A timely reminder for listed entities 12 min read
Historically, shareholders have appeared unfazed by news of cyber attacks, with the vast majority of incidents having only a very minor and short-term impact on share prices.
However, recent studies by CGI and Comparitech have found that cyber attacks can have a significant and lasting impact on the market value of a company. Given the stringent requirements to notify various regulators of data breaches or cybersecurity incidents under a growing number of global and local regulatory regimes (including the Privacy Act 1988 (Cth) notifiable data breaches scheme, APRA Prudential Standard CPS 234, the Security of Critical Infrastructure Act and the GDPR), and given regulators such as ASIC are beginning to take legal action against entities for their alleged failure to manage cyber risk,1 these findings are a good reminder that when it comes to serious cyber security breaches, listed entities should be complying with existing continuous disclosure requirements.
- As a general rule, data breaches that would reasonably be expected to have a material effect on the price of a listed entity's securities are required to be disclosed to the ASX. The Corporations Act 2001 (Cth) and ASX Listing Rules require that listed entities notify the ASX of 'market sensitive' information immediately. A serious data breach is capable of significantly affecting the value of an entity's securities and will warrant careful consideration, including because any a failure to do so could have both civil and criminal consequences.
- Listed entities should recognise the potential impact of a data breach on market value when considering their continuous disclosure obligations. The average cost of a data breach in Australia is $2.15 million (though in many instances the cost will far exceed this).2 More importantly, a data breach may have further significant ramifications for the conduct of an affected entity's operations and, therefore, its prospects as an investment. Listed entities are required to consider both the direct and indirect implications of a data breach when deciding whether to notify the ASX.
- The courts will have regard to subsequent market reaction in considering whether an entity breached its continuous disclosure obligations.3
- Although ASIC has not yet taken action in relation to any specific failure to notify the ASX of a data breach, we are beginning to see enforcement action in this space, including ASIC recently commencing proceedings for repeated data and cyber security breaches. From our investigation of ASX notifications between 2016-2020, it appears that ASX listed entities are increasingly disclosing data breaches occurring on their systems or, where held by another entity, their information assets.
A report published in April 2017 by security consultant CGI found 'a significant connection between a severe cyber breach and a company's share price performance'.4 This is supported by a recent study by Comparitech in September 2019, which found that share prices fell 7.27% on average after a data breach, hitting a low point almost three weeks later.5 While 'the impact of data breaches likely diminishes over time', data from the 28 companies listed on the New York Stock Exchange that were included in the Comparitech Study indicates that breached companies underperform the market in the long term, growing 8.38% on average over the year following a breach but still trailing the Nasdaq by 6.5%.
'[The report found] a significant connection between a severe cyber breach and a company's share price performance'
According to both reports, companies operating in the financial services industry are more prone to experiencing a severe impact on their share price due to a data breach. This is no surprise. The CGI report attributes this to the industry's high levels of regulation and 'the importance of customer confidence in these organisations and the potential for financial fraud to be a facet of the breach'. The share prices of communications and technology companies were also disproportionately affected by data breaches, possibly due to the industries' higher levels of digital reliance.
Those least affected by data breaches included retail, hospitality and healthcare companies. On one view, this is a surprising result, considering the large amount of personal information collected from customers by these types of companies – particularly with the stockpiles of sensitive personal information held by healthcare companies and, in the case of retail companies, the increasing volume of trade done via online platforms.
These findings regarding data breaches and their impact on the value of a company's share price are supported by some recent examples (though we note that share price is impacted by a range of factors):
- In September 2019, third-party app developers exposed 540 million records about Facebook users, including passwords, account names, IDs, friends, photos, location check-ins and details about comments and reactions to posts.6 Following the September incident, Facebook's share price dropped by 5.81% in the first week and 4.51% over two weeks.
