Listed Entities Cyber Update: ASX updates continuous disclosure guidance note for cyber incidents and data breaches
By Katherine Jones and Morgan Lane
On 27 May 2024, the ASX updated its 'Listing Rules Guidance Note 8 Continuous Disclosure' to include an example and commentary specific to a listed entity's disclosure obligations in the event of a cyber incident or data breach.
In brief
On 27 May 2024, the ASX updated its 'Listing Rules Guidance Note 8 Continuous Disclosure' (Guidance Note) to include an example and commentary specific to a listed entity's disclosure obligations in the event of a cyber incident or data breach.
The recent update notably includes a detailed data breach scenario with accompanying comments providing guidance on when an entity should disclose a data breach and, upon disclosure to market, what information should be included.
This piece briefly summarises the ASX continuous disclosure obligation and provides our comments on what this update means for listed entities.
ASX Listing Rule 3.1
The general rule to continuous disclosure outlined in ASX Listing Rule 3.1 is:
"Once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity's securities, the entity must immediately tell ASX that information."
This rule is designed to drive timely disclosure for an informed market (subject to certain exceptions - see Listing Rule 3.1A). The new cyber incident content does not change the rule; it adds a cyber-specific example and comments on how the existing rule may apply in such an event.
The update also comments on how listed entities can be exempt from such disclosure (under Listing Rule 3.1A) where all three of the following requirements apply:
- Any one or more of the following situations applies:
  - it would be a breach of a law to disclose the information;
  - the information concerns an incomplete proposal or negotiation;
  - the information comprises matters of supposition or is insufficiently definite to warrant disclosure;
  - the information is generated for the internal management purposes of the entity; or
  - the information is a trade secret; and
- The information is confidential and ASX has not formed the view that the information has ceased to be confidential; and
- A reasonable person would not expect the information to be disclosed.
The update specifically emphasises how entities that are the subject of a cyber incident or data breach may, at least initially, be exempt from disclosure on the grounds that information about the incident is "insufficiently definite to warrant disclosure"; knowledge of the incident is confidential; and a reasonable person would not expect the information to be disclosed. While this updated commentary is consistent with our existing understanding of how the continuous disclosure rules would apply, this specific clarification is particularly helpful in the context of a cyber breach, where quick decisions need to be made without the luxury of extended time for legal analysis.
A breach of the continuous disclosure obligations is an offence under Chapter 6CA of the Corporations Act 2001 (Cth), which can be punishable by up to 5 years' imprisonment and can cause the company to be suspended from ASX quotation.
While the ASX's example relates to a listed entity that holds "a significant amount of personal information about its customers" (e.g. sensitive information (as that term is defined under the Privacy Act 1988 (Cth) (Privacy Act)) and financial information such as credit card details), the analysis and takeaways in the Guidance Note and this article apply to all listed entities.
A cyber breach has occurred - when will disclosure not be expected?
While every case turns on the application of the law to its specific facts, according to the ASX's example within the recent update, disclosure of a cyber incident or data breach will not be expected in situations where the breach is confidential and:
- a breach has just been identified, but it is unclear at the time what information has been accessed and whether any information has been taken or "exfiltrated" (the example case study comments on the situation where all personal information is held in encrypted form and a forensic expert has been engaged to urgently assess the situation on a confidential basis);
- there has been a ransom demand (e.g. with the threat of publicly releasing personal information), but it is still unclear what type of information was accessed and whether that information was encrypted;
- the company approaches regulators on a confidential basis. Engagement with regulators on a confidential basis in this context does not cause confidentiality to be lost for the purposes of LR 3.1A;
- a forensic expert confirms to the listed entity that some unencrypted personal information has been exfiltrated (including sensitive information), but it is still uncertain how much information was taken. If the information that is the subject of the breach is materially price sensitive, but the requirements of the LR 3.1A exception continue to be met, disclosure is not required; or
- information about the breach is "insufficiently definite to warrant disclosure" (i.e. there is no knowledge of any personal information having been accessed), the entity is taking immediate and urgent action to obtain sufficient information about the breach, and in doing so has kept news of the breach confidential.
A cyber breach has occurred - when is disclosure required?
