Hooked and Held for Ransom: ASX Updates to Guidance Note 8 on Data Breaches

Companies face ever-growing risks and threats in cyber security, including by way of phishing and ransomware. Given the continuous disclosure obligations placed upon ASX-listed entities, it is critical that companies have appropriate guidance on how their disclosure obligations apply to data breaches, and that they prepare for cyber security incidents before they occur.

On 16 May 2024, the ASX announced a new worked example on data breaches to be included in Guidance Note 8 Continuous Disclosure: Listing Rules 3.1 – 3.1B. The worked example does not change an entity’s continuous disclosure obligations, but instead offers insight into ASX’s views on the timing and content of the disclosure that is required when an ASX-listed entity experiences a data breach. The updated Guidance Note 8 took effect on 27 May 2024 and is available for viewing here.

Updated Guidance Note 8

The former Guidance Note 8 did not address continuous disclosure arrangements for data breaches or cyber security incidents. In the latest update to Guidance Note 8, the ASX has provided a welcome eight-part worked example illustrating the ASX’s views on the application of Listing Rule 3.1 and the Listing Rule 3.1A exception to a hypothetical data breach scenario. This provides some guidance to ASX-listed entities on the response that ASX expects from them while a cyber security incident is unfolding.

Listing Rule 3.1

As a refresher, Listing Rule 3.1 provides:

Once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, the entity must immediately tell ASX that information.

As an exception to Listing Rule 3.1, Listing Rule 3.1A provides:

Listing Rule 3.1 does not apply to particular information while each of the following is satisfied in relation to the information:

  • One or more of the following 5 situations applies:
    • it would be a breach of a law to disclose the information;
    • the information concerns an incomplete proposal or negotiation;
    • the information comprises matters of supposition or is insufficiently definite to warrant disclosure;
    • the information is generated for the internal management purposes of the entity; or
    • the information is a trade secret; and
  • The information is confidential and ASX has not formed the view that the information has ceased to be confidential; and
  • A reasonable person would not expect the information to be disclosed.

To disclose or to not disclose

From a continuous disclosure perspective, the first step when an ASX-listed entity encounters a data breach is to carefully consider whether, based on what the company is aware of, the matter is materially price sensitive. The updates to Guidance Note 8 recognise that determining whether a breach is materially price sensitive can be difficult and that whether a disclosure obligation has been triggered will vary depending on the circumstances. If the matter is materially price sensitive, the second step is to consider whether the conditions of the exception continue to be satisfied.

The updated Guidance Note 8 provides, through its worked example, some helpful guidance on ASX’s views on when disclosure would be required and the expected content of that disclosure. In that worked example, the ASX outlines its expectations about a possible course of action that the ASX-listed entity may take, from identifying the data breach, to investigating the scope of the issue and the regulatory consultation that may be required, as well as the challenges of dealing with a ransom approach or possible class actions. This is interesting in itself, because it provides a play-by-play description of the various pressures that will be brought to bear on the ASX-listed entity.

The worked example also includes the ASX’s views of the analysis that an ASX-listed entity should constantly be carrying out about its continuous disclosure obligations. The highlights from this analysis are that:

  • Disclosure will generally not be required while the ASX-listed entity has only limited information and therefore cannot determine the materiality of the data breach to the price or value of its securities;
  • That said, ASX expects an ASX-listed entity to act with urgency to obtain as much information as possible (including carrying out forensic IT work), so that it can determine the materiality of the data breach to the price or value of its securities;
  • The fact that the situation is developing and all of the relevant facts are not yet known is unlikely to be, of itself, a reason to delay disclosure of what is known;
  • An ASX-listed entity should consider preparing draft announcements that can be rapidly updated and released if at any point the breach ceases to be confidential and disclosure is required;
  • For the purposes of the exception to Listing Rule 3.1, engaging with regulators and ASX on a confidential basis does not of itself result in confidentiality being lost; and
  • An ASX-listed entity is strongly encouraged to engage with ASX as early as possible if it considers that it may need to apply for a short trading halt or voluntary suspension to manage its continuous disclosure obligations (which ASX will only grant after consideration of the usual principles).

Conclusion

Although the worked example on data breaches provides better context for when disclosure is required, it is not a north star that ASX-listed entities can follow with ease. Determining whether disclosure is required in the varied and developing circumstances of a data breach will be greatly assisted by a team with specialised expertise in both data privacy response (in order to manage the data breach itself and its consequences) and managing your continuous disclosure obligations. A cohesive team working together on both of these aspects of the data breach will greatly assist an ASX-listed entity during a high-stress, fast-moving, challenging time.

Contact Us

Our expert team at Bird & Bird works together across disciplines to provide seamless expert advice on your response to a data breach. Chris Clarke (Partner at Chris.Clarke@twobirds.com) and Aaron Chan (Special Counsel at aaron.chan@twobirds.com) have experience advising on continuous disclosure obligations, while Jonathon Ellis (Partner at jonathon.ellis@twobirds.com) and Julie Cheeseman (Partner at julie.cheeseman@twobirds.com) have experience advising on disputes arising from cyber incidents.

The authors also acknowledge Benjamin McDermott and Tia Khan for their contributions to this article.
