Only a small portion of publicly listed companies inform the ASX of cyber attacks and incidents, according to new findings.
University of Wollongong’s Professor Alex Frino analysed 36 cyber attacks across 27 companies that occurred between 2011 and 2021, finding that only a minority of companies reported cyber attacks to the exchange.
Frino compiled his list of attacks from ASX announcements made by the attacked companies, the Dow Jones Factiva news database and the Webber Insurance Database. Eighty per cent of the attacks related to IT, consumer, financial and communication services.
Of the 36 incidents analysed, “25 of the cyber attacks were only reported in the press, while only 11 were made public via ASX announcements”, said Frino.
He also found that several companies delayed announcing breaches to the public.
“There is substantial evidence of leakage of the information in the announcement for up to 30 days before it is formally announced by the ASX or media,” he said.
“This is not surprising, as cyber breaches can occur months before a company finds out, and companies may race to engage customers to rectify the impact of breaches before any announcement — hence there is significant opportunity for information leakage to occur.”
Frino has said that the average decline a business suffers when investors hear of a cyber attack is 5 per cent, which on average equates to a loss of $500 million.
Responding to the findings, the ASX has said that it plans to introduce new penalties for those that violate its market disclosure requirements.
As Frino pointed out, “there is currently no specific rule for a company to report cyber attacks to the market either in Australia or the USA”. The ASX’s disclosure policies do, however, require the announcement of any price-sensitive information.
Publicly listed logistics software start-up GetSwift recently faced a $15 million penalty, the largest faced by any company that has breached the ASX disclosure rules. Now, the ASX intends to increase fines further.
“ASIC submitted what we thought was a very high penalty against the two directors most implicated of $1 million each and 12-year disqualifications,” said ASX deputy chairman Sarah Court.
“We couldn’t find any similar case that went that far but Justice Lee said ‘no, that wasn’t enough’ and doubled the penalty to $2 million and increased the disqualification [for one of the directors] to 15 years.
“That is really the court telling us … that it will be prepared to impose both very high penalties against individuals, together with very high or lengthy disqualification orders, so absolutely that is something we will be considering in cases going forward.”
Referring to the Medibank hack, and the fact that a two-day trading halt occurred after the insurer notified the ASX of the breach, Court has said that the regulator is aware of the issue.
“The ASX is already onto this. There is an issue with timing. We accept it can be difficult in the early hours and days of an attack to really understand the extent and impact of the attack.
“But from our perspective in relation to the continuous disclosure, a cyber attack or breach could well be a material event which needs to be disclosed.”
ASX chief compliance officer Daniel Moran has issued a public warning, saying that all listed entities must report any information regarding a cyber attack as soon as possible.
He does, however, acknowledge that reporting before all the facts are known could lead to incorrect or incomplete information being provided.
In this case, organisations should consider halting trade temporarily before disclosing information later when it is confirmed.