Ransomware new legislation should criminalise making ransomware payments
26 November 2021
26 November 2021
In response to the growing and persistent threat of ransomware attacks, the Minister for Home Affairs recently released the Ransomware Action Plan which includes the intention to introduce legislation in 2022 that mandates reporting of ransomware attacks and imposes a 'stand-alone offence for all forms of cyber extortion.' While it is not yet clear what activities will constitute an offence under the Government's intended legislation, it is hoped that not only will making a ransomware demand become illegal but so too will payment of a ransomware demand.
Making ransomware payments illegal would be a positive outcome for both practical and ethical reasons and would clarify the existing legal uncertainty that directors face when having to decide whether to make a ransomware payment. If the making of ransomware payments becomes illegal and directors have discharged their duty to ensure that the company has adequate cyber-security infrastructure, procedures and systems in place, directors should not be liable (for breaching their directors' duties) if their company suffers loss as a result of non-payment of a ransom.
The threat of ransomware is a national security issue that now impacts the Boardroom agenda in a way that few issues have for decades. The Australian Cyber Security Centre (ACSC) warns ransomware "poses one of the most significant threats to Australian organisations." In August this year, the Office of the Australian Information Commissioner (OAIC) announced that data breaches arising from ransomware incidents have increased by 24% in the last 6 months.1
The ACSC has reported a recent shift in the tactics used by ransomware criminals, noting that a growing number are adopting encrypted networks and using exfiltration of data, threatening to publish stolen information online if ransoms are not paid.2
The ACSC has also observed that ransomware cybercriminals are increasingly targeting larger companies and companies which provide critical infrastructure or essential services, perceiving greater consequences and deeper pockets and demanding larger ransoms.3
The message from ACSC and the Department of Home Affairs is consistent: companies and individuals should not pay a ransom. Beyond this, the guidance for companies as to the legality of paying a ransom and possible defences is scant.
In certain circumstances, making a ransomware payment may constitute an offence for which the company is liable..
A major difficulty for companies and their Boards when considering how to respond to a ransomware attack is the absence of clear judicial guidance on how the courts will interpret and apply the possible defences to ransomware payments that constitute an offence. As a result many companies are reluctant to disclose whether they have made ransom payments and the bases on which they decided to do so. In the absence of precedent, clear legislative action is required.
Directors are obliged to act in the best interests of their company and to discharge their duties with care and diligence.
In the context of ransomware and cybersecurity, the duty of care and diligence is likely to require that directors inform themselves of cyber and ransomware risks facing their business, in order to manage imminent threats and make informed assessments on their company's behalf.
The ASX Corporate Governance Principles and Recommendations advises boards to regularly review their company's risk management framework and to ensure that the framework in place aligns with the board's risk appetite. This includes directors satisfying themselves that the current risk management framework adequately deals with cyber-security related risks.5
Directors may be liable for an offence associated with payment of a ransom if they assist with the commission of the offence.
In addition, directors' failure to stay appropriately informed of cyber and ransomware risks may cause them to fail in the discharge of their directors' duties. Directors must have a sufficient level of knowledge of ransomware risks so that they are able to challenge and assess the decisions of management.
As the law currently stands, payment of a ransomware demand by a company may lead to a director being found personally liable for the company's offence as a result of 'stepping stone liability', a construct the Australian Securities and Investments Commission (ASIC) has used to find directors liable for failing to prevent a company's contravention where a foreseeable risk of harm was present.
Conversely, if a company does not pay a ransom and, as a result of not doing so, the company suffers loss and possibly a significant drop in its share price, directors could face a class action or other shareholder action alleging a breach of their duty to act in good faith in the best interests of the company by failing to pay the ransom.
The legal and regulatory landscape around ransomware payment, disclosure and associated directors' duties differs between countries. Companies with global operations must become familiar with the different regulatory and reporting requirements in each of the countries in which they operate, to ensure compliance with the various regulatory models.
The Ransomware Action Plan indicates that there will be a tightening of regulations, expectations and accountabilities regarding cyber security.
It seems inevitable that the Government will legislate to criminalise making a ransomware demand. There are strong ethical and practical reasons why the Government should go further and make payment of a ransomware demand illegal as well.
Ransomware payments produce one clear outcome: they enrich organised crime and rogue states who can then use the funds to develop more harmful technologies, circumventing government and corporate cyber security controls. Studies have shown that payment of ransoms effectively encourage and facilitate future ransomware attacks and increase the intensity and frequency of ransomware attacks.6
Legislation needs to rule out making a ransomware payment as an option for directors and their companies except in the most extreme and exceptional circumstances.
Directors who comply with new lillegality laws and do not pay a ransomware demand should not be liable for that, even if non-payment causes damage to the company, such as the leakage of commercially sensitive or personal data, or operational shutdowns or difficulties, perhaps accompanied by reputational damage and a drop in the company's share price.
