Cyber Security Event Incident Response - Regulatory Obligations Update
Overview
Cyber security, and especially cyber security event incident response and management, isn't just about technology. It's about identifying risk, deciding what level of risk an organisation is willing to accept, mitigating the risk efficiently and commercially sensibly, and how prepared you are to respond to, and be resilient to, an event.
A holistic approach to cyber risk management is required. Translated, an effective approach needs to be underpinned by the understanding and practice that truly effective cyber risk management goes beyond a technical focus. Understanding regulatory obligations is a key aspect of a resilience-led and resilience-focused approach.
In the context of an evolving cyber security event - whilst all organisations need to prepare for a potential event - ASX listed companies face an increased burden when it comes to responding to cyber events and deciding how to discharge their continuous disclosure obligations. These decisions – in our experience – often have to be made with little, or a suboptimal level of, information, during evolving and complex circumstances, and under real-time pressure.
ASX Guidance
To that point, the ASX (on 16 May 2024) released “Guidance Note 8: Continuous Disclosure: Listing Rules 3.1 - 3.1B”, providing practical guidance for listed organisations on how to appropriately manage continuous disclosure obligations in the event of a data breach.
Taking effect from 27 May, it is a must-read for all listed entities: it walks through the various stages of a cyber incident, recognises the need for a company to work through what has happened before disclosure may be required, and discusses the implications of engaging with regulators before the incident has been disclosed. Non-listed entities would be equally well placed to read the document and use it as guidance and as part of their playbook.
SEC Guidance
Looking abroad, the Guidance Note is timely given the SEC’s recent move to clarify the definition of materiality when it comes to reporting cyber events. The U.S. Securities and Exchange Commission has attempted to clear up when it expects public companies to report a cyber attack or event under its own new rules, which came into force in December 2023.
The SEC requires public companies to report a cyber attack four business days after it is determined that the attack will have a material impact on their operations, but critics have queried how companies should make such a determination.
The SEC released its stance on filing "placeholder" 8-Ks (a practice that had become more common given the uncertainty around the materiality test and when the threshold is reached). In summary, it believes registrants should refrain from filing Item 1.05 8-Ks if they cannot explain the materiality of an incident, but they may file Item 8.01 8-Ks instead. This position aims to prevent market confusion over potentially contradictory financial disclosures.
Overview/Conclusion
Links to both are below. Together, the positions taken by the two regulators offer good insight into the direction of the broader regulatory space when it comes to cyber events. They also speak to the importance – specific to insurance – of ensuring an organisation’s insurance program, specifically its D&O, Cyber and, if applicable, Tech E&O/IT program, is aligned to respond appropriately in such instances. The insurance market is responding in various ways, which dictates the need for specialist expertise.
References
- https://www.kwm.com/au/en/insights/latest-thinking/asx-provides-welcome-cyber-breach-disclosure-guidance-update-to-guidance-note-8.html
- https://www.claytonutz.com/insights/2024/may/asx-decodes-data-breach-continuous-disclosure-obligations
- SEC.gov | Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents