A cyber incident hits a listed company as two crises, not one. There is the breach — and there is the duty to tell the market about it, immediately, the moment it becomes material. Get the second one wrong and the bill lands twice: on the company, and on the directors personally. GetSwift’s board learned the shape of it — $15 million from the company and more than $3 million from its directors personally, one of them banned from running a company for fifteen years, for disclosure failures alone. Boards drill for the breach. Far fewer are ready for the disclosure clock that starts running beside it.
What the regime requires
Listing Rule 3.1, given statutory force by section 674 of the Corporations Act, is blunt: once a listed entity is aware of information a reasonable person would expect to move its share price, it must tell the market immediately. The test is objective — it does not care how bad management thinks the incident is — and it catches bad news exactly as it catches good.
The one release valve is narrow. Listing Rule 3.1A withholds disclosure only where a specified exception applies, the information stays confidential, and a reasonable person would not expect it out — all three at once. The moment any one fails, the obligation snaps back to immediate.
The 2021 fault element is thinner cover than it looks
Since 2021, civil liability for a disclosure breach requires proof that the entity acted with knowledge, recklessness or negligence as to materiality. Boards should not exhale. Negligence is a low bar, and it is exactly the bar class-action funders are practised at clearing in hindsight. ASIC keeps its infringement-notice power with no fault to prove at all, and the criminal offence is untouched. One avenue narrowed; the road stayed open.
Where directors are personally exposed
Continuous disclosure is one of the few areas where directors and officers face civil liability distinct from the misleading-conduct provisions — a feature of Australian law not shared by most comparable markets. A person “involved in” a contravention of section 674A can be personally liable to a civil penalty, and shareholder class actions routinely name the individuals who made or influenced the call. The practical defence is contemporaneous: a documented record of what the board knew, when it knew it, and why it reached the disclosure decision it did.
That record is far stronger when the board already holds an independent, external view of the organisation’s cyber exposure. A BlackFlag Advisory assessment establishes — passively, before any incident — what the entity exposes to the open internet, rated as risk and set out in board-ready terms. It does not make the disclosure decision for you. It gives the people who must make it, under time pressure and later scrutiny, an evidenced starting point rather than a blank page.
Sources & references
- ASX Listing Rules — Chapter 3 (Continuous Disclosure) and Guidance Note 8
- Corporations Act 2001 (Cth) — ss 674, 674A, 675A (Federal Register of Legislation)
- Treasury Laws Amendment (2021 Measures No. 1) Act 2021 (Cth)
- ASIC v GetSwift Ltd (Penalty Hearing) [2023] FCA 100 — $15M company; directors fined and disqualified (ASIC 23-029MR)
- ASIC — Continuous disclosure guidance and infringement notices