Historically, shareholders have appeared unfazed by news of cyber attacks, with the vast majority of them having only a very minor and short-term impact on share prices. However, a recent study by CGI has found that cyber attacks can have a significant and lasting impact on the market value of a company. With so much attention directed at preparing for the notification requirements under the notifiable data breaches scheme and the GDPR due to take effect in early 2018, these findings are a good reminder that when it comes to serious cyber security breaches, listed entities should already be complying with existing continuous disclosure requirements.
- As a general rule, data breaches that would reasonably be expected to have a material effect on the price of a listed entity's securities are required to be disclosed to the ASX. The Corporations Act 2001 (Cth) and ASX Listing Rules require that listed entities notify the ASX of 'market sensitive' information immediately. Given that a serious data breach is capable of significantly affecting the value of an entity's securities, a failure to disclose a data breach to the ASX could have financial consequences and repercussions under the criminal law.
- Listed entities should recognise the potential impact of a data breach on market value when considering their continuous disclosure obligations. The average cost of a data breach in Australia is $2.51 million – which alone may be enough to significantly affect the market value of an entity's securities.1 More importantly, a data breach may have further significant ramifications for the conduct of an affected entity's operations (and therefore its prospects as an investment). Listed entities are required to consider both the direct and indirect implications of a data breach when contemplating whether to notify the ASX.
- The courts will have regard to subsequent market reaction in considering whether an entity breached its continuous disclosure obligations.2
- Although ASIC has not yet taken action in relation to any failure to notify the ASX of a data breach, we are likely to see increased attention in this space, considering the corporate regulator's renewed focus on cyber resilience. For more information on ASIC and cyber resilience, please see our Client Update: ASIC Highlights Importance of Cyber Resilience.
A report published in April 2017 by security consultant CGI found 'a significant connection between a severe cyber breach and a company's share price performance'.3 The study also found that cyber attacks cause an average permanent loss in value to a company's stock price of 1.8 per cent, and that in some cases, successful data breaches had caused a company's valuation to drop by as much as 15 per cent.
According to the report, companies operating in the financial services industry are more prone to experiencing a severe impact on their share price due to a data breach. This is no surprise. The report attributes this to the industry's high levels of regulation and 'the importance of customer confidence in these organisations and the potential for financial fraud to be a facet of the breach'. The share prices of communications companies were also disproportionately affected by data breaches, possibly due to the industry's higher levels of digital reliance.
Those least affected by data breaches included retail and hospitality companies. On one view, this is a surprising result, considering the large amount of personal information collected from customers by these types of companies – particularly with the increasing volume of trade done via online platforms. Interestingly, healthcare companies – with their large stockpiles of sensitive personal information – also fell towards the lower end of the scale.
These findings regarding data breaches and their impact on the value of a company's share price are supported by some recent examples:
- Last year, it was revealed that Uber had suffered a data breach that compromised the personal information of some 57 million users. Before this, Uber had been valued at around US$69 billion. Following the revelations, Japanese technology company SoftBank led a group of investors in acquiring a substantial interest in Uber at a price that implied a valuation for the company of US$48 billion, a material discount to earlier valuations.4
- In October 2017, Yahoo revealed that it had been successfully breached on a number of occasions between 2013 and 2016, affecting all 3 billion of its user accounts. Following this disclosure, Verizon and Yahoo agreed to reduce the previously agreed consideration for Verizon's acquisition of Yahoo's internet business by $350 million.5 For more information on the Yahoo data breach, please see our article Spotlight: Cyber Breach at Yahoo.
- On 7 September 2017, Equifax announced that the company had experienced a cybersecurity incident that had potentially affected 143 million consumers. Within a week, the consumer credit reporting agency's share price had fallen approximately 35 per cent, from US$142.72 down to US$92.98. Even though initial fears surrounding the extent of the breach have been dispelled, the company's shares are still trading below values observed before the announcement of the breach. As of 16 January 2018, Equifax shares are trading at US$122.16 – only 85 per cent of pre-breach value.
- On 21 October 2015, UK telecommunications company TalkTalk was subjected to a 'significant and sustained' attack on its digital infrastructure.6 Within two days of the breach, the company's share price had dropped by more than 10 per cent, sparking a trend that would continue until the year's end. Unfortunately for TalkTalk investors, the British telco's share price is still struggling to recover from the impact of its 2015 data breach.
- In November 2013, Target became the victim of a cyber attack on its point-of-sale systems during the US holiday season. Target sustained a significant decline in its share value following the incident, which took the retail giant more than a year to recover from. For more information on the Target data breach, please see our article Spotlight: Cyber Breach at Target.
Listed entities need to be aware of this continuing pattern, and the capacity for cyber attacks to affect their share price in the context of their continuous disclosure obligations under the Corporations Act and ASX Listing Rules.
ASX listed entities are required to comply with the continuous disclosure obligations set out in the Corporations Act and ASX Listing Rules. Specifically, a listed entity must immediately notify the ASX of any information that a reasonable person would expect to have a material effect on the price or value of its securities once it becomes aware of that information.7
Whereas the test for notification under the notifiable data breaches scheme (the NDB scheme) is directed at the potential harm that could be caused by a breach of personal information, the continuous disclosure requirements focus on circumstances that have the potential to affect the price of the entity's securities. Those circumstances could include a broader cyber attack, not just an attack affecting personal information.
