Companies face ever-growing risks and threats in cyber security, including by way of phishing and ransomware. Given the continuous disclosure obligations placed upon ASX-listed entities, it is critical that companies have appropriate guidance in relation to their disclosure obligations as they relate to data breaches and prepare for cyber security incidents as they occur.
On 16 May 2024, the ASX announced a new worked example on data breaches to be included in Guidance Note 8 Continuous Disclosure: Listing Rules 3.1 – 3.1B. The worked example does not change an entity’s continuous disclosure obligations, but instead offers insight into ASX’s views on the timing and content of the disclosure that is required when an ASX-listed entity experiences a data breach. The updated Guidance Note 8 took effect on 27 May 2024 and is available for viewing here.
The former Guidance Note 8 did not address continuous disclosure arrangements for data breaches or cyber security incidents. In the latest update to Guidance Note 8, the ASX has provided a welcome eight-part worked example illustrating the ASX’s views on the application of Listing Rule 3.1 and the Listing Rule 3.1A exception to a hypothetical data breach scenario. This provides some guidance to ASX-listed entities on the response that ASX expects from them while a cyber security incident is unfolding.
Listing Rule 3.1
As a refresher, Listing Rule 3.1 provides:
Once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, the entity must immediately tell ASX that information.
As an exception to Listing Rule 3.1, Listing Rule 3.1A provides:
Listing Rule 3.1 does not apply to particular information while each of the following is satisfied in relation to the information:
To disclose or to not disclose
From a continuous disclosure perspective, the first step when an ASX-listed entity encounters a data breach is to carefully consider whether, based on what the company is aware of, the matter is materially price sensitive. The updates to Guidance Note 8 recognise that determining whether a breach is materially price sensitive can be difficult and that whether a disclosure obligation has been triggered will vary depending on the circumstances. If the matter is materially price sensitive, the second step is to consider whether the conditions of the exception continue to be satisfied.
The updated Guidance Note 8 provides some helpful guidance on ASX’s views on when disclosure would be required and the expected content of that disclosure, following its worked example. In that worked example, the ASX outlines its expectations about a possible course of action that the ASX-listed entity may take, from identifying the data breach, to investigating the scope of the issue and the regulatory consultation that may be required, as well as the challenges of dealing with a ransom approach or possible class actions. This is interesting in itself, because it provides a play-by-play description of the various pressures that will be brought to bear on the ASX-listed entity.
The worked example also includes the ASX’s views of the analysis that an ASX-listed entity should constantly be carrying out about its continuous disclosure obligations. The highlights from this analysis are that:
Although the worked example on data breaches provides better context for when disclosure is required, it is not a north star that ASX-listed entities can follow with ease. Determining whether disclosure is required in the varied and developing circumstances of a data breach will be greatly assisted by a team with specialised expertise in both data privacy response (in order to manage the data breach itself and the consequences of the data breach) and managing your continuous disclosure obligations. A cohesive team working together on both of these aspects of the data breach will greatly assist an ASX-listed entity during a high-stress, fast-moving, challenging time.
Our expert team at Bird & Bird work together across disciplines to provide seamless expert advice on your response to a data breach. Chris Clarke (Partner at Chris.Clarke@twobirds.com) and Aaron Chan (Special Counsel at aaron.chan@twobirds.com) have experience advising on continuous disclosure obligations, while Jonathon Ellis (Partner at jonathon.ellis@twobirds.com) and Julie Cheeseman (Partner at julie.cheeseman@twobirds.com) have experience advising on disputes arising from cyber incidents.
The authors also acknowledge Benjamin McDermott and Tia Khan for their contributions to this article.