As AFSLs cite cyber security as their biggest compliance fear, law firm Hopgood Ganim has shared the four steps firms need to take if they suffer a breach.
Yesterday, Money Management covered a licensee report from compliance firm Holley Nethercote that cyber security is the “greatest identified compliance risk and concern” for advice firms.
Law firm Hopgood Ganim described the duties as the four R’s of readiness, response, recovery and remediation.
Failure to promptly notify of a data breach is a breach of ASX listing rules and could have serious legal consequences for contravening the Corporations Act.
“Accurate and timely disclosure of a data breach will be required as part of the ‘response’ phase of a cyber crisis. However, boards should also take steps during the ‘readiness’ phase to ensure they are prepared to discharge their continuous disclosure obligations easily and effectively during the ‘response’ phase,” the firm said.
Earlier this year, financial technology platform Iress suffered a cyber incident and issued three statements to the ASX: one detailing unauthorised access to Iress code repository, followed by two subsequent updates about it affecting OneVue customers and statements made by an alleged threat actor.
The decision whether disclosure is required or not hinges on an exception regarding confidentiality and whether the matter is sufficiently definite to warrant disclosure.
At the time of the discovery of a data breach or when a ransom email is received, no disclosure is required as it is not yet possible to determine if the breach is material to the share price, but the ASX does expect the company to undertake forensic work “with urgency”.
By the time the firm is in discussion with the regulator, they should have at least drafted a statement ready for the market in the event that the breach ceases to be confidential.
Although they may not be required to disclose, Hopgood Ganim still recommended engaging with the ASX as early as possible and to seek legal advice. This would not breach confidentiality for the purpose of the exception so long as the engagement is on a confidential basis.
If the firm’s investigation discovers personal information has been exfiltrated, then it is required to notify the Office of the Australian Information Commission that sensitive information has been taken, but the extent is not yet known.
The need for disclosure to the market kicks in once affected customers are notified as this means it is no longer confidential, which could materially affect the share price, or when the extent of the data breach is so large that it warrants immediate disclosure. They may also need to make a disclosure if a journalist approaches for a comment about an alleged incident.
The statement needs to include:
- A description of what has occurred.
- The material facts known about the data breach.
- Any material impact on operations or financial position that the entity is aware of at the relevant time.
- The action that the entity is taking in response to the data breach.
- When the entity expects to be in a position to update the market.
The company needs to have sufficient information regarding the circumstances of the data breach and potential implications even if they have not yet completed the full investigation. In certain circumstances, a trading halt may be needed to allow time to prepare an accurate and complete disclosure which includes all material information known at the time.
Subsequent ransom requests do not require disclosure as the ASX considers the company has already shared the relevant price-sensitive information, but it would be required if the cyber criminal went ahead and released a large volume of data publicly.
