Dentons US LLP

29/07/2024 | News release | Distributed by Public on 29/07/2024 10:28

Breaking the news to investors: Disclosure requirements for ASX listed entities where there is a data breach

July 29, 2024

Following recent high profile data breaches impacting ASX listed entities, ASX has included guidance and worked examples in ASX Guidance Note 8 - Continuous Disclosure: Listing Rules 3.1 - 3.1B (Guidance Note) on the disclosure requirements for ASX listed entities in the event of a data breach. The Guidance Note provides listed entities with practical guidance on the timing and content of market announcements, and insight into ASX's expectations for approaching disclosure requirements.

What is a data breach?

A data breach occurs when personal information is accessed or disclosed without authorisation or is lost.[1] Examples include sensitive information being sent to an unintended recipient, or a hacker gaining unauthorised access to an entity's systems containing personal client/customer data (including business and financial information). The data breach described in the Guidance Note refers to the latter.

There are cyber incidents that are not data breaches, such as fraudulent transactions conducted over an entity's network and systems, fraudulently accessing or initiating banking transactions, or where an entity has successfully thwarted a cyberattack such that no information has been compromised. This is not to say such incidents are not required to be disclosed to the market; however, the new examples in the Guidance Note refer to a data breach only.

When is a market announcement required?

A listed entity should carefully consider whether, based on the information available to the listed entity at this stage, the data breach is materially price sensitive.

If a listed entity has (1) identified the breach but has incomplete information about the circumstances of the incident and (2) is not in a position to determine whether the breach is material to the price or value of securities of the listed entity, disclosure would not be required at this stage.

Market disclosure will be required where the event is materially price sensitive.

Listed entities will need to consider whether the three requirements satisfying the exception to general disclosure in Listing Rule 3.1A are met, namely, whether a reasonable person would not expect the information to be disclosed, whether the information is confidential, and whether the information falls into at least one of the five categories listed in Listing Rule 3.1A.1.[2] If all three requirements are satisfied, disclosure would not be required at this stage.

Is the data breach materially price sensitive?

While it can be difficult to determine the extent of the data breach, the general rule for determining whether the breach is materially price sensitive is whether a reasonable person would expect the breach to have a material effect on the price of the entity's securities. Forensic experts can assist listed entities by investigating the data breach to determine the extent of the breach as soon as the listed entity is aware of a suspected or actual data breach.

Once the listed entity has obtained more information about the breach, it will be easier to determine whether the breach is materially price sensitive. Price sensitivity will be determined by considering the nature of the data that may have been exfiltrated, the volume of the data and whether the data has been encrypted. If the breach is materially price sensitive, immediate disclosure is required.

What happens if the listed entity receives a ransom demand by email?

Where a listed entity receives a ransom email from a cybercriminal threatening to publicly release personal information obtained in the data breach if the listed entity does not pay a ransom, the listed entity should consider the following factors before making a decision to disclose to the market:

  • the extent of the investigations carried out by the listed entity and its forensic experts at this stage; and
  • whether it is clear at this stage that the breach is materially price sensitive.

Is the data breach confidential?

If the data breach ceases to be confidential, the listed entity will be required to immediately disclose the breach.[3] The Guidance Note provides that the confidentiality of a data breach will be lost if (i) the listed entity notifies affected parties, (ii) there is speculation about a data breach in the media, (iii) data has been released onto the dark web or (iv) the listed entity notifies the Office of the Australian Information Commissioner.

Consultation with relevant regulators and ASX during the early stages of investigation will not compromise the confidentiality of the breach and, in fact, engagement with ASX throughout the data breach is encouraged.

What information should be included in the public announcement?

The public announcement should be drafted based on all the information that is known to the listed entity at the time. The announcement will be expected to, at a minimum, include a description of the data breach, the type of data that has been accessed, the number of customers or accounts that have been impacted and whether the data was accessed through the listed entity's systems or through a third party.[4]

It can be useful for a listed entity to prepare draft market announcements (for different scenarios) in advance to help the listed entity comply with the immediate disclosure requirement, which will arise when the data breach has lost confidentiality and the breach is materially price sensitive.

Dentons can assist with any queries you may have in relation to the disclosure requirements for ASX listed entities. Please contact Kym Livesley, Urvashi Seomangal or your usual member of the Dentons Corporate team for further information.

  1. Notifiable data breaches | Office of the Australian Information Commissioner, accessed 25 July 2024.
  2. ASX Listing Rule 3.1A.1 requires that one or more of the following 5 situations applies: (i) it would be a breach of law to disclose the information; (ii) the information concerns an incomplete proposal or negotiation; (iii) the information comprises matters of supposition or is insufficiently definite to warrant disclosure; (iv) the information is generated for the internal management purposes of the entity; or (v) the information is a trade secret.
  3. ASX Listing Rule 3.1A.2.
  4. If disclosure is required before the full extent of the breach is realised and before all the required information is known, the announcement should include a statement that the entity is still investigating the breach and is not yet aware of the full extent or impacts of the breach. The listed entity may also request a trading halt or voluntary suspension to allow time to prepare a detailed announcement to market, however, it is ultimately ASX's decision whether the request will be acted on.