Corporate Finance Update - Issue 16

Issue 16, March 2024

Cyber vulnerabilities exposed by simulated attacks

Companies and licensees should ensure they have adequate access controls in place after recent simulated attacks exposed critical vulnerabilities – in particular, inadequate password management. 

Together with the Council of Financial Regulators (CFR), we’ve been conducting cyber and operational resilience intelligence-led exercises (CORIE) with large organisations across the financial services and markets sectors.

CORIE is a framework used to simulate realistic and coordinated cyber attacks on an organisation, based on current threats. Recent attack simulations have highlighted a concerning trend of inadequate password management, including:

  • insecure storage of passwords in clear text or other easily decoded formats
  • data located on file shares and wikis easily accessible to all users
  • saving credentials within third-party applications. 

Many participants had improper access controls for network file shares, allowing employees across the organisation to access confidential information. These vulnerabilities enabled the attack teams to move between systems in the internal network, compromising critical business services.

Accounts with privileges that were not required, as well as weak and recycled passwords across multiple accounts, allowed attack teams to gain further access within the network. In some cases, attack teams could use these accounts to escalate their level of access to domain administrator – allowing attack teams to effectively control authentication and authorisation for confidential information and critical business services.

Properly implemented access controls and multifactor authentication can prevent unauthorised access to sensitive data or resources – restricting administrative privileges is one of the most effective mitigation strategies to ensure the security of systems.

Act now to find out if you are using a known compromised password and take steps to strengthen your passwords. Visit the Australian Signals Directorate’s Australian Cyber Security Centre for guidance on securing accounts and multifactor authentication.

Vigilance required to combat ransomware threats

Ransomware continues to be a significant threat to all organisations because of its profitable nature for various criminal organisations and state actors. We remind entities that the Australian Government has published numerous resources to help organisations deal with this continually evolving threat.

Ransomware involves the use of malicious software to encrypt, exfiltrate or deny an organisation access to data and systems – with threat actors demanding payment of a ransom to return access or not publish stolen data.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) publishes advisories that empower organisations to act on up-to-date intelligence to harden their systems. In December 2023, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the ASD’s ACSC published a joint advisory calling on organisations to help mitigate cyber threats from Play ransomware as part of its #stopransomware campaign. The advisory provides technical details and mitigations that can be employed to shore up an organisation’s defences. 

Numerous other advisories have been published notifying organisations of other critical vulnerabilities. We encourage all organisations to become an ASD partner or sign up for alerts to receive actionable intelligence to enhance their cyber resilience. This is an easy step that all organisations – including those with obligations under the market integrity rules – can take to stay on top of known risks and respond appropriately.

Further infringement notices issued for alleged greenwashing

We’ve issued infringement notices for alleged greenwashing misconduct to Morningstar, Northern Trust Asset Management Australia Pty Ltd (Northern Trust) and Melbourne Securities Corporation Limited (MSC). Each of these infringement notices was paid, totalling $72,960.

Issues raised with each of the entities are summarised below.

Morningstar

ASIC was concerned that investors in Morningstar’s International Shares (Unhedged) Fund (the Fund) may have been exposed to controversial weapons investments, despite Morningstar’s Environmental Social and Corporate Governance policy representing publicly that such investments would be excluded.

ASIC’s infringement notice alleged the Fund was directly exposed for short periods of time to weapons companies such as Honeywell International Inc, General Dynamics Corp and Leidos Holdings Inc.

Northern Trust

The investment manager for the NT World Green Transition Index Fund (Index Fund), Northern Trust, represented publicly in its product disclosure statement (PDS) that the Index Fund excluded companies that ‘derive 5% or more of their total annual revenues (either reported or estimated) from thermal coal-based power generation’ and have a score of 3 or 4 in the low carbon transition management score quartile.

We allege that this statement was potentially misleading because there was an error in how the third-party index provider applied the investment screen. This resulted in investor funds being exposed to DTE Energy, NiSource and Power Assets Holding, even though these companies had failed the low carbon transition management score quartile.

MSC

ASIC was concerned that the trustee and responsible entity of the Bloom Climate Impact Fund (Bloom Fund), MSC, represented publicly in its PDS that the Bloom Fund would seek to avoid investments in a range of excluded activities, including fossil fuels.

