New Guidance Released for Australian Listed Companies on Continuous Disclosure Obligations During a Cyber Incident
By: Cameron Abbott, Andrew Gaffney, Harry Kingsley, Rob Pulham, and Stephanie Mayhew
Australia’s corporate regulator, ASIC, has released new guidance on how to comply with market disclosure requirements when a listed company is in the middle of investigating and responding to a cyber incident.
The example appears in the updated Guidance Note 8 Continuous Disclosure: Listing Rules 3.1 – 3.1B. It illustrates how existing ASX policy applies to a hypothetical data breach scenario that unfolds throughout the example (much like the continuous developments and unfolding knowledge in a real data breach), with commentary on the Listing Rule 3.1A exception, the contents of the company’s potential announcements, confidential engagement with relevant authorities, and trading halts and voluntary suspensions.
A marked-up copy of the Guidance Note can also be viewed here. The discussion of the different scenarios that often arise in a data breach, with ASX commentary on how the ASX Continuous Disclosure obligations apply to them, commences at page 90 in this link.
The updated Guidance Note takes effect from 27 May 2024.
In part, this is a reminder of yet another layer of complexity in the increasing compliance obligations on companies facing cybersecurity risks. But if saved in your data breach response plan, it may in time prove a valuable and repeatedly visited resource for leaders of public companies to help guide them through a crisis.