact these decisions, which might prompt disclosure earlier than might otherwise be required.

For example:

  • Does the incident – even in its very early stages – trigger any notification or disclosure obligations to third parties under contract (e.g. customers or suppliers or joint venture partners)? Perhaps notification to a very small number of these third parties under an appropriate confidentiality regime preserves confidentiality for LR 3.1 purposes, but the notification of a broad cohort of third parties may weigh in favour of disclosure.
  • What about if the company needs to immediately shut down some systems to help ensure more damage isn’t done until the picture is clearer? Even if that action is only known to employees, and not third parties, are too many on notice that something has happened that hasn’t been made public? Does that increase the leak risk? If customer-facing functionality has been affected by a shutdown, it’s hard to see how concurrent disclosure can be delayed.
  • What about if a threat actor starts to contact customers, including by using public platforms, to put pressure on the listed company to respond or engage? While there are some standard playbooks threat actors tend to follow, their behaviour isn’t always predictable, and any plan needs to be flexible.

Having helped a number of listed companies deal with major cyber incidents, our experience is that no two incidents are the same, and that listed companies in Australia face unique challenges arising from cyber incidents. The ASX’s new guidance is helpful, but like all of the examples in Guidance Note 8 it shouldn’t be followed slavishly, nor considered exhaustive.

Particularly at the very start of a cyber incident, events often unfold rapidly and in real time. Judgment calls will need to be made and retested in dynamic circumstances, including when new information comes to light. The interests of many stakeholders need to be considered, and many commercial and legal factors taken into account, in making decisions on disclosure. The better prepared you are, the better you are able to make these judgment calls in real time. Having a well thought out (and current) stakeholder management plan in place that has been reviewed and tested is a key part of this. That will require some investment of time and money, but it is worth it.

And, once disclosure is made, listed companies are likely to be in constant dialogue with the market about the incident, particularly in the early stages and as information comes to light. This helps ensure that any concurrent communications to third parties like customers and suppliers don’t give rise to issues around selective disclosure.
