Home Insights To disclose or not to disclose? A step towards clarity on continuous disclosure
Share

To disclose or not to disclose? A step towards clarity on continuous disclosure

Navigating continuous disclosure rules is both an art and science. The decision as to when to inform the ASX about information that ‘a reasonable person would expect to have a material effect on the price or value of its securities’ is never simple, and the myriad case-specific facts only serve to highlight the complexity of advising in this area.

To add to this, the range of issues that may have material financial impacts, such as cyber incidents and ESG-related disclosures, is ever-widening.

A number of recent cases, including the Zonia Holdings case,[1] have helped to shed some light on the nature of continuous disclosure obligations and, in particular, dealing with unknowns, confidentiality and materiality. Outside the specifics of the case, the judgment provides useful guidance for a wide range of issues including the difficult issue of cyber incident disclosure and when information should be disclosed to the ASX.

The decision as to how and when to disclose investigations and threatened claims, whether they are initiated by a regulator or another party, is never simple and there are often good commercial and legal reasons why a listed entity might not disclose these matters. Sometimes the decision as to whether to disclose is impacted by the nature of the information or the status of the matter and the desire to avoid disclosing material that would ‘paint an entirely inaccurate and incomplete picture of the state of affairs’,[2] and make the disclosure of the material misleading.

In Zonia Holdings, the Court had some sympathy with that perspective and affirmed that the basic principle behind the continuous disclosure provisions was that investors must be put in a position that allows them the opportunity to assess the value of disclosed information for the purpose of making an investment decision. Here, the Court was persuaded that some of the material alleged to have been required to have been disclosed was incomplete in important respects and omitted important contextual matters. The Court found that if the Bank had disclosed the information alleged to be required to be disclosed, it would, without more information, have created a misleading picture.

Disclosure of regulatory investigations

The Zonia Holdings judgment also provides a number of useful insights for answering the question of when a listed entity needs to disclose a regulatory investigation. First, the Court held that the requirement for ‘awareness’ is not to be assessed by what information could have been discovered as the result of an internal investigation, nor does it extend to information that was discovered with the benefit of hindsight. Rather, the appropriate starting point is whether a relevant person should have ‘formed an opinion or drawn an inference’ from the facts provided.

Second, the Court’s determination of ‘materiality’ demonstrates that whether a regulatory investigation ought to be disclosed is highly fact dependent and largely informed by context. The Court recognised that a failure to uphold legislative obligations, such as those under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), is a serious issue. However, an issue that warrants regulatory investigation does not necessarily result in a ‘financially significant’ outcome that would materially affect an entity’s share price or value. Consequently, non-compliance or the commencement of a regulatory investigation alone may not at the time meet the threshold of material regulatory information that must be disclosed.

Given the highly contextual nature of this determination, some matters that informed the Court’s decision included that:

  • although some contraventions involved a large number of transactions, the underlying cause was a single coding error (as opposed to a systematic issue), the issue was rectified and the transactions only represented a small percentage of the total transactions in the Bank’s overall monitoring process;

  • while investors can expect entities to implement measures to mitigate risks, investors would generally understand that financial institutions have operational risks;

  • some of the non-compliance was historical and not an ongoing problem; and

  • there was a lack of certainty as to whether AUSTRAC was likely to commence enforcement proceedings and impose a civil penalty, particularly when AUSTRAC’s preferred approach at that the time was cooperative engagement.

Interestingly, the Court found that the issue of disclosure turns on whether the information is going to have a ‘material effect’ on the price or value of an entity’s securities. That is, whether the information is likely to influence persons who commonly invest in shares. Materiality is a vital ‘filter’ for disclosure because it ensures that listed entities don’t over-disclose.

In Grant-Taylor v Babcock & Brown Limited (in Liquidation) [2015] FCA 149 1, the Full Court suggested it should first determine what disclosure ought to have been made. That may involve more than a simple correction but also contextual information that explains the economic effect of that information.

Materiality of information is determined at the time the alleged disclosure should have occurred. There seems to be a growing body of opinion that, in determining if the information would have had a ‘material effect’ on the price or value of an entity’s securities, it is not determinative (but may be relevant) that when the information was released the price of the entities’ securities did move in a material way.

Third, one important qualification to the continuous disclosure obligation is where the material is, and remains, ‘confidential’. The Court explored the question of confidentiality and found that information that is not generally available is not necessarily confidential information. Many aspects of a listed entity’s day-to-day business are not generally available, but that does not mean that those aspects, or information that is generated for internal management purposes, is necessarily confidential.

