Continuous disclosure during a cyberattack

Complying with continuous disclosure obligations can be difficult at the best of times for listed entities and even more so when details of the event triggering the obligations are uncertain or unknown.  In the midst of a cyberattack it can be difficult to determine what information to disclose and when to disclose it.  However, failing to do so can lead to legal and reputational issues for an entity.  

An increasingly common and practical way to manage this issue is to use trading halts and voluntary suspensions.  Traditionally these have been used in situations which are within the listed entity's control.  However, recently, trading halts and voluntary suspensions seem to have been used successfully to assist listed entities comply with their continuous disclosure obligations during cyberattacks.

The difficulty of complying with market disclosure requirements during a cyberattack 

Continuous disclosure obligations in Australia require listed entities to disclose immediately any information they become aware of that a reasonable person would expect to have a material effect on the price or value of their securities. 

In the early stages of a cyberattack, listed entities are faced with circumstances where the extent and scope of the cyberattack is not fully known and new information is continuously coming to light.  During a cyberattack a listed entity is  "in the dark" as to the next step the threat actor will take, not knowing when or if the threat actor will cripple the entity's operations or release sensitive information, or both. 

Due to these "known unknowns", it can be extremely difficult for a listed entity to know what facts exist that may have a ‘material effect on price or value’ of its traded securities.  ASX has recognised this difficulty but has indicated that it is unwilling to implement prescriptive thresholds as to what comprises a “material effect” in the context of a cyberattack.  Pleasingly, ASX has indicated that it will update Guidance Note 8 to include a cyberattack example which will hopefully provide listed entities with some much needed guidance.

For further details on continuous disclosure obligations in Australia see (1) below.

The use of trading halts and voluntary suspensions in managing continuous disclosure obligations 

In response to these issues and the substantial increase in cyberattacks on Australian companies, the ASX community seems to have developed an "action plan" to manage their disclosure obligations in a practical way.

The "action plan" appears to contain the following steps once a listed entity becomes aware of a cyberattack:

• convene the continuous disclosure committee;
• contact the entity's listings officer and request a trading halt.  The pre-prepared trading halt contains a statement similar to the following: "X requests a trading halt to enable it to manage its continuous disclosure obligations in relation to a cyber incident";
• at the end of the 48 hour trading halt period, a request is made to voluntarily suspend the entity's securities from quotation in order to "manage its continuous disclosure obligations" and "due to the implications of the cyber incident initially announced on x date"; and
• at the end of the voluntary suspension, seek reinstatement after providing some form of update to the market, noting that investigations are continuing.

The fact that trading halts and suspensions prevent trading in ASX-quoted securities and related derivatives make both trading halts and suspensions an important and effective tool for managing the risks associated with the continuous disclosure obligations under Listing Rule 3.1.  Use of trading halts and voluntary suspensions may also help to reduce the exposure of the entity and its officers to the legal and financial consequences that could follow if the entity is ultimately found to have breached its continuous disclosure obligations.

For further information on trading halts and voluntary suspensions see (2) below.

Prepare an action plan

The key for listed entities is preparedness and having a 'trading halt action plan'. This includes:

• agreeing the circumstances in which a trading halt will be sought and having a draft trading halt application prepared.  The trading halt should also be available in hard copy in case the entity's systems cannot be accessed during a cyberattack;
• agreeing the circumstances in which a voluntary suspension will be sought, and for how long;
• speaking with the entity's listings officer in advance to agree a protocol for out of hours contact; and
• considering the impact of the entity's securities being suspended for an extended period of time, including the impact this may have on the entity's ability to rely on the cleansing notice regime for future securities issues. 

It is important to remember that the continuous disclosure obligations are ongoing and extend beyond initial disclosures. Listed entities must ensure that the information provided remains accurate and updated, keeping the market sufficiently informed in the aftermath of a cyberattack. Difficult judgement calls may be required as to whether an announcement is required if a cyberattack leads to interest or action by regulators, major customers or suppliers, shareholders or other key stakeholders.

____________________________________________________________

(1) CONTINUOUS DISCLOSURE OBLIGATIONS IN AUSTRALIA

The continuous disclosure obligations in Australia require a listed entity to immediately disclose any information it becomes aware of that a reasonable person would expect to have a material effect on the price or value of the entity's securities.  The obligations extend beyond the initial disclosure- listed entities must ensure that the information disclosed remains accurate and up to date.

The following questions may assist in determining whether disclosure is required pursuant to Listing Rule 3.1:

1.1  Information

What information do we have?

‘Information’ which must be disclosed includes information necessary to prevent or correct a false market.  The court has acknowledged that 'information' required to be disclosed in each case depends heavily on the factual circumstances. 

Despite the difficulties of providing adequate disclosure in circumstances where a threat is dynamic and all information is not available, the primary requirement for a listed entity is to enhance confident and informed participation by investors in the market by providing known facts to the market.  ASX Chief Compliance Officer, Daniel Moran, states, "the goal is not perfect information, the goal is to get the information that you need to disclose to the market."

1.2  Becomes aware

Has an officer of the entity come into possession of the information in the course of the performance of their duties, or ought reasonably to have come into such possession? 

Awareness of information involves a consideration of what information the entity is actually aware of at the time it is considering whether to disclose information to the market.  Failure of an officer to have the knowledge of the relevant facts surrounding a cyberattack (when they ought reasonably to have known) will not enable an entity to avoid its continuous disclosure obligations. 

1.3  Reasonable person 

Would people who commonly invest in securities be or be likely to be influenced by this information in deciding whether or not to buy or sell the entity's securities?

A 'reasonable person' in this context is assessed by reference to 'people who commonly invest in securities'.   The reasonable person test excludes traders who trade into and out of securities during short-term price fluctuations.

