This is an HTML version of an attachment to the Freedom of Information request 'Cyber Security Incidents/Cybercrimes/Data Breaches incurred Businesses'.

Australian Securities 
and Investments Commission 

Office address (inc courier deliveries): 
Level 7, 120 Collins Street, 
Melbourne VIC 3000 
Mail address for Melbourne office: 
GPO Box 9827, 
Brisbane QLD 4001 
Tel: +61 1300 935 075 
Steven Roddis 
Fax: +61 1300 729 000  
By email: foi+request-6877- 
Our Reference: 
FOI 226-2020 
23 November 2020 
Dear Mr Roddis 
Freedom of Information Request No. 226-2020 
Notice to Identify Documents under Section 24AB of the Act 
I refer to your request dated 7 November 2020 under the Freedom of Information Act 
(FOI Act) in which you seek access to documents in the possession of the 
Australian Securities and Investments Commission (ASIC). I apologise for the delay in 
responding to you, however this was due to our searches conducted, which is 
explained in more detail below. 
You seek access to the following: 
“I'd like to request documents relating to: 
Cyber Security Incidents/Cybercrimes/Data Breaches incurred by companies 
and financial services reported to or discovered by ASIC during the period: 
1st Nov 2015-1st Nov 2020 

The terms "Cyber Security Incidents/Cybercrimes/Data Breaches" for this 
request as an act that would fall under 10.7 and 10.8 of the Criminal Code Act 
1995 and include: 

•  Computer intrusions 
•  Unauthorised modification of data, including destruction of data 
•  Unauthorised impairment of electronic communications, including 
denial of service attacks 
This request excludes documents relating to Cyber Security Incidents incurred 
by ASIC itself and focus on 3rd parties only.” 
(the Request)
Section 15(2)(b) of the FOI Act 
I advise that your request does not satisfy the requirement set out in section 15(2)(b) 
of the FOI Act which states that a request for access to a document must ‘provide 
such information concerning the document as is reasonably necessary to enable a 
responsible officer of an agency… to identify it’. As section 15(2)(b) has not been met 
ASIC may, in line with section 24(1)(b) of the Act, refuse to process your application. 

In its current form, it would be my intention to refuse access to the documents sought 
in the Request on this practical refusal ground. However, to assist you to make a valid 
request I make the following comments. 
Why your request is unclear 
In your request you seek ‘documents relating to… the terms "Cyber Security 
Incidents/Cybercrimes/Data Breaches"… that would fall under 10.7 and 10.8 of the 
Criminal Code Act 1995’. 
Your request stating that any ‘documents relating to’ the 
terms of your requests in any way is too broad and would capture any document 
related to the terms, regardless of how weak that link to the terms might be. This 
means it is unclear to me how extensive the scope of your request is because 
currently, even documents that simply mention the term ‘cybercrimes’ could 
potentially fall into the scope even though the term is incidentally mentioned as part 
of a broader discussion. This interpretation renders your request hopelessly broad by 
capturing all documents containing any incidental mentions of the matters relevant 
to your request. 
I find it difficult to identify the documents you are seeking given the broad and 
ambiguous nature of your request.   
In view of the issues identified above, I consider that your request, in its current form, 
does not adequately identify the documents sought and that a practical refusal 
reason exists within the meaning of section 24AA(1)(b) of the FOI Act. 
Section 24AA(1)(a) FOI Act 
I am also writing to tell you that I believe that the work involved in processing your 
request in its current form would substantially and unreasonably divert the resources 
of this agency from its other operations due to its size and broad scope. This is called 
a ‘practical refusal reason’ (section 24AA of the FOI Act). 
On this basis, I intend to refuse access to the documents you requested. However, 
before I make a final decision to do this, you have an opportunity to revise your 
This is called a ‘request consultation process’ as set out under section 24AB of the FOI 
Act. You have 14 days to respond to this notice in one of the ways set out below. 
I decided that a practical refusal reason exists because I have done preliminary 
searches and have considered the work involved in processing your request. 
ASIC has undertaken preliminary searches to ascertain the number of documents 
that potentially fall within the scope of your request and has identified over 500,000 
documents. These searches were conducted by ASIC’s Misconduct & Breach 
Reporting team (M&BR) who handle reports of misconduct and breaches from 
companies and financial services licensees using search parameters such as 
“cybercrime”, “cyber security” and “data breach” between the timeframe of 2015-
2020. These parameters were used in ASIC’s digital records.  
Your request also requires further ASIC teams to conduct additional searches in other 
databases not utilised by M&BR to ascertain further documents that may fall within 
the scope of your request. To conduct a search across such a large number of 
individuals would be excessively burdensome and, in my view, would unreasonably 
interfere with ASIC’s day-to-day activities. 

The Office of the Australian Information Commissioner recommends that agencies 
examine a representative sample of 10-15% of documents to assess the complexity of 
the material against whether the work involved in processing the request would 
constitute a substantial and unreasonable diversion of resources from the agency’s 
other operations. In this instance, the sample size would be approximately 52,000 
documents and assessing this sample size alone would constitute a substantial and 
unreasonable diversion of resources from the agency’s other operations. 
Furthermore, at this point in time, the difficulty in conducting searches that are 
responsive to the terms of your request further prevents us from quantifying the effort 
required to process your request in its current form. 
However, I can further advise that any request that captures information relating to 
the affairs of any third parties would require extensive consultation with these parties 
under sections 27 and 27A of the FOI Act and that this consultation is likely to 
substantially add to the burden of processing your request. 
Request consultation process 
The purpose of this letter is to provide you with an opportunity to revise your request so 
that the practical refusal reason no longer exists before a final decision is made. 
Should you wish to submit a revised request please take into consideration the issues 
raised in this notice to ensure that they are addressed. 
Revising your request can mean narrowing the scope of the request to make it more 
You may wish to identify more accurately the documents that you are looking for and 
reduce the time frame to search for. You may also wish to consider if it is ASIC 
documents that you are interested in, noting that some data breaches are required 
to be reported to the Office of the Australian Information Commissioner and cyber 
incidents to ReportCyber at the Australian Cyber Security Centre. 
You may also wish to refer to ASIC’s resources on cyber resilience which may help 
explain the type of documents ASIC may hold about this subject matter and will assist 
you to revise your request. 
Before the end of the consultation period, you must do one of the following, in writing: 
1.  withdraw your request; 
2.  make a revised request; or 
3.  tell us that you do not wish to revise your request. 
The consultation period runs for 14 days and starts on the day after you receive this 
During this period, you are welcome to seek my assistance. If you revise your request 
in a way that adequately addresses the practical refusal grounds outlined above, we 
will start processing it. Please note that the time taken to consult you regarding the 
scope of your request is not considered for the purposes of the 30-day time limit for 
processing your request. 
If you do not do one of the three things listed above during the consultation period or 
you do not consult me during this period, your request will be taken to have been 

If you have any questions or wish to discuss, please contact me at  
Yours sincerely, 
Krystal Fung 
(Authorised decision maker pursuant to subsection 23(1) of the FOI Act) 
For the Australian Securities and Investments Commission