Snapshot:
Organisations need to make constant decisions on how to meet their ongoing disclosure obligations for cyber events.
Historically, feedback indicates there has been a lack of adequate or suboptimal information to serve as guidance, particularly for evolving and complex situations when an organisation is under real-time pressure.
On 16 May 2024, the ASX released the latest guidance available here (opens a new window) which took effect from 27 May 2024. The update provides practical guidance for listed organisations and outlines broader regulatory intentions.
The guidance also emphasises the importance of ensuring that an organisation’s insurance program, including Directors & Officers (D&O), Cyber, and, if applicable, Tech E&O/IT insurance, is aligned to respond appropriately in such instances.
Cyber security, particularly incident response and management, extends beyond technology. It involves identifying risks, determining the acceptable risk level for the organisation, efficiently and commercially mitigating those risks, and being prepared to respond to and remain resilient during an event.
A holistic, resilience-led approach to cyber risk management goes beyond the technical. It means understanding regulatory obligations.
An increasing burden on discharging continuous disclosure obligations
In the context of an evolving cyber security event, all organisations must prepare for potential incidents. However, ASX-listed companies face an increasing burden in responding to these events, particularly in deciding how to fulfill their continuous disclosure obligations. This challenge is compounded by the lack of guidance available until recently.
Quick refresher
The general rule for continuous disclosure, as specified in ASX Listing Rule 3.1, is:
"Once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity's securities, the entity must immediately tell ASX that information."
New guidance on continuous disclosure obligations
On 16 May 2024, the ASX released “Guidance Note 8: Continuous Disclosure: Listing Rules 3.1 - 3.1B”, providing practical guidance for listed organisations on how to appropriately manage continuous disclosure obligations in the circumstances of a data breach.
Taking effect from 27 May 2024, the Guidance Note is a must-read for all listed entities and is available in full here (opens a new window). The Guidance Note walks through various steps of a cyber incident scenario, recognising the need for an organisation to work through what has happened before disclosure may be required.
It also discusses the implications of engaging with regulators before the incident has been disclosed. Non-listed entities are equally well placed to read the note and use the document as guidance as part of a wider playbook.
Pressed for time? Here are our key takeaways
Cyber events, the associated response and areas of focus are often sudden and unpredictable. Effective management of a cyber event needs to be holistic. This means using advisors to varying degrees who are experts in specific areas of specialism to complement internal capabilities.
Given the time sensitive nature of events, and the potential catastrophic consequences of getting it wrong, emotions can be high, and blinding. The impartiality that advisors bring can be priceless and essential. In the context of listed disclosure obligations, here are our three big takeaways:
Key takeaway one: when swift decisions must be made in the moment without full information or context, whilst entities may initially be excused from disclosing the incident if the knowledge of the incident is confidential, or if a reasonable person would expect the information to be kept private, an organisation should be ready to act as soon as that situation changes.
Key takeaway two: a situation can quickly shift when news of the breach becomes public or when unencrypted personal information of individuals has been taken, and notification to those affected is about to be made. Impartial guidance here is essential.
Key takeaway three: if there has been any new development or information regarding the breach which a reasonable person would expect to have a material effect on the entity’s value or share price, disclosure to the ASX is required. A good question to ask internally, is: “has material information become known that has not already been disclosed?” Who can provide an “outside in” perspective or opinion on this?
How can a cyber insurance policy help with holistic cyber event risk management and continuous disclosure obligations?
Cyber insurance continues to be an essential part of all organisations’ cyber resilience strategy. When an organisation purchases an insurance policy, they are typically buying a network of professional crisis managers who can be the “bench strength” to get them ready when not only making a disclosure to the market, but holistically managing the event, including effective communication and messaging, internally and externally.
What’s happening globally?
Looking abroad, the guidance note is timely given the U.S. Securities and Exchange Commission’s (“SEC”) recent stance to clarify the materiality definition when it comes to reporting cyber events.
The SEC has attempted to clarify when it expects public companies to report a cyber-attack/event under their own new rules that came into force in December 2023.
The SEC requires public companies to report a cyber-attack within four business days after it is determined that the attack will have a material impact to its operations, but critics have queried how companies should make such a determination.
The SEC released its stance on filing "placeholder" 8-Ks (which was becoming a more common occurrence due to the uncertainty around the materiality test and reaching the threshold), noting in summary, the SEC believes registrants should refrain from filing Item 1.05 8-Ks if they cannot explain the materiality of an incident, but they may file Item 8.01 8-Ks. This decision aims to prevent market confusion over potentially contradictory financial disclosures.
The positions of the regulators in Australia and the U.S. serve as a good insight into the intentions in the broader regulatory space when it comes to cyber events. They also speak to the importance – specific to insurance – of ensuring an organisation’s insurance program, specifically their Directors and Officers, Cyber and, if applicable, Tech E&O/IT program, is aligned to appropriately respond in such instances. The insurance market is responding in various manners, dictating the need for specialist expertise.
How the industry is reacting
King & Wood Mallesons: https://www.kwm.com/au/en/insights/latest-thinking/asx-provides-welcome-cyber-breach-disclosure-guidance-update-to-guidance-note-8.html (opens a new window)
Colin Biggers & Paisley: https://www.cbp.com.au/insights/insights/2024/may/listed-entities-cyber-update-asx-updates-continuo (opens a new window)
Herbert Smith Freehills: https://www.herbertsmithfreehills.com/insights/2024-05/asxs-new-continuous-disclosure-guidance-on-data-breaches (opens a new window)
Contents of this publication are provided for general information only. It is not intended to be interpreted as advice on which you should rely and may not necessarily be suitable for you. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content in this publication. Lockton arranges the insurance and is not the insurer. Any insurance cover is subject to the terms, conditions and exclusions of the policy. For full details refer to the specific policy wordings and/or Product Disclosure Statements available from Lockton on request.