Disgraced software company GetSwift was ordered on Friday (17 February) to pay a $15 million fine, while its directors were also hit with hefty multi-million dollar fines and disqualified from running corporations for up to 15 years. The GetSwift case has been before the courts since 2018 after the company made misleading claims about predictions and business partners.

Presiding over the matter, Judge Michael Lee was scathing of GetSwift’s marketing practices.

According to Justice Lee, GetSwift’s chief executive, Bain Hunter, “had a laser focus on making money for himself and Mr McDonald and if that involved breaking the law governing financial markets or exposing GetSwift to liability to a third party , that was a little care for him”.

And while GetSwift's problems did not stem from a cyber attack, ASIC Deputy Chair Sarah Court has a lot on cyber's mind following the landmark decision. Speaking of The Australian Financial Review regarding the alarming statistic that only 11 out of 36 cyber-attacks were reported to investors of ASX-listed companies, the Court did not mince its words.

"We are very familiar with these types of issues and cyber is a law enforcement priority that we continue to elevate and focus on," Ms Court told AFR.

“The ASX is already in it. There is a problem with the weather. We recognize that it may be difficult in the early hours and days of an attack to truly understand the extent and impact of an attack.

"But from our point of view in relation to continuous disclosure, a cyberattack or breach can be a material event that needs to be disclosed."

Talking about the amount of the fine imposed on GetSwift, the Court was also optimistic.

"This is really what the court is saying to us ... that it will be prepared to impose both very high sentences against individuals and very high or long-term disqualification orders, so absolutely that is something we will consider in future cases she said.

Sean Duca, vice president and regional chief security officer - Asia Pacific and Japan at Palo Alto Networks, welcomed the more aggressive approach from Australia's corporate regulator.

"Organisations have a duty of care to their customers, employees and other stakeholders to protect their personal information," Mr Duca said. “Companies have an ethical and legal responsibility to protect this data to the best of their ability. Rapid disclosure is key to mitigating the effects of a data breach on those whose data has been compromised.”

“In our experience, most data breaches will eventually become public. Companies risk eroding hard-earned trust and goodwill if they do not proactively disclose breaches in a timely manner.”