INSIGHT

Takeaways from recent guidance on cyber incident disclosure obligations for listed companies

By Valeska Bloch, Chelsey Drake, Alex Tolliday, Tom Hall, Annie Shum, Lauren Holz

Recent developments at home and abroad

For listed entities, determining whether (and when) to tell the market about a cyber incident is an ongoing challenge. Nonetheless, recent developments at home and abroad—in particular a recent update to ASX Listing Rules Guidance Note 8, the Medibank shareholder class action and a new US SEC rule—are contributing to an increasing body of guidance (and heightened expectations) as to when listed companies should disclose cyber incidents in accordance with their continuous disclosure obligations.

In this Insight, we examine the updates to the guidance note in the context of broader global developments, and offer our view as to when disclosure of cyber incidents (for the purposes of the ASX Listing Rules (the Listing Rules)) should generally occur.

Key takeaways

  • The latest update to ASX Listing Rules Guidance Note 8 (GN 8) introduces a new worked example to help illustrate when, in the context of a cyber incident, relevant information would, or would not, be expected to be disclosed to the ASX. The example suggests that disclosure will generally not be required where the company cannot yet ascertain the materiality of the cyber incident to the price or value of its securities due to limited information. However, incomplete information about an ongoing cyber incident is unlikely (by itself) to justify delaying disclosure of known information.
  • Medibank is currently defending the first Australian shareholder class action proceedings to have challenged the adequacy of a company’s cyber risk disclosures. There are several critical issues that warrant careful consideration in these proceedings, including the scope and application of APRA Prudential Standard CPS 234 (Information Security) and the materiality of various alleged cyber deficiencies. This class action will function as a test case on cyber risk disclosures and, if the proceedings do not resolve on commercial terms, a watershed judgment looms large that will be of keen interest to all ASX-listed and APRA-regulated entities.
  • The US Securities and Exchange Commission's (SEC) new cybersecurity-specific disclosure obligations for public companies in the US have triggered a wave of market disclosures regarding cyber incidents, even where the relevant materiality threshold has not been met. Although a similarly prescriptive approach has not been adopted in Australia, we expect the new SEC rules and the corresponding disclosure activity to influence shareholder expectations as to reporting on cybersecurity risks and incidents globally, as shareholders become accustomed to greater transparency.
  • We remain of the view that disclosure of cyber incidents (for the purposes of the ASX listing rule requirements) should generally only occur when the materiality threshold is satisfied. That said, we expect that determining whether a cyber incident has a 'material effect' and, therefore, warrants disclosure will continue to evolve and require the evaluation of a broad range of both qualitative and quantitative factors. The increased risk of class action proceedings following cyber incidents—especially if, as expected, the Federal Government introduces a direct right of action for breaches of the Privacy Act—will be relevant to this assessment.

The challenge

In the early stages of a cyber incident, little is known about its nature, scope and impact, and much of what is thought to be known often turns out to be wrong. Cyber forensic investigations and compromised data assessments can take weeks if not months to complete, making it difficult to assess the likely operational, financial and reputational impact and legal and regulatory exposure. What's more, public disclosures can create security risks (eg by revealing critical vulnerabilities to threat actors), impede internal and law enforcement investigations, and (where relevant) impact negotiations with threat actors.

We previously commented that the number of entities reporting a cyber incident to the ASX per year does not yet appear to have exceeded 10—this remains the case today (three disclosures were made in 2021, four in 2022, 10 in 2023 and two have been made to date in 2024).

Notwithstanding the decision in ASIC v RI Advice Group, ASIC has not prosecuted a company or any particular individual specifically for failure to notify ASX of a cyber incident.

Update to ASX Listing Rules Guidance Note 8

ASX recently issued an update to GN 8. The update introduces a new worked example to help illustrate when, in the context of a cyber incident, relevant information would, or would not, be expected to be disclosed to ASX.

To recap, cyber incidents that would reasonably be expected to have a material effect on the price of a listed entity's securities must be immediately disclosed to ASX (Listing Rule 3.1), unless (relevantly):

  • one of the following exceptions applies:[1]
    • it would be a breach of a law to disclose the information;
    • the information comprises matters of supposition or is insufficiently definite to warrant disclosure; or
    • the information is generated for the internal management purposes of the entity;
  • the information is confidential and ASX has not formed the view that the information has ceased to be confidential; and
  • a reasonable person would not expect the information to be disclosed.

(Listing Rule 3.1A). For more information, see Continuous disclosure obligations in the evolving age of cyberattacks and Coming clean and staying clean: continuous disclosure obligations in the age of the data breach.

Recent experience shows that cyber incidents can be (but are not always) material to the value of a listed entity's securities. However, it can be hard to assess the materiality of an incident in its early stages and to pinpoint the time at which the ASX Listing Rules (the Listing Rules) require information about the incident to be disclosed to the market.

The key takeaways from the updated guidance in GN 8 are as follows:

  • Disclosure will generally not be required where the company cannot yet ascertain the materiality of the cyber incident to the price or value of its securities due to limited information.
  • The fact that the cyber incident is developing, and all of the relevant facts are not yet known, is unlikely to justify (by itself) delaying disclosure of known information.
  • Confidentiality is not lost by dealing on a confidential basis with a relevant regulator in relation to the breach.
  • ASX may grant a trading halt or voluntary suspension to assist a company to manage its continuous disclosure obligations in relation to a material cyber incident, but a trading halt will never be granted for longer than two trading days (consistent with ASX's general position on trading halts), and a voluntary suspension will typically only be granted for the period that ASX thinks is reasonably necessary for the entity to release an announcement that complies with the Listing Rules.