We allege that the statement was misleading on the basis that MSC applied a negative screening process which allowed companies to derive up to 33% of revenue from excluded activities such as fossil fuels. The infringement notice alleged that, as a result, the Bloom Fund acquired and held a direct investment in General Electric Co, which derived 16% of its revenue from fossil fuels in the 2022 financial year.

We’ve issued a total of 17 infringement notices for alleged greenwashing misconduct to date.

Update on proposed climate-related disclosure reforms

The Australian Government recently consulted on exposure draft legislation that seeks to introduce mandatory climate-related financial disclosure requirements for large businesses and financial institutions through proposed amendments to the Australian Securities and Investments Commission Act 2001 and Corporations Act 2001. The consultation period closed on 9 February 2024.

The Australian Government also released an accompanying draft explanatory memorandum and policy position statement that set out the Government’s current position on the proposed climate-related reforms, including on the proposed scope, content and assurance requirements for disclosures.

The Australian Accounting Standards Board (AASB) also concluded its consultation on its draft Australian climate-related disclosure standards on 1 March 2024. Until the proposed climate-related reforms are passed and the AASB finalises the Australian standards, we continue to encourage entities with material climate-related risks to report voluntarily in line with the recommendations of the Taskforce on Climate-related Financial Disclosures. It may also be useful for entities to begin engaging with the International Sustainability Standards Board standards through the report preparation process to test and/or assess capabilities, data availability and requirements against the new standard. This will help inform entities of future requirements.

Supplementary expert reports and changes in consideration

We remind independent experts and commissioning parties that failure to provide a supplementary independent expert report (IER) in the case of a material change in circumstances may constitute misleading or deceptive conduct.

We recently reviewed an off-market takeover bid where the IER concluded that the transaction was ‘not fair’ because the consideration was less than the assessed value of the target’s shares. The bidder subsequently increased the cash consideration offered to target shareholders by 23.5%.

The target considered that the substantial increase in the offer consideration did not constitute a material change in circumstances and instructed the expert that a supplementary IER was not necessary.

We reminded the target that failure to provide a supplementary report to target shareholders may constitute misleading or deceptive conduct and could possibly result in an application being made to the Takeovers Panel (see Regulatory Guide 111 Content of expert reports, paragraphs 119 to 121).

The target subsequently engaged the independent expert to prepare a supplementary IER.

Removal of non-JORC estimate from life of mine production target

We remind listed companies and their advisers that forward-looking statements must be based on reasonable grounds or they may be deemed by law to be misleading. We recently intervened in a mining company initial public offering (IPO) to require non-JORC estimates from mineralisation to be removed from a life of mine (LOM) production target.

We were concerned that the independent technical specialist report (ITSR) in the prospectus prepared in connection with the IPO referred to an LOM plan of 15 years which was based on non-classified and projected depth extension material. As neither of these is defined in the JORC Code, the LOM projection did not comply with the ASX Listing Rules.

In response, the independent technical specialist amended the ITSR so that the LOM plan was only based on mineralisation that is defined in the JORC Code. This reduced the LOM to six years.

As LOMs comprise, or are based on, statements about future matters, they must be based on reasonable grounds. The uncertainty associated with early estimates of mineralisation that do not otherwise fall within the definitions of the JORC Code means that it is unlikely there will be reasonable grounds for including these early estimates in an LOM plan.

Listed companies and their advisers should ensure that mining company disclosures, including ITSRs, comply with relevant industry codes such as the JORC Code, market operator listing rules, and ASIC publications such as Information Sheet 214 Mining and resources: Forward-looking statements.

Giving notice for small shareholder sale facilities

We’ve recently observed small holding sale facility notices that do not provide full and timely notice to shareholders that they may ‘opt out’ of a sale facility. We may intervene where we consider sale facility notices do not clearly disclose the actions available to shareholders.

Small shareholdings may involve high costs for companies in maintaining registers and dispatch of required materials to members. These parcels can also incur significant brokerage costs if members seek to sell the parcel themselves.

Sale facilities or minimum holding buybacks can be a convenient and cost-effective way for shareholders, especially those with small holdings under $500, to sell their shares or interests at or near their current market value without incurring any brokerage costs while also benefiting the companies by reducing administrative and registry costs.

These sale facilities or buybacks most often operate on an ‘opt out’ basis and require affected shareholders to be given timely and proper notice of the upcoming sale and the actions available to them.

