By Karissa A. Breen
In recent months, the Australian corporate regulator ASIC has warned that it will be seeking record penalties for breaches of market disclosure, and in particular, those related to cyber attacks.
This is an issue of particular concern given the prevalence of cyber attacks in Australia, which is one of the most targeted countries in the world. The financial cost of a cyber attack is considerable, and the potential reputational damage can be even greater.
It is therefore essential that financial markets remain transparent and that investors are provided with information about any material risks that could affect the performance of a listed company.
Unfortunately, recent research from the University of Wollongong has found that only 11 out of the 36 cyber attacks against ASX-listed companies in the past decade were reported to sharemarket investors before being reported by the media.
This means that many investors were unaware of potential risks to their investments and could have been adversely affected by the lack of information.
Sean Duca, VP and Regional Chief Security Officer – Asia Pacific & Japan at Palo Alto Networks, commented,
“Australians are becoming increasingly aware of the value of their personal information, so it makes sense that the corporate regulator treats duty of care towards data protection in a similar way to fiduciary duty.”
It is encouraging to see ASIC taking this issue seriously, and in its enforcement priorities for 2023 it has indicated that a “strong focus” on cyber and operational resilience will be adopted.
It appears that ASIC is looking to send a strong message to companies that they must adhere to disclosure rules and that significant penalties may be imposed if they are not observed.
This is a positive step forward in protecting investors, as it will help ensure that they are adequately informed and protected against potential risks.
It will also act as a deterrent to those companies that may be tempted to hide or delay the disclosure of cyber attacks in order to protect their share price.
Ultimately, the aim of ASIC’s crackdown on market disclosure breaches is to ensure that investors are better informed and their investments are protected. This is a welcome development and one that investors should take seriously.
“Organisations have a duty of care to their customers, employees, and other stakeholders to protect their personal information. Companies have an ethical and legal responsibility to protect this data to the best of their abilities. Swift disclosure is key to mitigating the effects of a data breach on the individuals whose data is compromised,” comments Duca.
“In our experience, most data breaches will eventually become public. Companies risk eroding hard-earned trust and goodwill if they don’t proactively disclose breaches in a timely fashion,” Duca responds.
In conclusion, it is clear that cyber attacks pose a significant risk to the financial markets in Australia. Investments in listed companies can be significantly impacted by cyber attacks, and it is therefore essential that investors are provided with all material information related to cyber security risks. ASIC is right to pursue record penalties for breaches of market disclosure and it is encouraging that some progress has been made in increasing the levels of disclosure of cyber attacks. Nevertheless, there is still a long way to go to ensure that all ASX-listed companies are adequately reporting all cyber security risks to investors.