Medibank shareholder class action

In 2023, two shareholder class actions were commenced against Medibank in the wake of a high-profile cyber incident. In these proceedings (which have been consolidated), the plaintiffs allege Medibank breached its continuous disclosure obligations by failing to disclose that the systems and controls it had implemented were (according to the plaintiffs' case) insufficient to mitigate the risk of a cyber incident or meet its obligations under APRA Prudential Standard CPS 234. There is a range of quite granular alleged cyber deficiencies that comprise the plaintiffs' non-disclosure case relating to Medibank's:

  • multifactor authentication processes;
  • network control system functionality (including monitoring for 'unusual activity' and 'lateral movement');
  • systems and processes for collecting, storing and protecting personal and private information; and
  • risks of unauthorised access to personal and private information by a 'hacker'.

In order to establish that Medibank contravened its continuous disclosure obligations, the plaintiffs will need to prove:

  • Medibank had deficient systems and controls (in the form alleged in the proceedings);
  • those alleged deficiencies constituted 'material information'; and
  • Medibank's officers were—or ought to have been—aware of those deficiencies.

Establishing each of these limbs of the claim will be challenging. In particular, given CPS 234 is not prescriptive, there will undoubtedly be disagreement between the parties in relation to both the scope of Medibank's cybersecurity obligations and the adequacy of its compliance throughout the period of the claim. These issues will be the subject of hotly contested evidence.

While the outcome of the proceedings remains to be seen, this class action activity serves as an important reminder to boards and management teams of the need to carefully consider continuous disclosure obligations, particularly in the event of an actual or suspected cyber incident or vulnerability, regardless of how material the incident appears on initial discovery.

For more on recent cyber incident class action proceedings, see Takeaways from the Optus and Medibank data breach class actions and Cyberwashing: a key focus for data breach class actions.

Adoption of new US SEC rules

In July 2023, the SEC adopted new rules that create the first cybersecurity-specific disclosure obligations for public companies in the US. At the time, SEC Chair Gary Gensler noted that investors want to know more about how issuers are managing growing cyber risks and that companies and investors would benefit if this information 'were required in a consistent, comparable and decision-useful manner'.

Under the new rules, public companies must disclose material cybersecurity incidents within four business days of determining that a cybersecurity incident is 'material', and also describe the material aspects of its nature, scope, timing and actual (or likely) impact. Disclosure may be delayed where the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. Companies are required to make the materiality determination 'without unreasonable delay'.

In addition to introducing disclosure requirements relating to material cybersecurity incidents, the new rules also require annual disclosures about:

  • cybersecurity risk management and strategy, including the company's processes (if any) for the assessment, identification and management of material risks from cybersecurity threats; and whether risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company's business strategy, operations or financial condition; and
  • cybersecurity governance and management, including the board's oversight of, and management's role in, assessing and managing cyber risks.

Since the rules took effect on 18 December 2023 (and as at the date of publication of this Insight), 17 companies have reported a cybersecurity incident under the new rules, though most don't appear to have met the relevant materiality threshold. As of March 2024, of the 11 disclosures filed, only two identified a material operational disruption and the remainder generally included a voluntary affirmative statement that the incident was not reasonably likely to materially impact the financial conditions or operation of the business. It is possible the new rules are prompting businesses to err on the side of notification where there is some doubt about the materiality of an incident.

To avoid confusing investors as to which incidents are material, Erik Gerding, the Director of the Division of Corporation Finance at the SEC, issued a statement on 21 May 2024 encouraging organisations that choose to disclose cybersecurity incidents that are not material, or that have not yet been determined to be material, to do so under a different form item.

The Statement also clarified that the materiality assessment 'should not be limited to the impact on "financial condition and results of operation"', and that 'companies should consider qualitative factors alongside quantitative factors'. For example, a company should consider whether the incident will 'harm…[its] reputation, customer or vendor relationships, or competitiveness'. Companies should also consider 'the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities'.

Additionally, on 16 May 2024, the SEC adopted a number of significant cybersecurity amendments to Regulation S-P, which applies to broker-dealers, investment companies and registered investment advisers. The amendments establish new requirements to notify customers of data breaches meeting a certain severity threshold within 30 days, as well as obligations regarding the content of incident response programs and minimum standards of service provider oversight. Companies captured by the regulation will have 18-24 months to comply with these new requirements.

What's next?

The timing and content of market disclosures regarding cybersecurity incidents are attracting increasing scrutiny, given the growing importance of cybersecurity as an environmental, social and governance issue, as well as current high-profile class action activity in this space. The ASX's update to GN 8 provides useful guidance in this respect, and we recommend listed entities review their cyber incident response documentation, to assess any internal trigger points for ASX disclosure against the new worked example.

Our view remains that disclosure of cyber incidents for the purposes of the Listing Rules should only occur where the relevant materiality threshold is met, despite the recent series of disclosures of non-material incidents in the US, following the SEC's adoption of new rules. However, as the ASX has clarified, it is important to be prepared to inform the market if the threshold is reached, even if aspects of the investigation are still in progress at that time. In these cases, organisations should take additional care to ensure that market disclosures accurately represent the status of the in-flight investigation and the degree of certainty regarding its findings.

Footnotes

  1. The exceptions to Listing Rule 3.1 also include circumstances where the information concerns an incomplete proposal or negotiation or is a trade secret, neither of which is typically relevant in the context of a cyber incident.