Ransomware new legislation should criminalise making ransomware payments

What you need to know

• Currently, payment by a company of a ransomware demand may constitute a criminal offence. 
• Defences may be available but there is uncertainty around if, and how, they operate in practice.
• Directors may be liable if the company has committed an offence by paying the ransom.
• Directors may also be in breach of their duties if they fail to pay a ransom.
• Ransomware responses may give rise to class actions by affected shareholders.
• The new Ransomware Action Plan includes an intention to introduce a stand-alone criminal offence for all forms of cyber extortion.
• New legislation should also criminalise making a ransomware payment.

What you need to do

• Be mindful that making a ransomware payment, no matter the size, may currently constitute a criminal offence.
• Understand and monitor legal and policy changes due in 2022.
• Assess how ransomware attacks may affect your business. 
• Test the ransomware response plans at all levels of your organisation. 
• Assess Board level decision governance relating to considering ransom payments.
• Undertake Board level training for cyber risk management and ransomware  responses.

In response to the growing and persistent threat of ransomware attacks, the Minister for Home Affairs recently released the Ransomware Action Plan which includes the intention to introduce legislation in 2022 that mandates reporting of ransomware attacks and imposes a 'stand-alone offence for all forms of cyber extortion.' While it is not yet clear what activities will constitute an offence under the Government's intended legislation, it is hoped that not only will making a ransomware demand become illegal but so too will payment of a ransomware demand.

Making ransomware payments illegal would be a positive outcome for both practical and ethical reasons and would clarify the existing legal uncertainty that directors face when  having to decide whether to make a ransomware payment. If the making of ransomware payments becomes illegal and directors have discharged their duty to ensure that the company has adequate cyber-security infrastructure, procedures and systems in place, directors should not be liable (for breaching their directors' duties) if their company suffers loss as a result of non-payment of a ransom. 

Recent ransomware events

The threat of ransomware is a national security issue that now impacts the Boardroom agenda in a way that few issues have for decades. The Australian Cyber Security Centre (ACSC) warns ransomware "poses one of the most significant threats to Australian organisations." In August this year, the Office of the Australian Information Commissioner (OAIC) announced that data breaches arising from ransomware incidents have increased by 24% in the last 6 months.¹

The ACSC has reported a recent shift in the tactics used by ransomware criminals, noting that a growing number are adopting encrypted networks and using exfiltration of data, threatening to publish stolen information online if ransoms are not paid.² 

The ACSC has also observed that ransomware cybercriminals are increasingly targeting larger companies and companies which provide critical infrastructure or essential services, perceiving greater consequences and deeper pockets and demanding larger ransoms.³

Is it an offence to pay a ransom under the current laws? 

The message from ACSC and the Department of Home Affairs is consistent: companies and individuals should not pay a ransom. Beyond this, the guidance for companies as to the legality of paying a ransom and possible defences is scant.

In certain circumstances, making a ransomware payment may constitute an offence for which the company is liable..

1. Sanctions offence
   
   The Charter of United Nations Act 1945 (Cth) (UN Charter) and Autonomous Sanctions Act 2011 (Cth) and their related regulations prohibits making funds or assets available to sanctioned organisations,set out in the Department of Foreign Affairs and Trade's Consolidated List.
   
   A company that is found to have violated Australia's sanctions laws may be able to rely on the defence under section 21(2E) of the UN Charter if it proves that it took reasonable precautions and exercised due diligence to avoid the contravention. However, this may be difficult to prove and companies may face negative publicity in the process of proving this defence.
2. Money Laundering (Instrument of Crime) offences
   
   A company that makes a ransom payment when there is a risk that the funds will be used to commit a crime may be liable for a money laundering offence under Division 400 of the Federal Criminal Code Act 1995 (Cth) (Criminal Code).⁴
   
   Such a company may be able to claim the defence of duress if the company had a reasonable belief that the threat would be carried out unless the offence was committed, there was no reasonable way the threat could be rendered ineffective (such as by restoring back-up data and systems) and the conduct was a reasonable response to the threat.
   
   A company that has committed an offence by paying a ransom may also be able to plead self-defence where it is believed that payment of the ransom is necessary to protect the company's property from destruction, damage or interference by the cyber-attacker. Again, the commission of the offence (payment of the ransom) must have been a reasonable response in the circumstances.
   
