
ASIC has issued a strong warning to listed companies about their continuous disclosure obligations for cyber security incidents.

Recent findings have revealed that only 11 out of 36 cyber-attacks against listed companies in the past decade were initially disclosed to investors, a cause for concern for ASIC. As a result, Deputy Chairman Sarah Court has stated that the regulator is elevating and focusing on cybersecurity as an enforcement priority.

The warning from ASIC follows the $15 million fine imposed on GetSwift by the Federal Court for continuous disclosure breaches, the largest fine in Australia for a company’s failure to follow market disclosure rules. Ms Court has signalled that the regulator will consider pursuing higher fines in future cases. She has also emphasised that listed companies must immediately disclose a cyber incident or data breach to the ASX when a reasonable person would expect it to have a material effect on the price or value of the company’s securities.

Although determining the extent and impact of a cyber-attack in its early stages can be challenging, listed entities must remember the continuous nature of their obligations and that a cyber-attack or breach may reach the threshold of a material event requiring disclosure.

Listed entities should review their continuous disclosure plans, engage with their ASX adviser quickly in the event of a cyber incident, and consider if more than one announcement is necessary when additional information becomes known regarding the nature and extent of a cyber incident.

Furthermore, where a company is unaware of market-sensitive information, it is reasonable to seek a brief voluntary suspension while conducting investigations to gather facts for disclosure to the market.

In conclusion, planning is critical for cyber security incidents, and listed entities must take their continuous disclosure obligations seriously.

ASIC’s warning emphasises the need for listed entities to review and comply with their continuous disclosure plans and promptly engage with their advisers in the event of a cyber incident.