Recent cyber incidents are a timely reminder to boards and senior management
Medibank's 18% share price drop following its trading halt is a timely reminder that listed entities need to carefully consider their continuous disclosure requirements in the wake of cyber incidents.
The growing recognition of the impact of cyber incidents on a broad range of stakeholders is also spurring calls for cybersecurity to be viewed beyond a technology lens, as a broader ESG issue.[1] This trend compounds the already challenging task of monitoring and combatting the wide-ranging threats from financially motivated cyber criminals[2] through to Russia's activities in cyberspace against Ukraine.[3]
This Insight examines the growing need for boards and senior management to consider disclosure obligations in the event of an actual or suspected cyber incident—regardless of their significance—as well as the need to apply an ESG lens to cyber resilience.
- Reports that firms are already investigating the prospect of class actions against Medibank by shareholders and consumers, who are said to be angry about what they consider to be misleading statements made by the insurer, underscore the importance of considering continuous disclosure requirements early on, as soon as an organisation suspects or becomes aware of a cyber incident. These considerations should form part of cyber incident response plans and playbooks (for our analysis of data breach class actions, see our Insight: A step into the breach – will the Optus incident give rise to more data breach class actions?).
- We remain of the view that disclosure (for the purposes of the ASX listing rule requirements) of cyber incidents and data breaches should only occur when the obligations to do so are satisfied. That said, we expect that determining whether a cyber incident has a 'material effect' and therefore warrants disclosure will continue to evolve and require the evaluation of a broad range of both qualitative and quantitative factors.
- Although market disclosure regimes have existed for some time, we expect to see more specific requirements to report on cyber-risk metrics (including on resilience to future adverse cyber events).
- Public, regulatory and political debate on cybersecurity and data governance has snowballed in the wake of the recent Optus and Medibank cyber incidents, particularly given the unauthorised access of current and former customers' personal information (including financial and medical details). Given this, boards and senior management need to apply an ESG lens to these issues and ensure they not only focus on their preparedness to respond to cyber incidents, but also that data governance and cyber risk management are part of the fabric of everything they do.
ASX-listed entities that experience a cyber incident or data breach will need to consider whether to make a disclosure in accordance with their continuous disclosure obligations set out in the Corporations Act 2001 (Cth) and ASX Listing Rules.
Information that is likely to have an effect on the value of a listed entity's securities must be 'immediately'[4] disclosed to the ASX. This is unlike:
- the 30-day reporting window permitted by the NDB scheme under the Privacy Act 1988 (Cth);
- the 'as soon as possible and, in any case, no later than 72 hours' reporting window permitted under APRA Prudential Standard CPS 234; and
- the 12-hour reporting window for cybersecurity incidents that have a significant impact on the availability of a critical infrastructure asset, or the 72-hour reporting window for cybersecurity incidents that have a relevant impact, under the security of critical infrastructure regime.
We expect ASIC will continue to focus on enforcement, given the foundation of these obligations as a pillar of market integrity. This is evidenced by ASIC's recent announcement on 29 September 2022 that it had commenced proceedings in the Federal Court against Nuix Limited for alleged continuous disclosure breaches and misleading or deceptive conduct, as well as proceedings against members of the Nuix board for breaches of their directors' duties.[5]
Determining whether a cyberattack or data breach should be disclosed in accordance with continuous disclosure obligations will be an ongoing challenge. We previously commented that the number of entities reporting an incident to ASX per year does not yet appear to have exceeded ten—this remains the case today. And notwithstanding the decision in ASIC v RI Advice Group, ASIC has not prosecuted a company or any particular individual specifically for failure to notify the ASX of a data breach.
This may suggest that a cyberattack or data breach need only be disclosed when it is of such size and scale that it is clearly a matter requiring immediate disclosure.
Attacks or breaches once thought to be not so significant may now require immediate disclosure
However, courts have confirmed that, in considering whether a company was in breach of its continuous disclosure obligations, they may look to the subsequent market reaction when the information in question was eventually released.[6] This brings a broader analysis into play and will potentially capture attacks or breaches once thought not significant enough to require immediate disclosure.
