ASIC and the courts have shown they are serious about clamping down on companies that breach continuous disclosure laws. This includes companies which do not notify their shareholders of a cyber attack.
Record fine for not following market disclosure laws
The corporate regulator Australian Securities & Investments Commission recently levied a record $15 million fine against a company, signalling a hard line against businesses that do not follow market disclosure laws.
ASIC deputy chair Sarah Court said the watchdog had also originally sought a penalty of $1 million and a 12-year disqualification for each of the directors of the logistics software company GetSwift, but for one of the directors the judge doubled the penalty to $2 million and made the disqualification for 15 years. (Please see Federal Court sanctions GetSwift with record continuous disclosure penalty, ASIC, 17 February 2023.)
The court found the software start-up had falsely told investors it had made agreements with major clients including Amazon, but in reality they were only trials, or even trials which were being contemplated. (Please see Australian Securities and Investments Commission v GetSwift Limited (Liability Hearing) [2021] FCA 1384.)
These misleading claims led to GetSwift’s share price rising by 800 per cent. The company has since gone into voluntary liquidation.
Companies reluctant to comply with cyber attack disclosure rules
The punishment demonstrates ASIC and the courts are serious about taking strong action against companies that breach continuous disclosure laws. This includes notifying shareholders of a cyber attack. (Please see ASIC to get tough on cyber attack disclosure, CyberSecurity Connect, 21 February 2023.)
The crackdown comes as research by the University of Wollongong found only 11 of 36 incidents of cyber attack against ASX-listed companies reported by the media were first reported to share market investors, as required by law.
Professor Alex Frino told the Australian Financial Review a company that has been the target of a cyber attack loses about five per cent in market value – an average loss of $500 million per company – when the attack becomes public knowledge.
Government toughening cyber attack laws
The federal government has also announced it will toughen laws over the next year to combat the threat of cyber attack. This will include widening the types of businesses required to comply with cyber security measures, new cyber security obligations and standards across industry and government, and the new post of national cyber security co-ordinator.
The existing Cyber and Infrastructure Security Centre (CISC) requires businesses in telecommunications, defence, energy, financial services, food, water, hospitals, education and transport to put in place critical infrastructure risk management programs. (Please see Risk management program rules of critical infrastructure assets guidance, Department of Home Affairs, February 2023.)
Following the disastrous hacks of Medibank and Optus in 2022, the aim is to ensure companies have installed adequate anti-hacking measures to protect the personal data they hold from being stolen.
Tough penalties for failing to implement adequate cyber security
The CISC rules came into force on 17 February 2023. Businesses must implement them within six months. Companies will have to submit an annual report to CISC within 90 days of the end of the financial year, starting from 30 June 2024.
Even tougher cyber security laws are expected to be introduced in the future. Businesses will have to keep abreast of these changes or they could face serious consequences.
One financial services company which failed to have adequate cyber security as required under section 912A of the Corporations Act was recently fined $750,000. (Please see Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 2) [2021] FCA 877.)
Cyber Security Minister Clare O’Neil said existing cyber laws will be strengthened by adding customer data and systems to the definition of critical infrastructure. This will give government authorities the power to intervene in major data breaches.
Development of 2023-2030 cyber security strategy
The government is developing a 2023-2030 cyber security strategy for Australia. (Please see 2023-2030 Australian Cyber Security Discussion Paper.)
ASIC provides information, including links to a number of resources, to help organisations and individuals improve their cyber resilience. (Please see Cyber resilience.)
The Australian Cyber Security Centre also provides advice on protecting yourself from a cyber attack and reporting a cyber security incident.