The Australian Securities and Investments Commission (ASIC) has issued a warning that it plans to impose unprecedented penalties for violations of market disclosure requirements, following recent revelations that publicly listed companies are breaking the law by neglecting to disclose significant cyber-attacks.
The announcement came on the heels of a $15 million penalty imposed on logistics software start-up GetSwift, the largest fine ever for a breach of market disclosure rules in Australia. According to Sarah Court, ASIC’s deputy chairman, the regulator intends to pursue even steeper fines going forward.
“ASIC submitted what we thought was a very high penalty against the two directors most implicated of $1 million each and 12-year disqualifications,” Ms Court said. “We couldn’t find any similar case that went that far but Justice [Michael] Lee said ‘no, that wasn’t enough’ and doubled the penalty to $2 million and increased the disqualification to 15 years [against one of the directors].
“That is really the court telling us … that it will be prepared to impose both very high penalties against individuals, together with very high or lengthy disqualification orders, so absolutely that is something we will be considering in cases going forward,” said ASIC deputy chair Sarah Court.
The University of Wollongong’s Professor Alex Frino has reported that, in the past decade, only 11 of the 36 cyber-attacks against ASX-listed companies that were covered by the media were first reported to share market investors.
Yet his research has shown that when investors find out that a company has been “successfully” cyber-attacked, its market value declines by an average of 5%, which translates to an average loss of $500 million per company.
This suggests that the companies are violating their market disclosure obligations since the cyber-attacks seem to be significant events. Notable ASX-listed companies that have suffered cyber-attacks in the past decade include ANZ, CBA, Telstra, and Wesfarmers.
However, Professor Frino has declined to specify which companies he believes may have broken the law.
The recent hack of Medibank Private, which occurred after his study, resulted in a two-day trading halt after the insurer informed the market of “unusual activity” on October 13. Initially, Medibank stated that no customer data had been breached, but subsequent disclosures revealed that the situation was more severe.
Ms Court said the regulator was well aware of the issue.
“We are well aware of these kinds of issues and cyber is an enforcement priority that we are continuing to elevate and focus on,” she said.
“The ASX is already onto this. There is an issue with timing. We accept it can be difficult in the early hours and days of an attack to really understand the extent and impact of the attack.
“But from our perspective in relation to the continuous disclosure, a cyber-attack or breach could well be a material event which needs to be disclosed.”
Following the cyber-attacks on Medibank Private and Optus last November, Daniel Moran, the ASX’s chief compliance officer, issued a warning that publicly listed entities must report all known information about cyber-attacks as early as possible. However, to avoid providing false or incomplete information, companies should consider implementing brief trading halts. This approach will provide the necessary time to gather accurate information and disclose it to the market in a timely manner, ensuring investors have all the relevant information needed to make informed decisions.
“This doesn’t mean a company can go into a trading halt to defer disclosing market sensitive information, just where the relevant facts aren’t known due to an unfolding situation,” he said.
How can Oper8 Global Help?
- Cybersecurity Management: Oper8 Global can assist ASX-listed companies in creating and managing a robust cybersecurity program. This program will include security assessments, risk management, security operations, and incident response planning to help prevent cyber-attacks or reduce their impact.
- Compliance Management: Oper8 Global can assist companies in complying with market disclosure obligations and other regulatory requirements related to cybersecurity. This includes ensuring that all material events, such as cyber-attacks, are promptly reported to investors and relevant authorities.
- Cloud and Data Center Solutions: Oper8 Global provides cloud and data centre solutions that can enhance the security and resilience of an organization’s IT infrastructure. This includes secure hosting, data backup, disaster recovery, and other services that can help minimize the impact of a cyber-attack.
- User Training and Awareness: Oper8 Global can provide employee training and awareness programs to help reduce the risk of a successful cyber-attack caused by human error, such as phishing attacks or social engineering.
By engaging Oper8 Global’s services, ASX-listed companies can improve their cybersecurity posture, comply with regulatory requirements, and minimize the impact of cyber-attacks.