The Australian Securities Exchange (ASX) has recently updated its continuous disclosure Guidance Note with new Data Breach Examples, effective from 27 May 2024. These examples aim to assist ASX-listed entities in determining whether a data breach scenario constitutes market-sensitive information or falls within exceptions from continuous disclosure rules.
The Data Breach Examples outline various hypothetical data breach scenarios, such as breaches of encrypted versus unencrypted data, blackmail threats, disclosure to regulators, ransom payments, and more. These scenarios help clarify when disclosure to the market is necessary under ASX rules.
The new guidance is particularly timely given the increased scrutiny of how entities respond to cybersecurity incidents. The ASX’s focus on data breach disclosure is crucial in light of recent high-profile breaches that have raised concerns among shareholders, regulators, and the media.
While the Data Breach Examples provide valuable guidance, it’s essential to remember that each data breach is unique, and a one-size-fits-all approach may not apply. Entities must carefully consider the consequences of non-disclosure, including the risk of private litigation or regulatory enforcement action.
Moreover, anticipated reforms to the Australian Privacy Act may impose stricter reporting requirements on entities experiencing data breaches. These reforms could shorten the time frame for notifying regulators and affected individuals, necessitating faster assessment and decision-making by ASX entities.
In response to these potential changes, ASX entities are advised to have a data breach rapid response plan in place. This plan should include draft announcements for various scenarios and establish a rapid response team to address breaches promptly.
When preparing an ASX announcement in the event of a disclosable data breach, entities should ensure the announcement contains all material facts, the impact on operations or financial position, actions being taken, and expected updates. Care should be taken when referencing independent investigations in announcements to avoid jeopardizing legal privilege.
In conclusion, the ASX’s updated guidance on data breach disclosure provides valuable insights for listed entities facing cybersecurity incidents. By following the outlined principles and preparing in advance, ASX entities can navigate data breaches effectively and meet their disclosure obligations in a timely manner.