Cybersecurity and the ASX Listing Rules: Key Takeaways from the Updated Guidance Note 8
The Australian Securities Exchange (ASX) has updated its Guidance Note 8 (effective 27 May 2024), which provides crucial insights for listed entities on managing and disclosing cyber incidents.
The Guidance is particularly relevant in an era where data breaches and cyber-attacks are becoming increasingly common. It outlines the circumstances under which a listed entity must disclose a data breach and the exceptions to their disclosure obligations. We have set out below the key takeaways for listed entities in Australia.
Understanding the Disclosure Requirements
ASX Listing Rule 3.1 provides that once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity's securities, the entity must immediately tell ASX that information. This is subject to certain exceptions provided for in Listing Rule 3.1A.
Data Breaches
In the event of a data breach, the updates to Guidance Note 8 provide direction as to when disclosure may be required by Listing Rule 3.1 to the market:
- Initial Discovery of a Breach: When a listed entity discovers a data breach, the preliminary question is whether the matter is materially price sensitive. Immediate disclosure would not be required if the impact of the data breach is uncertain and is insufficiently definite, and where the information remains confidential. The listed entity should continue to monitor the situation closely.
- Ransom Demands: If confidential information held by a listed entity is stolen and the listed entity receives ransom demands, disclosure would not normally be required where there is still a preliminary question as to whether the matter is materially price sensitive. Where the breach remains confidential and insufficiently definite, the listed entity can rely on the Listing Rule 3.1A exception. The ASX expects the listed entity to continue forensic work urgently to determine whether a disclosure obligation has been triggered. Where the listed entity has already disclosed the cyber incident to the market and continues to receive further ransom demands and threats, the listed entity's decision on how to handle those further threats does not necessarily require additional disclosure unless new materially price-sensitive information arises.
- Engagement with Regulators: Engaging with regulators on a confidential basis would not necessitate disclosure, provided it is still not yet clear whether the breach is materially price sensitive and the information has not been made public.
- Confirmation of Exfiltrated Information: Where the listed entity is notifying affected individuals and the Office of the Australian Information Commissioner of exfiltrated unencrypted personal information, disclosure is not necessarily required where it is still not yet clear whether the breach is materially price sensitive. However, if the listed entity has determined that the breach is materially price sensitive, then upon notification to the affected individuals the breach will cease to be confidential and the listed entity will no longer be able to rely on the Listing Rule 3.1A exception.
- Large Scale Data Exfiltration: Even where an investigation is continuing, if it is confirmed that a significant number of customers have been affected (for example where customers' sensitive information has been accessed), this would likely be materially price sensitive. The listed entity should disclose the breach to the market if it cannot rely on the Listing Rule 3.1A exception.
- Media Inquiries: Where inquiries are being received from the media, this indicates that confidentiality has been lost, and the entity can no longer rely on the Listing Rule 3.1A exception if it has determined that the breach is materially price sensitive. The listed entity must make a market announcement before providing information to the media.
- Potential Legal Claims: The possibility of legal claims is not necessarily materially price sensitive and does not require immediate disclosure. However, once a class action is served or becomes likely, the listed entity must disclose this information promptly.
Key Takeaways
Listed entities, both domestic and international with operations in Australia, must be cognisant of the ASX's expectations regarding the management and disclosure of cyber incidents. The salient points for entities to consider are:
Prompt Action: Listed entities are required to act expeditiously to assess the materiality of any cyber incident and disclose it when necessary.
Confidentiality Maintenance: It is critical for entities to maintain the confidentiality of the incident to avoid premature disclosure. However, once confidentiality is lost, entities will not be able to rely on the Listing Rule 3.1A exception.
Preparation for Disclosure: Listed entities should have draft announcements and comprehensive response plans in place for potential cyber incidents to ensure adherence to disclosure obligations. A draft announcement depends on the facts and actual knowledge available to the entity at the time but should include:
- a description of what has occurred
- material facts regarding the breach such as the type of data accessed
- the number of customers or accounts impacted
- if the information was sensitive personal information and arrangements for notifying the impacted customers
- whether data was exfiltrated and if it was through the entity's system, and if the incident is still ongoing
- any material impact on the entity's operations or financial position and actions the entity is taking to address the breach
- when the entity expects to be in the position to update the market
- that the entity is still investigating the breach and is unaware of the full extent of the breach and its impacts.
Early Engagement with ASX: Listed entities are advised to engage with the ASX at the earliest opportunity if they anticipate the need for a trading halt or voluntary suspension to manage their disclosure obligations effectively.
The updated ASX Guidance Note 8 provides a definitive framework for listed entities in the management of cyber incidents. It underscores the importance of assessing the materiality of a data breach, maintaining confidentiality, and making timely disclosures when required. Listed entities must remain vigilant and proactive in their cybersecurity strategies and response plans to ensure they meet the ASX Listing Rules and safeguard the interests of their stakeholders.