GILES RAFFERTY, Corporate Communication and Media Advisor
It feels more like ‘when’ and not ‘if’ companies will face data breaches. In the last week, reports have emerged of a hacker trying to sell data from 30 million Ticketek customers, following Ticketek’s announcement of a data breach on 31 May 2024. With the growing prevalence of data breaches, the ASX has updated its guidance on a listed entity’s disclosure obligations in relation to data breaches to include an example of how and when a company should respond.
A company must immediately disclose information that might reasonably be expected to have a material effect on its share price. What constitutes ‘market sensitive information’ is often open to debate, but it will likely include information relating to data breaches.
The responsibility for overseeing a company’s response to a cyber security issue, such as a data breach, rests with the Board, whose members are expected to be proactive in establishing appropriate cyber security systems and controls. The Australian Institute of Company Directors (AICD) has developed a Cyber Crisis Guidance framework to help Boards respond to and recover from a cyber security incident. The framework is built around four areas – Readiness, Response, Recovery and Remediation. Disclosure to the market of a cyber breach sits within the Response phase, but thought should be given to how best to meet disclosure obligations arising from a data breach during the Readiness phase.
The ASX is proposing to include an example of how a data breach might trigger the need for market disclosures, as part of an updated Guidance Note 8. Notably, in the ASX’s view, the discovery of the data breach, receipt of a ransom demand, engagement with regulators and even confirmation that personal information has been exfiltrated are not, in and of themselves, necessarily reasons to disclose a data breach to the market. The key consideration is the point at which the impact of the data breach becomes public: most likely the point at which the company notifies affected individuals, the point at which the perpetrators of the data breach go public, or the point at which details of the data breach are leaked to a journalist.
As soon as a breach has been identified, a company is expected to bring in, on a confidential basis, a forensic expert to assess the extent of the breach and an IR and corporate communications expert, such as FIRST Advisers, to begin developing a data breach market release. Then, if knowledge of that data breach makes its way into the public domain, a company is expected to immediately release a market announcement.
As the full extent and potential impact of a data breach is explored, it is important that the IR and communications advisers scenario plan for the different ways in which the confidentiality of the breach may be compromised, e.g. the perpetrator releasing sensitive personal information or a journalist writing a story about the breach. This scenario planning should include a continuous process of updating draft data breach market announcements to reflect the evolving and often complex issues related to the breach, e.g. what level of detail is required around how a company’s systems were compromised, or when to disclose plans to remediate affected customers. Once the initial market announcement has been released, the ASX example indicates there will likely be a requirement for further disclosures as new material information is uncovered, e.g. confirmation that sensitive personal information has been made public on the dark web. These follow-up disclosures will also need to be carefully crafted.
Each instance of a data breach will need to be assessed on an individual basis. The ASX example, however, provides some key actions the Board should consider, which include:
- Immediately engage a forensic expert to assess the extent of the data breach.
- Maintain confidentiality to allow the forensic expert time to assess the data breach.
- Prepare and continuously update a draft data breach announcement.
- Engage with the ASX to ensure disclosure obligations are being properly managed.
- Ensure there is sufficient, verified information prior to disclosing the breach.
- Consider a trading halt to provide time to finalise details prior to releasing the announcement.
- Continue to release market updates as new material information is confirmed.
Fast, accurate and accessible market communications around a data breach will help give investors confidence that the issue is being well managed. The support of advisers from an integrated investor relations and corporate communications agency, such as FIRST Advisers, can be invaluable. Combining the rigour and precision of an IRO with a corporate communicator’s art of positioning a story can help create an effective continuum of market communications that places a data breach in the appropriate context.