The 4 Rs of cyber security

18 June 2024 | By Laura Dew

As AFSLs cite cyber security as their biggest compliance fear, law firm Hopgood Ganim has shared the four steps firms need to take if they suffer a breach. 

Yesterday, Money Management covered a licensee report from compliance firm Holley Nethercote that cyber security is the “greatest identified compliance risk and concern” for advice firms.

Law firm Hopgood Ganim described the duties as the four Rs: readiness, response, recovery and remediation.

Failure to promptly notify of a data breach is a breach of ASX listing rules and could have serious legal consequences for contravening the Corporations Act.

“Accurate and timely disclosure of a data breach will be required as part of the ‘response’ phase of a cyber crisis. However, boards should also take steps during the ‘readiness’ phase to ensure they are prepared to discharge their continuous disclosure obligations easily and effectively during the ‘response’ phase,” the firm said.

Earlier this year, financial technology platform Iress suffered a cyber incident and issued three statements to the ASX: one detailing unauthorised access to an Iress code repository, followed by two subsequent updates about the incident affecting OneVue customers and about statements made by an alleged threat actor.

The decision on whether disclosure is required hinges on the confidentiality exception and on whether the matter is sufficiently definite to warrant disclosure.

At the time of the discovery of a data breach or when a ransom email is received, no disclosure is required as it is not yet possible to determine if the breach is material to the share price, but the ASX does expect the company to undertake forensic work “with urgency”. 

By the time the firm is in discussion with the regulator, they should have at least drafted a statement ready for the market in the event that the breach ceases to be confidential. 

Although they may not be required to disclose, Hopgood Ganim still recommended engaging with the ASX as early as possible and to seek legal advice. This would not breach confidentiality for the purpose of the exception so long as the engagement is on a confidential basis.

If the firm’s investigation discovers that personal information has been exfiltrated, it is required to notify the Office of the Australian Information Commission that sensitive information has been taken, even if the full extent is not yet known.

Disclosure to the market becomes necessary once affected customers are notified, since the matter is then no longer confidential and could materially affect the share price, or when the extent of the data breach is so large that it warrants immediate disclosure. The firm may also need to make a disclosure if a journalist approaches it for comment about an alleged incident.

The statement needs to include:

  • A description of what has occurred.
  • The material facts known about the data breach.
  • Any material impact on operations or financial position that the entity is aware of at the relevant time.
  • The action that the entity is taking in response to the data breach.
  • When the entity expects to be in a position to update the market.

The company needs to have sufficient information regarding the circumstances of the data breach and potential implications even if they have not yet completed the full investigation. In certain circumstances, a trading halt may be needed to allow time to prepare an accurate and complete disclosure which includes all material information known at the time.

Subsequent ransom requests do not require disclosure as the ASX considers the company has already shared the relevant price-sensitive information, but it would be required if the cyber criminal went ahead and released a large volume of data publicly.

