Following recent high-profile cyber breaches, ASX has included a new data breach worked example in its updated Guidance Note 8 (effective 27 May 2024). A mark-up comparing the updated Guidance Note 8 to the current version can be accessed here.
The example walks through various steps of a cyber incident, recognises the need for a company to work through what has happened before disclosure may be required and discusses the implications of engaging with regulators before the incident has been disclosed.
When ASX considers that disclosure would not yet be required (or that further disclosure is not required):
- during the initial stage of a cyber breach where it is not yet clear what information has been accessed and whether anything has been taken or ‘exfiltrated’.
- receipt of a ransom demand email where it is unclear whether any data was exfiltrated and it appears that the relevant data that was accessed was encrypted.
- approaching regulators on a confidential basis because a cyber breach potentially relates to sensitive information. Engagement with regulators on a confidential basis in this context does not cause confidentiality to be lost for the purposes of LR 3.1A. However, a draft announcement should be prepared so it can be rapidly released in case the breach ceases to be confidential (and the information relating to the breach is material).
- a forensic expert confirms to the company that some unencrypted personal information has been exfiltrated (including sensitive information of customers), but it is still uncertain how much information was taken. Even if the company determines that information regarding the breach is materially price sensitive, disclosure is not required as long as the requirements of the LR 3.1A exception continue to be met.
- if the material details of a cyber breach have already been disclosed to the market (and the company’s securities are trading), and a cyber criminal sends a message to the company threatening to publish all of the personal information it holds if a ransom is not paid in 24 hours.
- if, following disclosure to the market regarding an incident, the company becomes aware of commentary from class action lawyers indicating they are considering potential material claims and inviting impacted customers and interested shareholders to get in touch to register their interest (but the company should be prepared to immediately disclose if and when a class action is served or the information about the potential material legal claims becomes materially price sensitive).
When disclosure (or further disclosure) is ordinarily required:
- when the company intends to notify individuals affected by the cyber breach (specifically, ASX considers it “prudent” to release a market announcement before notifying affected individuals, because the breach will cease to be confidential at that point). However, even if a company chooses not to make a market announcement at the time of notifying affected individuals (because the company considers that the breach was not materially price sensitive), ASX may require the company to release a market announcement if ASX detects abnormal trading in the company’s securities or considers that there is a false market in the company’s securities (for example, due to rumours or commentary in the media about the breach).
- a forensic expert confirms to the company that a cyber criminal has exfiltrated unencrypted personal information about a large number of customers, and the company is approached by a journalist saying that they have had reports of a cyber incident and asking for comment for an article they are planning to write. At this point, the company, in consultation with ASX, may also request a trading halt to allow time to prepare an ASX announcement regarding the scope of the incident. The updated Guidance Note 8 provides guidance regarding the content that ASX expects to be included in such a release, and indicates when ASX may agree to grant a voluntary suspension.
- a cyber criminal releases a large volume of exfiltrated personal information onto the dark web.
We welcome the additional guidance that ASX has provided in this updated Guidance Note, which provides sensible and helpful clarity regarding the application of the continuous disclosure rules in a data breach context.
While various aspects of managing a data breach remain very complex, particularly in highly regulated industries, the additional guidance provides helpful insights for ASX listed entities.