ASX decodes data breach continuous disclosure obligations
In the context of a live cyber security attack involving a potential data breach, ASX listed companies need to make decisions about how to discharge their continuous disclosure obligations with often imperfect information and in evolving and complex circumstances under real time pressure.
Acknowledging that what is required of a listed company to discharge its disclosure obligations in these situations will necessarily be fact-dependent, ASX released on 16 May 2024 a very helpful update to ASX Guidance Note 8: Continuous Disclosure: Listing Rules 3.1 - 3.1B to include a new worked example, providing practical guidance for listed companies on how to appropriately manage continuous disclosure obligations in the circumstances of a data breach. The updated Guidance Note will take effect from 27 May 2024.
Given the ever-present risk of cyber security breaches faced by companies, this update is topical and should be carefully considered by ASX listed companies.
Key principles
Through the new worked example in updated ASX Guidance Note 8, which steps through the evolving circumstances of a live cyber security attack involving a potential data breach, ASX has illustrated in an effective and practical way the application of existing key principles that should guide a listed company in managing continuous disclosure obligations in these circumstances.
Is the cyber attack or potential data breach price sensitive?
- A listed company must carefully and quickly consider whether the breach is materially price sensitive, based on information available to the company at that time.
- The mere fact of the breach is not necessarily price sensitive. Without significant detail about the circumstances of the incident (including the nature and volume of data that may have been exfiltrated), it may be too early to form a view as to whether the breach is price sensitive. However, this should be continually tested as investigations into the breach progress and more information comes to light.
When do I need to disclose?
- Even if the breach is considered price sensitive, while assessing the situation, a company may withhold disclosure in reliance on the "disclosure carve-out" in ASX Listing Rule 3.1A, on the basis that information about the breach remains insufficiently definite to warrant disclosure and provided that information about the breach remains confidential.
- Engagement with, or notification to, regulators (such as the Office of the Australian Information Commissioner (OAIC)) on a confidential basis regarding the breach does not cause confidentiality to be lost for the purposes of ASX Listing Rule 3.1A.
- If the breach is price sensitive, disclosure to the market would be needed if a company is required to notify individuals whose data is the subject of the breach. ASX suggests that an announcement in these circumstances should be released just prior to notification to the individuals, to comply with ASX Listing Rule 3.1.
- Even if the company does not consider the circumstances to be price sensitive, if ASX detects abnormal trading, ASX may still require an announcement to be made and will expect the company to act particularly quickly in this situation.
What do I need to disclose?
- A listed company should take steps to prepare a draft announcement once the breach is identified, so it can move quickly to release an announcement if confidentiality is lost or if the company otherwise considers disclosure is needed. The draft announcement should be updated as new information comes to light so that the listed company can be as prepared as possible to disclose promptly when required.
- The content of any announcement will be fact specific, but the new worked example provides guidance on ASX's expectations regarding the content of any announcement at various stages in an evolving data breach scenario. For example, in circumstances of a price sensitive data breach involving access to sensitive customer information, the example demonstrates that ASX would expect the announcement to disclose details of the number of impacted customers and the fact that sensitive personal information of customers has been accessed and taken.
Can I use a trading halt or voluntary suspension to delay disclosure?
- A listed company can use trading halts to assist it in managing its disclosure obligations in connection with a data breach. The fact that the situation is developing and not all of the facts are yet known is unlikely to be sufficient reason to delay disclosure of price sensitive information that is known. If, however, factual uncertainty is expected to be resolved by receipt of information within a short period, ASX may agree to grant a trading halt or a voluntary suspension to give a company additional time to provide a more definitive and informative announcement to the market.
- Listed entities should engage with ASX as early as possible if a trading halt or voluntary suspension may be required.
Action items for listed entities
Given that both ASX and ASIC have clearly stated their expectation that companies need to be planning for how they would manage a cyber security and data breach incident, listed companies should carefully review the additional ASX guidance and consider the actions they should take to be as prepared as possible in the event they face a data breach.