It is important to consider if the information would influence a reasonable person's decision to trade securities at current market prices or raise concerns about insider trading due to possession of non-public information.

1.4  Material effect

Is the information non-trivial and would it (or would it be likely to) influence a decision to buy or sell securities in the entity? 

The test of whether information has a material effect on the price or value of an entity's securities must be determined with reference to the anticipated magnitude of the event on the entity's affairs.

ASX does not prescribe a threshold for determining "material effect" and requires entities to assess investor reaction when disclosing information.  Evidence of the impact of disclosed information on the share price may be relevant to a consideration of whether the continuous disclosure obligations have been breached. 

1.5  Exceptions to disclosure 

There are various exceptions to the continuous disclosure obligations, including if the information comprises matters of supposition or is insufficiently definite to warrant disclosure.  However, for an exception to apply, it must also be proven that the information is confidential and the ASX has not formed the view that the information has ceased to be confidential and that a reasonable person would not expect the information to be disclosed. 

(2) TRADING HALTS AND VOLUNTARY SUSPENSIONS 

2.1 What is a trading halt?

A trading halt is a temporary break in trading which does not involve a formal suspension from quotation. 

When ASX agrees to a trading halt in an entity’s securities under Listing Rule 17.1, those securities are placed into the “trading halt session state” on the ASX trading platform.  ASX market participants are still able to place, amend or cancel orders for, but are not able to trade in, the securities.  Existing orders for the securities in the ASX trading platform are not automatically purged, as they are in the case of a voluntary suspension.  They remain in the trading platform with the same price/time priority and are available for execution when trading resumes after the halt has been lifted.

The ASX may agree to a request for a trading halt or voluntary suspension where: 

• trading in the affected security might occur while the market as a whole is not reasonably informed;
• there could be a false or disorderly market in the affected security; or
• it is otherwise reasonably required by a listed entity to manage its continuous disclosure obligations.

2.2  How to request a trading halt

An entity should contact its home branch to request a trading halt.

ASX may require a request for a trading halt to be in writing.  In practice, ASX will consider a verbal request from an entity for a trading halt but will require the request to be confirmed in writing as soon as practicable.  The entity’s written request for a trading halt will be released on the ASX Market Announcements Platform.  It should take the form of a letter to ASX on the entity’s letterhead that includes the information required by Listing Rule 17.1

An entity should give ASX the earliest possible notification that it may or will be requesting a trading halt, especially if it has advance warning of the possible need for the trading halt or if it wants the trading halt to be in place by a particular time.

If the request for a trading halt is made during normal office hours for the entity’s home branch, the entity should telephone its home branch first to alert ASX to the request for the trading halt and to discuss the reasons for the halt, before emailing a letter requesting the halt to ASX.

If the request for a trading halt is made outside normal office hours and the entity does not have the opportunity to discuss the matter first with its home branch, the entity should email a letter requesting the halt to ASX but follow up that email by telephone at the earliest opportunity to confirm that the email has been received.

2.3  What needs to be included in the letter requesting a trading halt?

A letter requesting a trading halt must include the information required by Listing Rule 17.1:

• the entity’s reasons for the trading halt;
• how long it wants the trading halt to last;
• the event it expects to happen that will end the trading halt;
• that it is not aware of any reason why the trading halt should not be granted; and
• any other information necessary to inform the market about the trading halt, or that ASX asks for.

2.4  What is a voluntary suspension?

If an entity cannot come out of its trading halt within 2 business days (for example, because it cannot update the market), the entity will need to request a voluntary suspension.  If ASX agrees to a voluntary suspension in an entity’s securities under Listing Rule 17.2, those securities are placed into the “suspend state” on the ASX trading platform.  In that state, ASX market participants are not able to place or amend orders for, or trade in, the securities. They can, however, cancel existing orders. At some point after the suspension, ASX will purge all of the existing orders for the securities from the ASX trading platform.  

2.5  How to make a suspension request

The entity must make a written request for the suspension that includes the information required under Listing Rule 17.2, including the reasons for the suspension (or continued suspension) and a proposed timetable for trading in its securities to resume, for release to the market. 

The stated reasons for the suspension must include the entity’s current financial situation, details of the issue that the entity says is critical to its continued financial viability, and an affirmation that, in the entity’s opinion, continued trading of its securities is likely to be materially prejudicial to its ability to deal with that issue.

Listing Rule 17.2 provides that ASX may require a request for a voluntary suspension to be in writing. Again, in practice, ASX will consider a verbal request from an entity for a voluntary suspension but will require the request to be confirmed in writing as soon as practicable.  The entity’s written request for a suspension will be released on the ASX Market Announcements Platform.  It should take the form of a letter to ASX on the entity’s letterhead that includes the information required by Listing Rule 17.2.

Listing Rule 17.2 requires the written request for a voluntary suspension to include:

• the entity’s reasons for the suspension;
• how long it expects the suspension to last;
• the event it expects to happen that will end the suspension;
• that it is not aware of any reason why its securities should not be suspended; and
• any other information necessary to inform the market about the suspension, or that ASX asks for.

ASX may end a voluntary suspension at any time.  It will usually do so once the entity makes the announcement about the event it said would result in the lifting of the suspension, without the need for the entity to take any further action on its part.  If for any reason an entity is not in a position to make the announcement about the event it said would result in the lifting of the suspension within the time that it originally anticipated, the entity is expected to make an announcement to inform the market of the reasons for the delay, and the new date by which it expects the suspension to be able to be lifted.

Authors: Rob Hanley, Partner; Miriam Kleiner, Partner; Maxine Viertmann, Lawyer; and Ingrid Tam, Graduate.