- In February and May 2019, Australian property valuation firm LandMark White (LMW) suffered two data breaches affecting more than 100,000 customers. The first breach involved the posting of property valuations and personal contact information to a dark web forum, while the second breach resulted in the publishing of company documents on a US file sharing platform by two IT contractors known to LMW.7 LMW lost a number of key financial institution clients as a result of the two data breaches.8 Upon return to the ASX in August 2020 following two trading halts, share prices had fallen by 52% since May 2019.9
- In May 2019, a design error in First American Financial's website caused the leak of 885 million records covering a 16-year period, including bank account numbers, statements, mortgage and tax records, social security numbers, wire transaction receipts and driver license images.10 First American Financial share prices had dropped by 5.6% the day following the breach announcement, and by 4.15% by the 10th market day after the incident.11
- In July 2019, an employee of Capital One breached 100 million of its bank records, including bank account information, social security numbers and other general account information. Capital One's stock price dropped nearly 6% immediately in after-hours trading and lost a total of 13.89% over two weeks.12
- In October 2018, a hacker was able to break into Cathay Pacific Airlines' computer system to access personal information for as many as 9.4 million travellers. This incident led to the airline share prices dropping nearly 7% and losing more than $200 million in market value.13
- In June 2018, customer data from the British Airways website and app was stolen across a two-week period which affected 500,000 customers. The subsequent shares in International Airlines Group, the owner of British Airways, dropped by more than 4% after the airline revealed the data breach,14 and 2% after the announcement that British Airways would be fined £183.39 million by the UK Information Commissioner's Office for the breach (though the fine was subsequently reduced to £20 million).15
Listed entities need to be aware of this continuing pattern and the capacity for cyber attacks to affect their share price in the context of their continuous disclosure obligations under the Corporations Act and ASX Listing Rules.
ASX listed entities are required to comply with the continuous disclosure obligations set out in the Corporations Act and ASX Listing Rules. Specifically, a listed entity must immediately notify the ASX of any information that a reasonable person would expect to have a material effect on the price or value of its securities once it becomes aware of that information.16
While the test for notification under the notifiable data breaches scheme (the NDB scheme) is directed at the potential harm that could be caused by a breach of personal information, the continuous disclosure requirements focus on circumstances that have the potential to impact the security price of the entity in circumstances that could include a broader cyber attack, not just an attack affecting personal information.
The continuous disclosure obligation is only triggered where the information that becomes known to the listed entity is market sensitive information – ie information that would, or is likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the securities.17
The ASX has issued detailed guidance to assist entities to understand and comply with their continuous disclosure obligations, which includes guidance on when information is market sensitive.18 Acknowledging the difficulty in undertaking an assessment as to materiality in practice, the ASX guidance offers that:
- entities may find it useful to ask two questions when considering whether information needs to be disclosed:
- Would this information influence my decision to buy or sell securities in the entity at their current market price?
- Would I feel exposed to an action for insider trading if I were to buy or sell securities in the entity at their current market price, knowing this information had not been disclosed to the market?
The ASX recommends that if the answer to either of these questions is 'yes', this should be taken as an indication that the information may well be 'market sensitive'.19
- entities may also find it helpful to consider the quantitative parameters the ASX utilises in determining whether to refer a potential breach to ASIC. Those parameters provide that if the value of a company's securities is affected by more than 10% as a result of the information, the ASX will generally regard the relevant information as being market sensitive. By contrast, if the information has an impact of 5% or less on the value of a company's securities, the ASX will typically not regard this as being market sensitive.
It is important that entities do not treat these tests as definitive, and use them only as a guide in considering whether information is indeed 'market sensitive'.
Determining whether a cyber attack or data breach should be disclosed in accordance with continuous disclosure obligations may be no easy task, particularly given the absence of precedent in Australia. While our analysis of ASX disclosures between 2016 and October 2020 indicates that the number of entities disclosing a breach is increasing, the number of entities reporting an incident per year does not yet appear to have exceeded ten. Despite current proceedings by ASIC against an AFS licensee for failure to establish and maintain adequate cyber security compliance measures,20 to date, ASIC has not prosecuted a company or any particular individual specifically for failure to notify the ASX of a data breach.
courts have confirmed they may look to subsequent market reaction when the information in question was eventually released, in considering whether a company was in breach of its continuous disclosure obligations.