For more information about notice requirements and ASIC’s policy on sale facilities please see ASIC Corporations (Share and Interest Sale Facilities) Instrument 2018/99 and Regulatory Guide 161 Share and interest sale facilities as well as ASX Listing Rule 15.13.

ASIC’s guidance on pre-hedging

We’ve sent a letter (PDF 266 KB) to market intermediary CEOs setting out our guidance on pre-hedging practices in Australia.

Pre-hedging may assist with the management of market intermediaries’ risk associated with anticipated client orders. It is a strategy that is used by parties to manage exposure in large, more complicated transactions.

However, it can also create significant conflicts of interest between a client and the entity making the hedge, which actively trades while in possession of confidential information about the client’s anticipated order or trade, and it may impact market transparency.

Market intermediaries need to manage confidential client information very carefully and have robust, closely monitored and frequently tested arrangements for ensuring conflicts of interest are appropriately managed and in compliance with the Corporations Act.

If pre-hedging is not carried out in an appropriate manner it can be unfair, unconscionable and result in poor client outcomes. Further, this may adversely impact investor confidence and undermine market integrity.

Updated guidance on relief for takeovers, compulsory acquisitions and relevant interests

We’ve updated our regulatory guidance following relief introduced in recent legislative instruments issued on takeovers, compulsory acquisitions and relevant interests.

Regulatory Guide 9 Takeover bids

Regulatory Guide 9 Takeover bids contains new guidance on ASIC Corporations (Takeover Bids) Instrument 2023/683 and ASIC Corporations (Replacement Bidder’s and Target’s Statements) Instrument 2023/688, in relation to:

  • the operation of section 617(2) of the Corporations Act 2001 (Corporations Act) over derivatives
  • accelerated payment of bid consideration
  • replacement bidder’s and target’s statements.

Regulatory Guide 10 Compulsory acquisitions and buyouts

Regulatory Guide 10 Compulsory acquisitions and buyouts also contains new guidance on ASIC Corporations (Compulsory Acquisitions and Buyouts) Instrument 2023/684, explaining that securities acquired on-market by the bidder in reliance on the exemption provided in item 2 of section 611 are included for the purposes of the 75% acquisition test in section 661A(1)(b)(ii) of the Corporations Act.

Regulatory Guide 5 Relevant interests and substantial holding notices

We note that on 21 September 2023, Schedule 5 of the Treasury Laws Amendment (2023 Law Improvement Package No. 1) Act 2023 (Treasury Laws Amendment Act) commenced and moved into the Corporations Act relief previously contained in ASIC Class Order [CO 13/520] Relevant interests, voting power and exceptions to the general prohibition. Regulatory Guide 5 Relevant interests and substantial holding notices has been updated to reflect the Treasury Laws Amendment Act.

Related party notices and FY23 AGM season

During the annual general meeting (AGM) season for the year ended 30 June 2023, we received 181 related party notices of meeting (NOM) lodged under Chapter 2E of the Corporations Act 2001 (Corporations Act). Many transactions involved remuneration to directors in the form of performance rights/options and incentive shares.

We observed that 81% of the NOMs involved a corresponding request for an abridgement of the 14-day period in section 218. Of these, 85% sought abridgement of seven days or less.

We remind companies that:

  • related party meeting materials must provide sufficient information to members to enable them to decide if the financial benefit to the related party is in the best interests of the company, and satisfy the requirements in Chapter 2E of the Corporations Act and Regulatory Guide 76 Related party transactions (RG 76)
  • meeting materials and abridgement applications must be lodged in final form via the ASIC Regulatory Portal (not in hard copy or via email) at the earliest possible opportunity
  • we cannot guarantee that abridgement applications will be approved where related party meeting materials are lodged with ASIC with less than seven days’ notice, as some meeting materials may require more time for ASIC to complete its review. Applicants should consider the nature and complexity of the proposed transaction before applying for an abridgement
  • where there are amendments, the proposed notice of meeting materials and any associated application for abridgement will need to be relodged with new fees payable, as the notice convening the meeting must be the same in all material respects as the notice lodged under section 218 of the Corporations Act. This applies even if the changes do not relate to the related party resolutions. See section 221 of the Corporations Act and paragraphs 120 and 127 of RG 76 for further details.

Subscribe for updates

For the latest regulatory developments and issues affecting corporate finance activity subscribe to our Corporate Finance Update.

Last updated: 27/03/2024 12:00