The example provides that disclosure becomes required as soon as:
- it is confirmed that unencrypted personal information of individuals has been exfiltrated and notice to affected individuals is imminent (this is because the entity will likely be required to notify the Office of the Australian Information Commissioner and affected individuals under the Privacy Act, causing news of the breach to lose its confidentiality and therefore its disclosure exemption); or
- news of the breach loses confidentiality (e.g. a journalist approaches the entity enquiring about the breach, data from the breach has been released publicly or on the dark web, rumours have circulated about the breach, etc.).
Further disclosure would be required if material new information becomes known that has not already been disclosed in a previous market announcement. Whether further disclosure is required will again turn on whether there is any new development or information regarding the breach that a reasonable person would expect to have a material effect on the entity's value or share price. This could include situations where:
- personal information is leaked or released by the cyber criminal; or
- a class action or other legal claim in relation to the breach has been served.
A cyber breach has occurred - what information is expected to be disclosed?
Although each market announcement will depend on all of the facts and actual knowledge at the time, the ASX expects disclosure to include any of the following information that is known at the time of the announcement:
- a description of what has occurred (including whether the breach was through an internal or third-party system);
- material facts about the breach (including what type of data has been accessed or exfiltrated) and whether the incident is continuing;
- any material impact on the operations or financial position of the breached entity because of the breach;
- the actions that the breached entity is taking in response to the breach (including the steps it is taking to identify the full extent of the breach); and
- when the breached entity expects to provide a further update on the breach and surrounding circumstances.
Updated cyber breach content - key takeaways
1. The new content deals with personal information but entities should consider all information
The ASX update comments on how continuous disclosure obligations operate in the event of unauthorised access to personal information (e.g. sensitive information such as an individual's health information, or an individual's financial information). It does not deal with the exfiltration of other types of commercially sensitive or "commercial in confidence" information which is not personal information but which gives an entity a commercial advantage and drives its performance and value (such as the entity's intellectual property or key operational and customer data).
Having to consider disclosure is not confined to unauthorised access to personal information. Upon a breach, a listed entity should not simply consider whether it is personal information that has been accessed, but rather whether the information exfiltrated or lost may have a material effect on the entity's share price.
If the breached entity is unsure about whether the information is materially price sensitive, the ASX expects disclosure. This is to avoid the risk of investors trading on a false market.
2. The benefit of encrypting or hashing information
That the example given by the ASX in the Guidance Note expressly contemplates encrypted data could be said to reflect a general recognition, or expectation, that data (especially personal information) is stored in encrypted form.
Encryption can mitigate the effects of a cyber incident or data breach and give an entity more time before it is required to disclose to the market. That benefit depends on the encryption actually holding: data is only meaningfully protected if the attacker did not also obtain the keys, and the forensic review can establish that to be the case.
3. The importance of preparation
Aside from the fact that preparations for cyber resilience and data security are modern-day non-negotiables for good governance and the proper conduct of business, it could be said that a listed entity's preparations for dealing with a cyber security incident or data breach are even more important given that listed entities are custodians of shareholders' investments and retirement savings.
Proper preparations, including training, reporting and having external advisers at the ready (including in respect of making a disclosure to market), mean that a listed entity will be in a position to assess when and how disclosure is "immediately" made to the market.
4. The importance of taking immediate action
As soon as an incident or breach is identified, the affected entity should immediately start preparing a draft market announcement. This is because as soon as the entity obtains, or ought reasonably to have obtained, sufficiently definite information to warrant disclosure, disclosure is required "promptly and without delay". Relevantly, "the fact that the situation is developing, and all of the relevant facts are not yet known is unlikely to be, of itself, a reason to delay disclosure of what is known".
The ASX may grant, upon request from the affected entity, a trading halt or voluntary suspension to allow the entity time to prepare the market announcement. However, there is no guarantee that a voluntary suspension or trading halt will be granted, or that it will be granted for long enough.
Additionally, entities cannot rely indefinitely on the exemption that information about the breach is "insufficiently definite to warrant disclosure" unless they are taking reasonable steps to obtain sufficiently definite information. As seen in the examples above, the ASX excuses immediate disclosure of a potential or actual data breach on the basis that the breached entity is taking urgent steps to understand the nature of the breach. This is because the obligation arises not only when an entity becomes aware of sufficiently definite information about the breach, but also when it "ought reasonably to have" become aware of such information.
Further, in the context of the third limb of the exception to disclosure in Listing Rule 3.1A, we are of the view that a reasonable person would not expect material information regarding a cyber breach to be withheld indefinitely.