However, there is a large volume of case law that can inform us how the courts are likely to respond when such a matter invariably comes to light. Importantly, courts have confirmed they may look to subsequent market reaction when the information in question was eventually released, in considering whether a company was in breach of its continuous disclosure obligations.21
Listed entities should therefore take into account the various indirect financial impacts of a data breach when considering whether to notify the ASX under their continuous disclosure obligations. Significantly, in the aftermath of a breach, an affected entity may suffer reputational damage, loss of business and incur substantial costs to rectify issues with their existing digital defences. Of course, the severity of these consequences will vary depending on the nature of business being undertaken. For example, a data service, financial institution or telco is likely to be affected to a far greater degree than a company operating in the retail space. However, retailers are not immune from the market risks posed by a data breach, as we examined in our Insight: Spotlight: Cyber Breach at Target.
A 2020 report by IBM, in conjunction with the Ponemon Institute published in July, found that the average cost of a data breach in Australia was US$1.59 million (the average global cost was US$3.86 million, and the average total cost of a breach at enterprises of more than 25,000 employees is US$5.52 million).22 In some instances a data breach may result in costs far exceeding this, eg following the Marriott Hotel data breach disclosed in 2018, in addition to the initial US$28 million (approximately $38 million AUD) in expenses, Marriott was fined £18.4 million by the UK's Information Commissioner's Office (ICO).23 Accordingly, it is important that companies holistically consider the potential impact of a data breach on the value of their securities to accurately comply with their continuous disclosure obligations.
Unlike the 30-day reporting window permitted by the NDB Scheme under the Privacy Act 1988 (Cth), the 'as soon as possible and, in any case no later than 72-hour' reporting window permitted under APRA Prudential Standard CPS 234, and the 12-hour reporting window earmarked as part of the reforms to the security of critical infrastructure regime, information that is likely to have an effect on the value of a listed entity's securities must be 'immediately' disclosed to the ASX.
ASX Guidance Note 8 clarifies that, in this context, 'immediately' means 'promptly and without delay' rather than 'instantaneously'.24 Accordingly, relevant information should be reported to the ASX as quickly as possible in the circumstances, while ensuring there is no unnecessary delay or deferral until a later time.25
Both ASIC and the ASX have enforcement options available where an entity is in breach of its continuous disclosure obligations:
- The ASX is empowered to sanction a non-compliant entity by placing a suspension of the trading of its securities.
- As each entity admitted to the ASX official list is contractually bound to comply with the Listing Rules under the terms of its listing agreement, the ASX may seek a court order compelling the entity to comply with the contract.
- A non-compliant listed entity may be liable for a range of civil and criminal penalties under the Corporations Act.
- A non-compliant entity may also be liable to pay damages to any person who suffers loss resulting from the breach.
- Directors, secretaries or officers who are involved in the contravention may be liable for civil penalties.
Ponemon Institute and IBM, 2020 Cost of a Data Breach Report – Australia.
- James Hardie Industries NV v Australian Securities and Investments Commission  NSWCA 332.
- CGI, The Cyber-Value Connection (April, 2017).
Comparitech, 'How data breaches affect stock market share prices' (Updated 20 April 2020).
Comparitech, 'How data breaches affect stock market share prices' (Updated 20 April 2020).
The Market Herald, 'IT contractor arrested for LandMark White data breach' (October 2019); IT News, 'Second IT contractor charged over LandMark White data breach' (July 2020).
Business News Australia, 'LandMark White in trading halt as banks head for the exits' (June 2019).
Business News Australia, 'Landmark White share price tanks on return to ASX' (August 2019).
Comparitech, 'How data breaches affect stock market share prices' (Updated April 2020).
Harvard Law School Forum on Corporate Governance, Bull or Bear? How the Market Reacts to Data Breach News (28 November 2018).
The Independent, British Airways owner’s share price slides after airline reveals data breach (7 September 2018).
IG, IAG share price: what's next after record fine for British Airways? (10 July 2019).
ASX Listing Rule 3.1; Corporations Act, s674.
Corporations Act, s677.
ASX Listing Rules, Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B'.
Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B', 10.
IT News, 'ASIC sues financial services company for repeated hacks' (August 2020).
Grant-Taylor v Babcock & Brown Limited (In Liquidation)  FCA 149; See Allens Focus: Babcock & Brown – A Market Disclosure Claim Decided
Ponemon Institute and IBM, 2020 Cost of a Data Breach Report – Australia.
CSO, Marriott data breach FAQ: How did it happen and what was the impact? (13 February 2020).
Guidance Note 8, 'Continuous Disclosure: Listing Rules 3.1 – 3.1B', 13.