As we commented previously in May (see ASX provides welcome cyber breach disclosure guidance), the ASX updated Guidance Note 8 to include a new example addressing a cyber incident.
Like the other examples in the Guidance Note, the new cyber example gives guidance on the ASX’s view of how various ‘typical’ steps in a cyber incident should be looked at from a continuous disclosure perspective.
While the guidance is sensible and helpful on the whole, it can’t (and doesn’t) address all the twists and turns listed companies are likely to face when they are the subject of a cyber incident.
The sensible and helpful:
A key aspect of the new ASX guidance is a recognition that in the early stages of an incident, disclosure may not be needed where it’s not clear what information has been accessed, whether anything has been taken, and even where regulators have been approached on a confidential basis.
The twists and turns:
How much time this guidance actually buys a listed company facing a cyber incident before disclosure is required can never be made clear in advance.
The ASX’s guidance relies in part on the preservation of confidentiality surrounding the incident to guide disclosure decisions (including as to timing) in the very early stages. But there can be other factors at play that impact these decisions and which might prompt disclosure earlier than might otherwise be required.
For example:
- Does the incident – even in its very early stages – trigger any notification or disclosure obligations to third parties under contract (e.g. customers, suppliers or joint venture partners)? Perhaps notification to a very small number of these third parties under an appropriate confidentiality regime preserves confidentiality for LR 3.1 purposes, but the notification of a broad cohort of third parties may weigh in favour of disclosure.
- What if the company needs to immediately shut down some systems to help ensure more damage isn’t done until the picture is clearer? Even if that action is only known to employees, and not third parties, are too many on notice that something has happened that hasn’t been made public? Does that increase the leak risk? If customer-facing functionality has been affected by a shutdown, it’s hard to see how concurrent disclosure can be delayed.
- What if a threat actor starts to contact customers, including by using public platforms, to put pressure on the listed company to respond or engage? While there are some standard playbooks threat actors tend to follow, their behaviour isn’t always predictable, and any plan needs to be flexible.
Having helped a number of listed companies deal with major cyber incidents, we have found that no two incidents are the same and that listed companies in Australia face unique challenges arising from cyber incidents. The ASX’s new guidance is helpful but, like all of the examples in Guidance Note 8, it shouldn’t be followed slavishly, nor considered exhaustive.
Particularly at the very start of a cyber incident, events often unfold rapidly and in real time. Judgment calls will need to be made and retested in dynamic circumstances, including when new information comes to light. The interests of many stakeholders need to be considered, and many commercial and legal factors taken into account, in making decisions on disclosure. The better prepared you are, the better able you are to make these judgment calls in real time. Having a well-thought-out (and current) stakeholder management plan in place that has been reviewed and tested is a key part of this. That will require some investment of time and money, but it is worth it.
And, once disclosure is made, listed companies are likely to be in constant dialogue with the market about the incident, particularly in the early stages and as information comes to light. This helps ensure that any concurrent communications to third parties like customers and suppliers don’t give rise to issues around selective disclosure.