Consider this. You’re a director of a publicly listed company, rushing to join your fellow board-members for a swiftly convened in-person meeting. Online wasn’t an option as the company has been hacked.
Your mind races. IT, security and cyber consultants are working furiously to understand the nature and extent of the breach, but few details can be confirmed. Markets open in half an hour. What if the press finds out? Do you know enough to warrant disclosure? Request a trading halt? What can even be said in an announcement?
Key Takeaways
- ASIC and ASX are increasingly focussed on cyber incidents and data breaches
- Disclosure considerations can be very challenging in the context of a live cyber incident
- Trading halts and suspensions are short term, and cannot be used to attain ‘perfect information’
- Rigorous planning and real-time scenario-testing are critical
Unsurprisingly given the increasingly challenging cyber environment, managing IT and cyber risks is a key area of focus for businesses. Over 50% of respondents to KWM’s recent Directions survey identified these areas as a key concern over the short term. [1] Cyber risk was also identified as one of the top concerns facing business leaders in KPMG’s 2023 “Keeping us up at night” survey. [2]
During the 2021-22 financial year, over 76,000 cyber crime reports were made to the ACSC, an increase of nearly 13% from the previous financial year. [3] Adding to earlier publicised incidents, there have been more cyber incidents announced by ASX listed companies in the past few weeks alone.
Given the increased frequency and severity of cyber crimes, and the heightened scrutiny and expectations that companies are facing from the public and regulators, it is imperative that all companies are adequately prepared for a cyber incident.
ASX listed companies face an added layer of complexity arising from their continuous disclosure obligations, and must be prepared to manage those obligations if a material cyber incident arises. The financial, legal and reputational implications of a failure to adequately disclose are potentially significant, particularly given the potential for a significant cyber incident to materially affect the share price.
Continuous disclosure obligations
The basic continuous disclosure obligation for a listed company is to immediately disclose to ASX any information concerning it that a reasonable person would expect to have a material effect on the price or value of the company’s securities. Announcements should contain sufficient detail for investors or their professional advisors to understand the ramifications of the information and its impact on the share price.
What comprises a ‘material effect on price or value’ in the context of a cyber incident can be very difficult to determine, particularly in the early stages. While recognising this complexity, ASX indicated in 2022 that it was unwilling to implement prescriptive thresholds as to what comprises a “material effect” in the context of a cyber incident, and that listed companies should remain guided by their existing continuous disclosure obligations. However, given the increasing frequency of incidents, further guidance from the ASX may be forthcoming.
Absent a prescriptive standard, what constitutes a ‘material effect’ in the context of cyber incidents will likely evolve as the market grapples with the increasingly regular attacks and what they mean for disclosure obligations.
Regulatory context and key considerations
Increased regulatory scrutiny regarding continuous disclosure and cybersecurity
(a) ASIC
ASIC has recently indicated that it will be seeking “record penalties for breaches of market disclosure amid new findings that listed companies are acting illegally by failing to disclose material cyber attacks”. [4] With the recent $15 million fine against GetSwift for continuous disclosure breaches (although unrelated to cyber issues), ASIC deputy chairman Sarah Court has signalled ASIC will pursue even higher fines in relation to continuous disclosure breaches.
ASIC has also confirmed that consideration of cyber risks is required when exercising directors’ duties, in particular with respect to acting with care, skill and diligence. Directors need to be mindful of personal liability issues and class action risks if there is a failure to satisfy their duties with respect to cyber risks.
(b) ASX
As flagged above, ASX is also increasingly focussed on cyber incidents and data breaches. In November 2022 the ASX Chief Compliance Officer, Moran, noted that “it wouldn’t be surprising if we see more disclosures to the market” regarding cyber incidents, indicating an expectation from the ASX that companies should be increasingly conscious of their continuous disclosure obligations regarding cyber issues. Further, Moran encouraged listed companies to:
- prepare in advance and update their plans regarding how they intend to inform the market in the event of a cyber attack or data breach; and
- ensure that they fulfil their continuous disclosure obligations by:
  - if there is sufficient information, disclosing any information about the cyber attack as early as possible; or
  - if the company requires further information, considering the use of trading halts and/or brief voluntary suspensions. [5]
However, ASX flagged that a company cannot rely on a trading halt or suspension to defer the disclosure of market sensitive information. Temporary halts and suspensions can only be used where the relevant facts are not known because the situation is continually unfolding. Moran stressed that the goal is not “perfect information” but rather to get the “information that you need to disclose to the market”.
Continuous disclosure obligations are relevant to various types of breaches and stages of a cyber breach
A cyber incident can often be a rapidly evolving scenario, which takes time to work through in order to determine its impact and scale. However, listed companies must turn their minds at each stage of the incident to whether there is information that could materially impact their share price, including:
- at the first instance that a cyber incident has been discovered, and as further material information becomes known
- if and when a ransom has been demanded for the return of data
- if and when data has been released by a threat actor
- if ransomware has been deployed or a data breach has materially disrupted operations
- when impacted individuals are required to be notified
- at the commencement of any class action proceedings or regulatory investigations
- if a decision is made to remediate impacted individuals.
Given the complexity of an evolving cyber incident, it is imperative to have a robust governance process and framework in place. Difficult judgements must be made with respect to the timing and content of disclosures, having regard to the following considerations:
- the full extent of a breach will rarely be apparent from the first detection of a cyber threat (and may broaden in scope as a cybersecurity event evolves) – the drafting of a disclosure must therefore weigh up the timeliness and the accuracy of the information available to the company
- although any disclosure must be made based on the best information available to the company at that time, a company must be careful that disclosure is accurate at the time of disclosure – and caveated if necessary – to avoid disclosing information that may later be discovered to be false
- once regulators and authorities are notified of the cyber breach, it is likely that any confidentiality with respect to the details of the incident will be lost
- trading halts may be an effective tool to allow a company to gather the necessary information to make an informed disclosure; however, ASX has stressed these cannot be relied upon to obtain “perfect information” – rather, merely to gather the “information that you need to disclose to the market”
- although the business may determine that an individual stage of a cyber incident is not disclosable, an important consideration is whether the cumulative effect of any updates could materially impact price or value. In such an instance, disclosure must be made.
What companies should do now
The Australian Institute of Company Directors published its Cyber Security Governance Principles in October 2022, which provide a practical framework for organisations to build stronger cyber resilience. [6]
At a high level, these principles recommend:
- setting clear roles and responsibilities
- developing, implementing and evolving a comprehensive cyber strategy
- embedding cyber security in existing risk management practices
- promoting a culture of cyber resilience
- planning for a significant cyber security incident
We recommend that all directors and executives familiarise themselves with these helpful principles as they are likely to set a baseline regarding cyber security governance expectations.
No matter the size of your IT department, or the amount of money you have invested in your cyber security defences, it is impossible to guarantee that you will be immune from a cyber incident. Preparation for such an incident is key, and clear processes and accountabilities are critical. If you would like assistance in preparing for a potential cyber incident, please reach out to our authors.