When we previously considered the various indirect financial impacts of a data breach that bear on whether to notify the ASX, we identified the potential for reputational damage and loss of business. While we continue to believe that those considerations, as well as the substantial costs of rectifying an issue, must be taken into account, another factor continues to gain prominence: the growing volume of discussion of cybersecurity compliance as an ESG issue. This adds another dimension to the matters that must be considered when determining whether a cyber incident or data breach should be disclosed.
Cyber resilience has now joined environmental, diversity and social justice issues as a key consideration on the ESG agenda. Just as a company's environmental practices can impact its 'E' standing, the ongoing reporting and community outrage over recent cyber incidents has demonstrated how deficient data and information-security practices can significantly affect the 'S' and 'G' elements. In essence, if ESG offers a means for companies to frame and assess their business practices in terms of their impact on communities and the environment, a major cyber incident affecting millions of customers reveals the potential both for losing consumer trust and the consequent impact on an entity's share price.
In the context of risk governance, corporate stakeholders now require cyberattacks and security breaches to be proactively measured and mitigated in governing enterprise-wide risk management.[7] In turn, this has spurred greater transparency, governance and reporting on cyber risk metrics, including on resilience to future adverse cyber events.
The WannaCry ransomware attack on the UK's National Health Service (NHS) in May 2017
The cyberattack severely disrupted more than 80 hospital trusts and 8% of GP practices after a type of malware was used to lock down hospitals in England, leading to 19,000 appointments being cancelled across the one-week period of the attack. The ransomware locked 200,000 computers, presenting users with red-lettered error messages demanding Bitcoin, and has since been blamed on elite North Korean hackers.[8]
Although market disclosure regimes have existed for some time, we expect to see more specific requirements to report on cyber risk metrics. The recent proposed draft of the new prudential standard CPS 230 (Operational Risk Management) is a case in point. (For more on CPS 230, see our Detailed Analysis and our Practical Implementation Guide).
Overseas, the US Securities and Exchange Commission has recently proposed regulations that would mandate the disclosure by US public companies (including foreign private issuers) of:
- material cybersecurity incidents in Form 8-K and Form 6-K within four days of becoming aware that they have experienced a material cybersecurity incident, and updates on these incidents in annual and quarterly reports; and
- details regarding their cyber risk management, strategy and governance arrangements in annual reports on Forms 10-K and 20-F and other periodic reports.
If adopted, these rules will expand and codify existing guidance, and create the first cybersecurity-specific disclosure obligations for public companies in the US.
There is now a broader suite of stakeholders actively considering and assessing cybersecurity resilience: from investors, employees and customers, through to regulators, the supply chain and the community at large. In this context, we expect that boards and senior managers will need to consider both the views of, and the impact of a data breach on, these stakeholders when assessing whether or not to disclose a cyberattack or data breach.
We are not suggesting an immediate change of approach as to how entities consider their disclosure obligations in the context of cybersecurity compliance and the ESG considerations we have discussed. We remain of the view that disclosure (for the purposes of the ASX listing rule requirements) of data breaches or attacks should only occur when the obligations to do so are satisfied.
However, with the rise of cybersecurity compliance as an ESG issue, we expect it will need to be considered, if and when an attack occurs, when assessing the need for disclosure. It's not an easy decision, but adopting a holistic approach to these considerations when assessing the potential impact of a data breach on the value of an entity's securities will significantly assist in complying with the continuous disclosure obligations.
[4] ASX Guidance Note 8 clarifies that, in this context, 'immediately' means 'promptly and without delay', rather than 'instantaneously'. Accordingly, relevant information should be reported to the ASX as quickly as possible in the circumstances, while ensuring there is no unnecessary delay or deferral until a later time.
[6] Grant-Taylor v Babcock & Brown Limited (In Liquidation) FCA 149; see Allens Focus: Babcock & Brown – A Market Disclosure Claim Decided