Directors will, however, still have to comply with their duties to act with care and diligence by ensuring that their company has implemented adequate cyber-security processes, systems and frameworks to manage cyber security risks. This aligns with ASX Corporate Governance requirements that directors ensure their company's current risk management framework adequately deals with cyber-security related risks. It is also consistent with the Government's initiative to consider legislative reforms in relation to directors' duties around a minimum cyber security baseline,7 and recent hints by ASIC as to benchmark standards for cyber security.8
In most instances payment of a ransomware demand is not an effective means of retrieving stolen or encrypted data or rapidly restoring system access. A recent report from IT security company, Sophos, has found that as few as 8% of the companies surveyed globally retrieved all of their stolen data after paying the ransom.9
Concern by directors (and shareholders) about the effect on their company's share price if a ransomware demand is not met is also misplaced. The key variables impacting share price after an attack is not whether a payment was made, but rather the effectiveness of the company's preparation and response.
For the benefit of companies and their directors the legislative position on ransomware payments needs to be clarified urgently and the proposed reforms should be debated in consultation with industry. Without considered legislative reform, covert and divergent responses to ransomware attacks are likely to continue in an uncertain legal environment, hindering law enforcement and funding future threats.
Cyber criminals who perpetrate ransomware attacks are very good at pretending to be honest brokers, helping companies out of a bad situation, or "small timers" just looking for a way to feed their family.
Let's be clear – in nearly all cases they are part of a multi-billion dollar, highly sophisticated network of transnational criminals and rogue states. By paying ransomware demands, companies are not only encouraging more attacks, they are providing the funding to develop technology that increases the threat to company operations, private data and critical infrastructure.
It is not too difficult to imagine scenarios where the terrorists of the future have been enabled by technology advances funded via today's ransomware payments. In this respect, ransomware may be a future social licence issue. It is certainly one that sits uneasily with good corporate values and ethics.
The question, to pay or not to pay, is an immediate problem. Ahead of legislative changes that provide clarity on the illegality of making ransomware payments, directors need to be actively preparing and discussing how to react to a ransomware demand.
Directors play an essential role in stress-testing the assumptions used in recovery planning, in setting their company's recovery priorities and in determining how effective a ransomware payment might be in meeting recovery objectives. Probing questions will help shape the company's response to key questions such as:
An added dimension to the current ransomware dilemma is the increasing trend of attackers to hunt for sensitive data relating to senior executives. Attackers use both private (and potentially embarrassing) information or highly confidential company information to blackmail executives and directors personally. This can result in tension between corporate and personal decision making, balancing privacy, discretion and personal reputations against organisational obligations and objectives.
Exercising good decision governance is critical. This includes:
All of these matters must be discussed and debated as part of an organisation's ransomware response plan, and that plan should be in place and ready to be activated if needed.
Most large organisations have some form of a ransomware response plan that includes critical actions for detection, containment, analysis, eradication and recovery. As plans are often developed by or within an IT function, directors play a key role in assessing "whole of company" readiness. This includes:
War-gaming is one of the most effective risk mitigant returns on investment. Simulations can identify critical vulnerabilities, cross-functional dependencies, and anticipate disagreement over key decisions, which improves the speed and quality of decision making in a ransomware crisis.
Ultimately, increasing vigilance and targeted risk planning is paramount to proactive stewardship in the evolving cyber threat environment.
Authors: Rob Hanley, Partner (Legal Governance Advisory); John Macpherson, Director (Risk Advisory); Maxine Viertmann, Lawyer (Legal Governance Advisory)
The services provided by the Ashurst Risk Advisory practice do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
1. Notifiable Data Breaches Report, Office of Australian Information Commissioner, 23 August 2021,
2. ACSC Annual Cyber Threat Report 1 July 2020 to 30 June 2021
3. ibid p.31.
4. See for example, section 193D Crimes Act 1900 (NSW) (A person is guilty of an offence if they deal with property being reckless as to whether the property will become an instrument of crime, and the property subsequently becomes an instrument of crime).
5. ASX Corporate Governance Principles and Recommendations, 4th Edition, February 2019
https://www.asx.com.au/documents/regulation/cgc-principles-and-recommendations-fourth-edn.pdf p. 27.
6. Dey and Lahiri, Should we Outlaw Ransomware Payments?, Proceedings of the 54th Hawaii International Conference on System Sciences, January 2021 https://scholarspace.manoa.hawaii.edu/bitstream/10125/71414/0646.pdf p.6611.
7. Australia's Cyber Security Strategy 2020
8. Australian Securities and Investments Commission v RI Advice Group Pty Ltd Statement of Claim
9. Sophos, The State of Ransomware 2021, April 2021