29/07/2024 | News release | Distributed by Public on 29/07/2024 10:28
Following recent high-profile data breaches impacting ASX listed entities, ASX has included guidance and worked examples in ASX Guidance Note 8 - Continuous Disclosure: Listing Rules 3.1 - 3.1B (Guidance Note) on the disclosure requirements for ASX listed entities in the event of a data breach. The Guidance Note provides listed entities with practical guidance on the timing and content of market announcements, and insight into ASX's expectations for approaching disclosure requirements.
A data breach occurs when personal information is accessed or disclosed without authorisation or is lost.[1] Examples include sensitive information being sent to an unintended recipient, or a hacker gaining unauthorised access to an entity's systems containing personal client/customer data (including business and financial information). The data breach described in the Guidance Note refers to the latter.
There are cyber incidents that are not data breaches, such as fraudulent transactions conducted over an entity's network and systems, fraudulently accessing or initiating banking transactions, or an entity successfully thwarting a cyberattack so that no information has been compromised. This is not to say such incidents are not required to be disclosed to the market; however, the new examples in the Guidance Note refer to a data breach only.
A listed entity should carefully consider whether, based on the information available to the listed entity at this stage, the data breach is materially price sensitive.
If a listed entity has (1) identified the breach but has incomplete information about the circumstances of the incident and (2) is not in a position to determine whether the breach is material to the price or value of securities of the listed entity, disclosure would not be required at this stage.
Market disclosure will be required where the event is materially price sensitive.
Listed entities will need to consider whether the three requirements satisfying the exception to general disclosure in Listing Rule 3.1A are met, namely, whether a reasonable person would not expect the information to be disclosed, whether the information is confidential and whether the information falls into at least one of the five categories listed in Listing Rule 3.1A.1.[2] If all three requirements are satisfied, disclosure would not be required at this stage.
While it can be difficult to determine the extent of the data breach, the general rule for determining whether the breach is materially price sensitive is whether a reasonable person would expect the breach to have a material effect on the price of the entity's securities. Forensic experts can assist listed entities by investigating the data breach to determine the extent of the breach as soon as the listed entity is aware of a suspected or actual data breach.
Once the listed entity has obtained more information about the breach, it will be easier to determine whether the breach is materially price sensitive. Price sensitivity will be determined by considering the nature of the data that may have been exfiltrated, the volume of the data and whether the data has been encrypted. If the breach is materially price sensitive, immediate disclosure is required.
Where a listed entity receives a ransom email from a cybercriminal threatening to publicly release personal information obtained in the data breach if the listed entity does not pay a ransom, the listed entity should consider the following factors before making a decision to disclose to the market:
If the data breach ceases to be confidential, the listed entity will be required to immediately disclose the breach.[3] The Guidance Note provides that the confidentiality of a data breach will be lost if (i) the listed entity notifies affected parties, (ii) there is speculation about a data breach in the media, (iii) data has been released onto the dark web or (iv) the listed entity notifies the Office of the Australian Information Commissioner.
Consultation with relevant regulators and ASX during the early stages of investigation will not compromise the confidentiality of the breach and, in fact, engagement with ASX throughout the data breach is encouraged.
The public announcement should be drafted based on all the information that is known to the listed entity at the time. The announcement will be expected to, at a minimum, include a description of the data breach, the type of data that has been accessed, the number of customers or accounts that have been impacted and whether the data was accessed through the listed entity's systems or through a third party.[4]
It can be useful for a listed entity to prepare draft market announcements (for different scenarios) in advance to help the listed entity comply with immediate disclosure requirements, which will arise when the data breach has lost confidentiality and the breach is materially price sensitive.
Dentons can assist with any queries you may have in relation to the disclosure requirements for ASX listed entities. Please contact Kym Livesley, Urvashi Seomangal or your usual member of the Dentons Corporate team for further information.