Cyber security incidents and data breaches are becoming increasingly common. Whilst initial responses to cyber incidents and data security breaches will be operationally driven, the company’s continuous disclosure obligations must be met at the same time. A common challenge at this point is that the full scale and implications of the incident are not known.
Initial response announcements are a common approach and, generally, they detail that an incident has occurred, the persons affected and that an investigation has commenced. However, there is no ‘one size fits all’ approach and materiality is key to this assessment such that it is not always the case that disclosure is required.
In the M&A context, risk allocation for cyber and data security incidents is also under increasing scrutiny, and we expect to see more examples of transactions expressly dealing with the implications of such incidents.
Companies which are subject to the continuous disclosure regime know the rules: they must make immediate disclosure of material non-public price sensitive information unless the “confidentiality carve out” applies.
Data security is an important concern for company directors and management teams. This is on account not only of the greater amounts of data that companies are holding and using for their operational purposes but also the growing prevalence of malicious intrusion into the systems that hold and safeguard the data as well as the risk of mere human error which could result in a data leak.
Where a cyber security incident or data breach occurs, operationally there will be a number of considerations at play – for example, are customers, employees or other stakeholders affected? How can the immediate consequences of the security breach be stopped, mitigated, and remedied?
At the same time, it is critical to consider the company’s continuous disclosure obligations and whether an ASX announcement is required. Of course, as is the case with any potential disclosure issue, quantitative and qualitative factors should be considered.
A major challenge for a company that has discovered a cyber security incident or data breach is that the scale and significance of the security breach may not be immediately apparent – or it may be ongoing. In many cases, it may be necessary to engage cyber security experts on a program of work in order to ascertain the potential implications and the scale of the impact of the security breach. At that point, knowing what to say so as to give a full enough picture without causing undue alarm if it turns out to be a contained issue can be as challenging as resolving the problem itself.
A number of companies have released an announcement that explains that a disruption has occurred, its general nature and that further investigation is required. There are also examples of companies which have not made ASX announcements following a cyber attack. In these cases, whilst the “confidentiality carve out” may not have been available, from a factual perspective, the company will have formed the view that the issue is not materially price sensitive in light of all of the circumstances.
Companies should also consider if a notification obligation arises in other contexts, such as privacy laws for data breaches involving personal information or requirements under contract.
There is currently no specific obligation to report a cyber attack or cyber ransom payment. However, Parliament is currently considering new legislation which, if passed, would introduce incident reporting obligations. The Ransomware Payments Bill 2021 would require reporting to the Australian Cyber Security Centre, and the amendments made on 22 November 2021 to the Security of Critical Infrastructure Act 2018, detailed in the Security Legislation Amendment (Critical Infrastructure) Bill 2021, create an enhanced cyber regulatory framework across an expanded set of essential services, which includes incident reporting obligations.
As part of a company’s usual activities to prepare for what to do in the event of a cyber attack, the company’s approach to its continuous disclosure obligations should also be mapped out.
Risk allocation for cyber and data security incidents in the context of deals
With increasing consciousness of the scale of the potential effects of cyber security and data incidents we expect to see more express allocation of risk relating to the effects of a cyber security incident.
That said, there is no single approach to that risk allocation and, where risk is allocated, the question for certain types of businesses can also turn on the nature of the cyberattacks or data breaches that should qualify.
For example, the scheme implementation deed relating to PEP’s acquisition of The Citadel Group included a condition precedent relating to no cyber security incident having occurred that resulted in:
- a shutdown of Citadel’s systems or operations for more than one week that resulted in a breach of the customer service level requirements and where the shutdown was likely to have a material adverse effect on the business, assets, operations, performance or prospects of the Citadel Group as a whole; or
- customer confidential data or information received by Citadel Group pursuant to a contract which was material to the business of the Citadel Group being accessed by an unauthorised third party (unless it would not be likely to have a material adverse effect or the customer acknowledged that it was not caused by Citadel).
By contrast, in the scheme implementation deed for the Afterpay / Square, Inc merger, “cyberattacks” on either Afterpay or Square, Inc were excluded from the definition of Material Adverse Effect, and the term “cyberattacks” was not defined.
There is no one right approach, but where the risk of cyber and data security incidents is expressly allocated, what is needed is careful consideration of the nature of the incidents to which the relevant business may be subject and the level of materiality at which the relevant consequences, such as termination rights, should be enlivened.