All businesses are susceptible to cyberattack and 2022 demonstrated that even companies with multiple layers of cybersecurity protection are no exception. With each cyberattack comes the likelihood of a ransomware demand — a scenario that Australians have lately become all too familiar with. One recent cyberattack target is believed to have had its data dumped on the dark web by the threat actors for failing to pay a ransom demand of around $15m.
Urgent action is needed. The 2022 Cyber Threat Report published by the Australian Cyber Security Centre (ACSC) states, “ransomware remains the most destructive cybercrime threat”.
Last November, the Australian government indicated it will consult on making the payment of a ransomware demand illegal. Given the present uncertainty surrounding both the legality of paying a ransom and the availability of certain defences, such consultation is very welcome. Directors of companies faced with a ransomware demand are, by virtue of this legal uncertainty, placed in a difficult position as they try to discharge the duty to act in the best interests of their company. Indeed, directors often feel they are “damned if they do and damned if they don’t”.
In most cases of a ransomware attack, the identity of the threat actor is not known. Consequently, it is extremely difficult for directors and their advisers to make an informed decision on whether payment of a ransom would breach sanctions, anti-money laundering or terrorist financing laws — which may have civil and criminal consequences for companies and directors alike.
To provide directors with certainty in these circumstances, there are strong arguments in favour of making payment of a ransom demand illegal. However, for such a regime to work in practice there would need to be clear — but limited — exceptions to enable payments to be made. The exceptions should be confined to situations involving the imminent threat to life or destruction or serious damage to certain critical infrastructure.
One of the principal concerns around making ransomware payments illegal is that threat actors may target organisations and operations where damage to critical infrastructure or imminent threat of loss of life is more likely. Flexible and subjective “safe harbour” exceptions — which rely on the discretion or business judgement of directors — might lead to both directors and threat actors focusing on the safe harbour exceptions rather than the offence. Therefore, exceptions to a new offence of making a ransomware payment would need to be applied in an objective manner.
A key strategic benefit of introducing a new offence is to shift the decision of whether to make a ransomware payment “outside the room” — to reduce the negotiation leverage cybercriminals may have over companies and their directors. Leaving decisions to pay a ransom to the discretion of boards would give threat actors leverage and potentially increase the incentive to target individual board members.
One way of moving the ransomware payment decision “out of the room” and relieving directors of the decision dilemma is through the creation of a “cyber panel”, an independent body, perhaps modelled on the Takeovers Panel. A cyber panel, comprised of part-time industry, business and legal members, could be convened at very short notice to provide informed advice to directors faced with a ransom demand. The cyber panel could confirm whether a safe harbour exception applies in the specific circumstances and, accordingly, if a ransom demand could lawfully be paid.
The deterrent effect of such a decision-making process should not be underestimated. If it is clear to potential threat actors that the decision to pay a ransomware demand would not be in the hands of company directors, they would have less incentive to target such companies and their directors.
A cyber panel could also serve other related functions, such as advising the minister on the step-in rights (termed “intervention requests”) under the critical infrastructure laws as well as setting and updating cybersecurity standards and advising on compliance with those standards.
The main objectives of prohibiting ransomware payments and having a cyber panel to oversee exceptions to that prohibition are to give companies and directors certainty in discharging their legal obligations and to protect them from potential civil and criminal liability. An additional benefit would be to make Australia a less attractive target for ransomware attacks. It might also prevent strong candidates being discouraged from taking up directorships of public companies by removing concerns around director liability on this issue.
Unfortunately, cyberattacks and related ransomware threats are ever-present aspects of corporate life. Taking steps now to reform cyber legislation and create an advisory cyber panel would provide directors with greater legal certainty and perhaps help to dissuade cybercriminals from targeting corporate Australia.
A Company Directors Opinion article authored by Rob Hanley MAICD, who leads Ashurst’s legal governance advisory, and John Macpherson, the head of its cyber advisory.