Disclosure of cyber incidents

Earlier this year the ASX updated ASX Listing Rules Guidance Note 8 to include a new example to demonstrate when ASX thinks information in relation to a cyber incident should be disclosed. The example supports the position adopted in Zonia Holdings whereby disclosure is not usually required where the entity cannot yet ascertain the materiality of the issue to the price or value of its securities due to limited information. Interestingly, the example suggests that incomplete information about an ongoing cyber incident is unlikely (by itself) to justify delaying disclosure of known information. However, it affirms the position in Zonia Holdings that disclosure needs to be reviewed in context and through the lens of whether the disclosure will create a misleading picture.

This element of the reasoning suggests there is real value in preparing a ‘dummy’ announcement and reviewing it critically to ensure that it doesn’t create a misleading picture of the circumstances. It would be beneficial for the disclosure team to put themselves in the shoes of an investor who is likely to ask, ‘Why am I being told this? What is the significance of what I’m being told, and what are the consequences for the issuer?’

Where the issue being considered involves a possible regulatory breach, Zonia Holdings makes it clear that the regulator’s then known attitude to the issue is significant information for an investor’s decision-making. Context is important because the reasonable investor is not concerned with ‘mere theoretical possibilities’. The reasonable investor wants meaningful information on the significance and consequences of what they are being told in order to make an informed and rational decision on whether to acquire or dispose of securities. The absence of such material from an announcement can ‘paint a misleading picture’.[3] When considering the regulator’s known attitude to the issue, it is important to keep in mind that the Office of the Australian Information Commissioner (OAIC) is becoming increasingly vigilant with respect to cyber incidents, as highlighted by recent enforcement activity and OAIC’s prioritisation of data breaches.

In the context of cyber incident disclosure, it is interesting that the example in ASX Listing Rules Guidance Note 8 suggests that confidentiality is maintained when dealing with a relevant regulator on a confidential basis. However, given the ability for data and privacy regulators such as the OAIC to impose civil penalty provisions, it may not be possible to maintain confidentiality once affected individuals are notified. The Court’s consideration of confidentiality in relation to regulatory investigations in Zonia Holdings is instructive for listed entities determining when they should disclose potential cyber-related regulatory investigations. The Court indicated that the Bank’s potential exposure to regulatory enforcement action was confidential information given it was ‘insufficiently definite to warrant disclosure’.

Key takeaways

In Zonia Holdings, the Court found it relevant that, when assessing if a particular matter if disclosed would be likely to have a material effect the price or value of securities, market participants understand that regulatory issues (including matters of non-compliance) arise in respect of large organisations and that regulators conduct investigations in relation to those issues on a regular basis. In most cases there would not be an expectation in the market that these engagements would, as a matter of course, be disclosed by ASX announcements. Instead, what is required is greater certainty regarding a financially significant outcome that will be a consequence of the investigation.

Similarly, when confronted with a cyber incident, an entity’s ASX disclosure obligation needs to be assessed by reference to the entity’s actual knowledge at the time. This can be assessed by preparing a draft announcement based on the facts as far as they are known.

Those ‘facts’ might include:

  • a description of the incident;

  • the material facts;

  • any material impact on operations or financial position;

  • the action the entity is taking in response to the breach;

  • whether the incident is continuing; and

  • when the entity expects to be in a position to update the market.

The draft should then be carefully reviewed, having consideration to the following questions:

  • How helpful is it to an investor and is it material?

  • Is the information confidential and is it likely to remain so?

  • Does the announcement create a misleading picture?

  • Can the picture be enhanced to help investors be put in a position that allows them the opportunity to assess the value of disclosed information for the purpose of making an investment decision?

It is also important to keep in mind that the 2021 amendments to the continuous disclosure laws introduced state of mind into the test. For a listed entity to be liable to compensate security holders, it needs to be shown that the issuer knew or was reckless or negligent about whether the information would, if generally known, have a material effect on the price or value of its securities. The key question is then which individual(s) must have the requisite state of mind for the entity’s state of mind to be established. Recognising that this question is not easily answered, the Federal Government has recently agreed to amend the Corporations Act to expressly provide how state of mind can be attributed to the entity within the continuous disclosure regime.

***

While the Zonia Holdings class action did not directly bear on climate-related disclosure or ESG, the case could be interesting for listed entities as they begin to consider how a regulatory investigation touching on these issues may impact on their continuous disclosure obligations. The question of when an organisation became aware of relevant information and what inferences it drew, or should have drawn, from the information will likely be relevant for these two issues as well as cyber incidents.


[1] Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477.

[2] Zonia Holdings, [577].

[3] Zonia Holdings, [606].


Authors

GILL Abigail SMALL
Abigail Gill

Head of Investigations and Inquiries

NORTH-james-highres_SMALL
James North

Head of Technology, Media and Telecommunications


Tags

Board Advisory Class Actions Corporate/M&A Litigation and Dispute Resolution Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.