Overview

In the wake of numerous recent high-profile cyber incidents affecting listed entities in Australia, the thorny issues around managing disclosure obligations through a cyber incident have been front of mind for boards.

In response to industry demand for greater guidance around the tricky judgment calls involved in managing market disclosure during a fast-moving cyber incident, ASX has released an updated Guidance Note 8 (GN8) in its Compliance Update no. 06/24 that includes a much-anticipated new data breach example. The new updates take effect from 27 May 2024.

Key takeaways

  • ASX acknowledges that information may be too uncertain to be material and/or insufficiently definite to warrant disclosure in the early stages of a cyber incident. 
  • Dialogue with a regulator around a data breach will not automatically result in a loss of confidentiality (although in practice, the risk of loss of confidentiality is ever present in a cyber incident, so companies should have draft announcements on hand).
  • Trading halts and voluntary suspensions are only intended to be used in limited circumstances, and not as a means for avoiding continuous disclosure obligations.
  • ASX expects more than a short, boilerplate announcement when a disclosure obligation is triggered (ie all material information known to the entity should be included). 
  • The GN8 example is intended to be illustrative not definitive, so each case still needs to be assessed applying the core disclosure rules to the facts at hand. 

While it would be prudent for listed entities to reassess their cyber incident response manual (including any template ASX announcements) in light of the ASX guidance, it remains the case that disclosure decisions during a cyber incident need to be assessed based on the specific fact pattern that arises. For this reason, regular cyber incident simulations involving disclosure decision points remain essential for Boards and management teams to prepare themselves for a variety of scenarios instead of assuming a ‘one size fits all’ approach.

Recap – GN8 and its relevance

Listed entities’ continuous disclosure obligations are set out in Listing Rules 3.1-3.1B (and given statutory force under sections 674-678 of the Corporations Act 2001 (Cth)). GN8 provides a guide to ASX policy and practice in relation to these obligations. The illustrative examples included in GN8 are used to indicate, at a high level, ASX’s position on the application of Listing Rules for certain scenarios.

It’s important to keep in mind that, by necessity, the examples in GN8 are condensed to a digestible length and can’t cover every contingency or fact pattern. ASX’s aim in providing examples is to cover off on some of the key interpretation issues that it has observed in practice when supporting entities in managing their obligations.

The examples are intended to be illustrative only, and should not detract from a ‘first principles’ application of the core disclosure rules at each disclosure decision point – in particular, a fresh assessment of materiality and consideration of whether the confidentiality carve-out applies. 

What does the new GN8 example cover?

The new ‘Example I – Data Breach’ focuses on a data breach of a listed entity involving personal information about the entity’s customers. The example is spaced out across eight separate injects that describe the application of continuous disclosure principles at each stage as the hypothetical data breach incident unfolds and more information comes to light.

The example reflects the fact pattern of several recent high-profile cyber incidents, and provides useful illustrative guidance on ASX’s general position on certain live issues concerning cyber incidents (such as the application of the confidentiality exception and the use of trading halts – more on this below).

The new GN8 example does not address the scenario that, for many businesses, represents their biggest cyber risk exposure: an incident with operational impacts (such as a ransomware attack where access to the business’ systems is restricted). A market disclosure trigger will often occur earlier in a cyber incident with a material operational impact, which reinforces the importance of applying ‘first principles’ around disclosure triggers and timing.

Practical observations – ASX expectations on cyber incidents and disclosure

While not intended to be a complete guide to disclosure during a cyber incident, the new ‘Example I – Data Breach’ includes some very useful and practical insights into ASX’s expectations for engagement with entities during a cyber incident, and the potential timing and content of disclosures.

Disclosure is not a ‘default’ starting point

ASX recognises that an incident that is not sufficiently definite may remain in the territory of ‘disclosure is not required’ for a period of time, even as further information materialises. 

Applying the disclosure principles, ASX recognises that:

  • the information might be so uncertain that it will not have a material effect on the price or value of the entity’s securities (ie Listing Rule 3.1 is not yet triggered); or
  • even if materially price sensitive, the information is insufficiently definite to warrant disclosure and remains confidential (ie Listing Rule 3.1A carve-out applies).

In the specific hypothetical scenario, it is only after the listed entity confirms that the cyber criminal accessed information about a large number of customers that ASX considers a disclosure obligation to be triggered.

While in the hypothetical scenario, disclosure is ultimately triggered on those particular facts, it is not always a “given” that the exfiltration of customer information will automatically trigger the continuous disclosure requirement. In our experience, there have been similar scenarios where listed entities have concluded that the consequences of the incident were not market sensitive. 

