After a landmark case against now-collapsed software start-up GetSwift culminated in a record $15 million fine, Australia's national corporate regulator, ASIC, has signalled higher penalties for breaches of market disclosure rules.
The former ASX-listed GetSwift was handed its $15 million penalty (dubbed "the largest ever penalty against a company for breaching continuous disclosure laws") over decidedly misleading statements it made in its ASX announcements, and a range of breaches of its continuous disclosure obligations during 2017.
In an unsparing 70-page judgement, the court outlined a series of ASX announcements in which GetSwift shared news of agreements with major clients such as Amazon, the Commonwealth Bank of Australia and Yum Brands. Those clients, however, were only trialling or contemplating a trial of the GetSwift platform, and none of the arrangements was generating revenue when announced.
The long-running case further concluded with two of GetSwift's former directors receiving two of the "highest penalties" ordered against directors for corporate misconduct: a $2 million penalty with disqualification from managing corporations for 15 years for former director, CEO and executive chairman Bane Hunter; and a $1 million penalty with disqualification for 12 years for former director and AFL footballer Joel Macdonald.
Now, statements from ASIC deputy chairman Sarah Court suggest those similarly in breach of market disclosure laws may also face higher fines in future cases.
“ASIC submitted what we thought was a very high penalty against the two directors most implicated of $1 million each and 12-year disqualifications,” Court said.
“We couldn’t find any similar case that went that far but Justice Lee said ‘no, that wasn’t enough’ and doubled the penalty to $2 million and increased the disqualification to 15 years.
"That is really the court telling us ... that it will be prepared to impose both very high penalties against individuals, together with very high or lengthy disqualification orders, so absolutely that is something we will be considering in cases going forward.”
Fines for cyber negligence
ASIC has already announced a range of enforcement priorities for 2023, stating it will "have a strong focus on enforcement activity" targeting a range of areas, including "cyber and operational resilience".
This statement comes amid two alarming trends on Australia's main stock exchange, the ASX, namely: a decline in market value once investors learn a company has experienced a cyber attack; and a seemingly low rate of self-reporting by ASX-listed companies following a cyber attack.
According to the Australian Cyber Security Centre's annual threat report, financial year 2020-2021 saw over 76,000 cybercrime reports made to the agency.
During this same period, however, Australia's mandatory data breach notification scheme – which dictates reporting requirements for organisations in the event of a data breach – received only 853 notifications.
Furthermore, recent findings by University of Wollongong Professor Alex Frino suggest only 11 of the 36 cyber attacks against ASX-listed companies in the past decade were reported to sharemarket investors before being reported by media.
The two figures are not a like-for-like comparison (the ACSC count includes reports from individuals and organisations of every size, while the notification scheme covers only eligible data breaches by entities bound by the Privacy Act), but the gap still points to a reluctance to report cyber attacks to the market, since news of an attack often drags down an ASX-listed company's market value.
"No one hopes to deliver bad news, they all hope it will go away,” said Frino.
“Companies tend to hope it might not be as bad as they think but then the grim reality drips out and it hits the share price."
Such was the case for Medibank in the weeks following its landmark 2022 security incident.
After the company conceded all Medibank customers were impacted by its data breach, shares plummeted 18.1 per cent in a single afternoon, and its market value sank $1.6 billion.
While Medibank was quick to report the incident, Court suggests lacklustre disclosure of cyber attacks or data breaches could potentially land ASX-listed companies on the wrong side of disclosure requirements.
"From our perspective in relation to the continuous disclosure, a cyber attack or breach could well be a material event which needs to be disclosed," said Court.
Last year, the Federal Court found financial services company RI Advice had breached its licence obligations through poor cyber security practices, contravening the laws that require financial services licensees to have "adequate risk management systems", and ordered it to pay $750,000 towards ASIC's costs.
"We take our role to protect consumers and investors seriously and won’t hesitate to take action to protect consumers where we identify poor conduct," said ASIC.
The regulator shows no signs of slowing down in coming months. Reporting on the 2022 calendar year, ASIC said a total of 312 criminal charges were laid and $222.1 million in civil penalties were imposed by the courts.