What is 'market sensitive' information?
The continuous disclosure obligation is only triggered where the information that becomes known to the listed entity is market sensitive information – ie information that would, or is likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the securities.8
The ASX has issued detailed guidance to assist entities to understand and comply with their continuous disclosure obligations, which includes guidance on when information is market sensitive.9 Acknowledging the difficulty in undertaking an assessment as to materiality in practice, the ASX guidance offers that:
- entities may find it useful to ask two questions when considering whether information needs to be disclosed:
  - Would this information influence my decision to buy or sell securities in the entity at their current market price?
  - Would I feel exposed to an action for insider trading if I were to buy or sell securities in the entity at their current market price, knowing this information had not been disclosed to the market?
  The ASX recommends that if the answer to either of these questions is 'yes', this should be taken as an indication that the information may well be 'market sensitive'.10
- entities may also find it helpful to consider the quantitative parameters the ASX utilises in determining whether to refer a potential breach to ASIC. Those parameters provide that if the value of a company's securities is affected by more than 10 per cent as a result of the information, the ASX will generally regard the relevant information as being market sensitive. In contrast, if the information has an impact of 5 per cent or less on the value of a company's securities, the ASX will typically not regard this as being market sensitive.
It is important that entities do not treat these tests as definitive, and use them only as a guide in considering whether information is indeed 'market sensitive'.
When will a cyber attack or a data breach constitute market sensitive information?
Determining whether a cyber attack or data breach should be disclosed in accordance with continuous disclosure obligations may be no easy task, particularly given the absence of precedent in Australia. To date, ASIC has not prosecuted a company or any particular individual for their failure to notify the ASX of a data breach.
However, there is a large volume of case law that can inform us how the courts are likely to respond when such a matter inevitably comes to light. Importantly, courts have confirmed that, in considering whether a company was in breach of its continuous disclosure obligations, they may look to the subsequent market reaction when the information in question was eventually released.11
Listed entities should therefore take into account the various indirect financial impacts of a data breach when considering whether to notify the ASX under their continuous disclosure obligations. Significantly, in the aftermath of a breach, an affected entity may suffer reputational damage and loss of business, and incur substantial costs to rectify issues with its existing digital defences. Of course, the severity of these consequences will vary depending on the nature of business being undertaken. For example, a data service, financial institution or telco is likely to be affected to a far greater degree than a company operating in the retail space. However, as the 2013 cyber incident at Target proved, retailers are not immune from the market risks posed by a data breach. For more information on the Target data breach, please see our article Spotlight: Cyber Breach at Target.
A 2017 report by the Ponemon Institute, published in June, found that the average cost of a data breach in Australia was $2.51 million.12 This figure alone undoubtedly has the potential to seriously affect the financial viability of a company and its allure to investors. Accordingly, it is important that companies holistically consider the potential impact of a data breach on the value of their securities, to accurately comply with their continuous disclosure obligations.
When must a listed entity notify the ASX?
Unlike the 30-day reporting window permitted by the NDB Scheme under the Privacy Act 1988 (Cth), information that is likely to have an effect on the value of a listed entity's securities must be 'immediately' disclosed to the ASX.
ASX Guidance Note 8 clarifies that, in this context, 'immediately' means 'promptly and without delay' rather than 'instantaneously'.13 Accordingly, relevant information should be reported to the ASX as quickly as possible in the circumstances, while ensuring that there is no unnecessary delay or deferral until a later time.14
Both ASIC and the ASX have enforcement options available where an entity is in breach of its continuous disclosure obligations:
- The ASX is empowered to sanction a non-compliant entity by suspending trading in its securities.
- As each entity admitted to the ASX official list is contractually bound to comply with the Listing Rules under the terms of its listing agreement, the ASX may seek a court order compelling the entity to comply with the contract.
- A non-compliant listed entity may be liable for a range of civil and criminal penalties under the Corporations Act.
- A non-compliant entity may also be liable to pay damages to any person who suffers loss resulting from the breach.
- Directors, secretaries or officers who are involved in the contravention may be liable for civil penalties.
1. Ponemon Institute, 2017 Cost of a Data Breach Study – Australia.
2. James Hardie Industries NV v Australian Securities and Investments Commission  NSWCA 332.
3. CGI, The Cyber-Value Connection (April, 2017).
4. Eric Newcomer, 'SoftBank Bids to Buy Uber Shares for 30% Less Than Current Value', Bloomberg.
5. Vindu Goel, 'Verizon will pay $350 million less for Yahoo', New York Times.
6. BBC, 'TalkTalk cyber-attack: Website hit by 'significant' breach' (23 October 2015).
7. ASX Listing Rule 3.1; Corporations Act, s674.
8. Corporations Act, s677.
9. ASX Listing Rules, Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B'.
10. Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B', 10.
11. Grant-Taylor v Babcock & Brown Limited (In Liquidation)  FCA 149; See Allens Focus: Babcock & Brown – A Market Disclosure Claim Decided
12. Ponemon Institute, 2017 Cost of a Data Breach Study – Australia.
13. Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B', 13.
14. ASX, Continuous Disclosure: an Abridged Guide, 5.