Two Crises, One Clock.
A material cyber incident is a disclosure event — and the hardest call your board will make under pressure.

Could your board assess the materiality of a cyber incident in hours, not days? That call is easier when you already know your own attack surface. A passive external assessment is where that knowledge begins.

Assess Your Exposure →

A cyber incident hits a listed company as two crises, not one. There is the breach — and there is the duty to tell the market about it, immediately, the moment it becomes material. Get the second one wrong and the bill lands twice: on the company, and on the directors personally. GetSwift’s board learned the shape of it — $15 million from the company and more than $3 million from its directors personally, one of them banned from running a company for fifteen years, for disclosure failures alone. Boards drill for the breach. Far fewer are ready for the disclosure clock that starts running beside it.

Now
The trigger. A material cyber incident is price-sensitive — Listing Rule 3.1 gives you no grace period to disclose
Source: ASX Listing Rules; Corporations Act s674
$3M
The directors pay. GetSwift’s directors, fined personally for disclosure failures — one banned for 15 years, with $15M more from the company
Source: ASIC v GetSwift (Penalty) [2023] FCA 100
#1
The exposure. Shareholder claims are the most common class action in the Federal Court — Medibank’s is pleaded on exactly this
Source: ALRC; Medibank proceedings

What the regime requires

Listing Rule 3.1, given statutory force by section 674 of the Corporations Act, is blunt: once a listed entity is aware of information a reasonable person would expect to move its share price, it must tell the market immediately. The test is objective — it does not care how bad management thinks the incident is — and it catches bad news exactly as it catches good.

The one release valve is narrow. Listing Rule 3.1A withholds disclosure only where a specified exception applies, the information stays confidential, and a reasonable person would not expect it out — all three at once. The moment any one fails, the obligation snaps back to immediate.

The 2021 fault element is thinner cover than it looks

Since 2021, civil liability for a disclosure breach requires proof that the entity acted with knowledge, recklessness or negligence as to materiality. Boards should not exhale. Negligence is a low bar, and it is exactly the bar class-action funders are practised at clearing in hindsight. ASIC keeps its infringement-notice power with no fault to prove at all, and the criminal offence is untouched. One avenue narrowed; the road stayed open.

The judgment that gets made under pressure A cyber incident forces the hardest version of the disclosure question. What do we know? Is it material? Are we “aware” within the meaning of the rule? An entity that already understands its own attack surface — what was exposed, what data sits behind it, what a compromise would plausibly reach — can assess materiality faster and defend the decision it makes. An entity discovering its own environment mid-incident is making a market-sensitive call blind, on a clock, with a class action pricing the outcome in arrears.

Where directors are personally exposed

Continuous disclosure is one of the few areas where directors and officers face civil liability distinct from the misleading-conduct provisions — a feature of Australian law not shared by most comparable markets. A person “involved in” a contravention of section 674A can be personally liable to a civil penalty, and shareholder class actions routinely name the individuals who made or influenced the call. The practical defence is contemporaneous: a documented record of what the board knew, when it knew it, and why it reached the disclosure decision it did.

That record is far stronger when the board already holds an independent, external view of the organisation’s cyber exposure. A BlackFlag Advisory assessment establishes — passively, before any incident — what the entity exposes to the open internet, rated as risk and set out in board-ready terms. It does not make the disclosure decision for you. It gives the people who must make it, under time pressure and later scrutiny, an evidenced starting point rather than a blank page.

Sources & references

Is Your Disclosure Judgment
Evidenced, or Improvised?

A BlackFlag Advisory assessment gives your Board an independent, external view of what your entity exposes — so a materiality call under Listing Rule 3.1 starts from evidence, before an incident forces the decision.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.