
ASIC to get tough on cyber attack disclosure


In the wake of the largest fine for failing to follow market disclosure rules, the Australian Securities and Investments Commission (ASIC) has come out swinging, promising that higher fines are to come — especially for those failing to report cyber attacks.

Disgraced software company GetSwift was ordered on Friday (17 February) to pay a $15 million fine, while its directors were also hit with hefty million-dollar fines and disqualified from managing corporations for up to 15 years. The GetSwift case has been before the courts since 2018 after the company made misleading claims regarding forecasts and business partners.

Presiding over the matter, Justice Michael Lee was scathing of GetSwift’s marketing practices.

According to Justice Lee, GetSwift’s chief executive, Bane Hunter, “had a laser-like focus on making money for himself and Mr Macdonald and if that involved breaking the law regulating financial markets, or exposing GetSwift to third-party liability, that was of little concern to him”.

And while GetSwift’s troubles do not stem from a cyber attack, ASIC deputy chair Sarah Court has cyber very much in mind after the landmark ruling. Speaking to The Australian Financial Review regarding the alarming statistic that just 11 out of 36 cyber attacks were reported to investors of ASX-listed companies, Court did not mince words.

“We are well aware of these kind of issues, and cyber is an enforcement priority that we are continuing to elevate and focus on,” Ms Court told the AFR.

“The ASX is already onto this. There is an issue with timing. We accept it can be difficult in the early hours and days of an attack to really understand the extent and impact of the attack.

“But from our perspective in relation to the continuous disclosure, a cyber attack or breach could well be a material event which needs to be disclosed.”

Speaking to the size of the fine handed down to GetSwift, Court was similarly bullish.

“That is really the court telling us ... that it will be prepared to impose both very high penalties against individuals, together with very high or lengthy disqualification orders, so absolutely that is something we will be considering in cases going forward,” she said.

Sean Duca, vice-president and regional chief security officer – Asia-Pacific and Japan at Palo Alto Networks, welcomes a more aggressive approach from Australia’s corporate regulator.

“Organisations have a duty of care to their customers, employees, and other stakeholders to protect their personal information,” Mr Duca said. “Companies have an ethical and legal responsibility to protect this data to the best of their abilities. Swift disclosure is key to mitigating the effects of a data breach on the individuals whose data is compromised.”

“In our experience, most data breaches will eventually become public. Companies risk eroding hard-earned trust and goodwill if they don’t proactively disclose breaches in a timely fashion.”