Work swiftly to firm up the fact base

Unsurprisingly, the hypothetical scenario emphasises that, even where no immediate disclosure obligation is triggered, ASX expects listed entities to continue forensic work with urgency to determine the impact of the data breach, and to reassess whether a disclosure obligation arises as new information becomes known to the entity.

When is confidentiality ‘lost’?

The new example has helpfully confirmed that engagement with ASX and other regulators on a confidential basis will not automatically result in the information being non-confidential (ie the confidentiality limb of Listing Rule 3.1A may still apply).

In practice, entities should be alive to the fact that the scale of stakeholder engagement required in a cyber incident may, in particular instances, be so extensive that there is a high risk of a leak, even where steps are taken to preserve confidentiality. For example, certain incidents may trigger the activation of the National Coordination Mechanism (through the National Office of Cyber Security), which will immediately loop 200-300 representatives from both Federal and state / territory agencies (as well as industry bodies and the private sector as required) into a collaborative forum where information pertaining to the incident will be openly discussed.

In addition, we note that the threat of confidentiality being lost is always a possibility when you have cyber criminals in the mix – they could publicise the exfiltrated data at any time without warning, and entities cannot control when or how this would occur (no matter how much they would want to!). 

In ASX’s hypothetical, release of information onto the dark web is treated as triggering loss of confidentiality and results in the hypothetical entity making a further market announcement (though we note that the hypothetical proceeds on the basis the public release of that particular information is materially price sensitive, which may not always be the case). 

Early preparation of draft announcements

An underlying thread throughout ASX’s example is that ASX encourages an early preparation of draft announcements, with the drafts evolving further as more information comes to light. Any market announcements should be updated prior to release to reflect the market sensitive information the entity is aware of at that time.

No boilerplate announcements

The example makes clear that ASX’s expectation is that market announcements are accurate, complete (not omitting material information known to the entity), and not misleading – in short, a boilerplate announcement will not be enough.

ASX expects the announcement to contain a significant amount of information where available, such as:

  • a description of what has happened; 
  • the material facts the listed entity knows; 
  • any material impact on operations or financial position the entity is aware of at the relevant time; 
  • the action the entity is taking in response to the breach; and
  • when the entity expects to be in a position to update the market.

However, as the ASX hypothetical illustrates, the content of a market announcement will depend on all facts and actual knowledge available at the time. Entities will need to balance the need to provide ‘all material information’ in an announcement against the risk of overstating the amount of information that is ‘known’ (cyber incidents have a nasty habit of continuing to evolve, and early definitive statements can quickly become incorrect).

Use of trading halts or voluntary suspension

While ASX accepts that a trading halt or voluntary suspension may be required to manage disclosure obligations during a cyber incident, it signals that these tools should be used sparingly, such as when a disclosure obligation has crystallised and more time is required to prepare a definitive announcement in relation to the scope of the incident.

The guidance recommends close engagement with ASX throughout a data breach incident, including if a trading halt or voluntary suspension is considered. 

Where a trading halt or suspension is granted, ASX expects that the entity should make its market announcement as quickly as possible (ie these measures do not relieve the entity of its usual disclosure obligations).

The need for further announcements

The hypothetical example indicates a view from ASX that further announcements may be required as the factual matrix changes and evolves.

It would be oversimplifying to infer that making an initial ASX announcement will automatically necessitate a subsequent announcement for each new development – each specific situation will still involve a fact-based assessment.

A subsequent disclosure obligation will arise where:

  • an entity becomes aware of new material price sensitive information; or
  • information in the initial market announcement ceases to be correct in a material respect or becomes potentially misleading. 

From a practical perspective, the demand for further information from external stakeholders will be increased once a cyber incident becomes publicly known, so it may also be the case that an entity chooses to make a subsequent announcement via the ASX platform – however in some instances this will be a choice rather than an obligation (and other channels such as posting on the entity’s own website or direct notifications to affected stakeholders may be preferred). 

So, where to from here?

This space is undoubtedly one to watch as listed entities begin to apply the updated guidance in a real-time data breach context.

While challenges still exist in managing disclosure obligations in a dynamic, ever-evolving data breach / cyber incident scenario – and listed entities should not be lulled into thinking the guidance provides a ‘step by step’ guide to disclosure – on the whole, this new guidance from ASX will be a welcome addition.  


Key contacts

  • Cameron Whittfield – Partner, Melbourne
  • Peter Jones – Partner, Sydney
  • Carolyn Pugsley – Partner, Melbourne
  • Priscilla Bryans – Partner, Melbourne
  • Christine Wong – Partner, Sydney
  • Merryn Quayle – Partner, Melbourne
  • Lauren Selby – Partner, Sydney
  • Timothy Stutt – Partner, Sydney