   The defence of 'sudden or extraordinary emergency' may be available to a company as well but only if the conduct was carried out in response to circumstances of sudden or extraordinary emergency, if the paying of the ransom was the only reasonable way to deal with the emergency and if the conduct was a 'reasonable response' to it.
3. Terrorist Financing offence 
   
   A company that makes a ransomware payment may be liable for a Federal offence relating to financing terrorist activities.
   
   Under section 102.7 of the Criminal Code, it is an offence to intentionally provide resources that would help a terrorist organisation engage, prepare, plan, assist or foster a terrorist act even if the company is merely reckless as to whether the organisation is in fact a terrorist organisation.
   
   Similarly the USA Patriot Act 2001, which has extra-territorial reach, prohibits companies from providing material support to terrorist organisations.
   
   A company potentially liable for an offence under section 102.7 of the Criminal Code may be able to plead duress, self-defence or the defence of sudden or extraordinary emergency, as outlined above.

A major difficulty for companies and their Boards when considering how to respond to a ransomware attack is the absence of clear judicial guidance on how the courts will interpret and apply the possible defences to ransomware payments that constitute an offence.  As a result many companies are reluctant to disclose whether they have made ransom payments and the bases on which they decided to do so. In the absence of precedent, clear legislative action is required.

Directors' duties in relation to ransomware attacks 

Directors are obliged to act in the best interests of their company and to discharge their duties with care and diligence. 

In the context of ransomware and cybersecurity, the duty of care and diligence is likely to require that directors inform themselves of cyber and ransomware risks facing their business, in order to manage imminent threats and make informed assessments on their company's behalf. 

The ASX Corporate Governance Principles and Recommendations advises boards to regularly review their company's risk management framework and to ensure that the framework in place aligns with the board's risk appetite. This includes directors satisfying themselves that the current risk management framework adequately deals with cyber-security related risks.⁵  

Directors may be liable for an offence associated with payment of a ransom if they assist with the commission of the offence.

In addition, directors' failure to stay appropriately informed of cyber and ransomware risks may cause them to fail in the discharge of their directors' duties. Directors must have a sufficient level of knowledge of ransomware risks so that they are able to challenge and assess the decisions of management.

As the law currently stands, payment of a ransomware demand by a company  may lead to a director being found personally liable for the company's offence as a result of 'stepping stone liability', a construct the Australian Securities and Investments Commission (ASIC) has used to find directors liable for failing to prevent a company's contravention where a foreseeable risk of harm was present.

Conversely, if a company does not pay a ransom and, as a result of not doing so, the company suffers loss and possibly a significant drop in its share price, directors could face a class action or other shareholder action alleging a breach of their duty to act in good faith in the best interests of the company by failing to pay the ransom. 

The legal and regulatory landscape around ransomware payment, disclosure and associated directors' duties differs between countries. Companies with global operations must become familiar with the different regulatory and reporting requirements in each of the countries in which they operate, to ensure compliance with the various regulatory models. 

Making ransomware payments illegal 

The Ransomware Action Plan indicates that there will be a tightening of regulations, expectations and accountabilities regarding cyber security.

It seems inevitable that the Government will legislate to criminalise making a ransomware demand. There are strong ethical and practical reasons why the Government should go further and make payment of a ransomware demand illegal as well.

Ransomware payments produce one clear outcome: they enrich organised crime and rogue states who can then use the funds to develop more harmful technologies, circumventing government and corporate cyber security controls. Studies have shown that payment of ransoms effectively encourage and facilitate future ransomware attacks and increase the intensity and frequency of ransomware attacks.⁶  

Legislation needs to rule out making a ransomware payment as an option for directors and their companies except in the most extreme and exceptional circumstances. 

Directors who comply with new lillegality laws  and do not pay a ransomware demand should not be liable for that, even if non-payment causes damage to the company, such as the leakage of commercially sensitive or personal data, or operational shutdowns or difficulties, perhaps accompanied by reputational damage and a drop in the company's share price. 

Directors will, however, still have to comply with their duties to act with care and diligence by ensuring that their company has implemented adequate cyber-security processes, systems and frameworks to manage cyber security risks. This aligns with ASX Corporate Governance requirements that directors ensure their company's current risk management framework adequately deals with cyber-security related risks.  It is also consistent with the Government's initiative to consider legislative reforms in relation to directors' duties around a minimum cyber security baseline,⁷  and recent hints by ASIC as to benchmark standards for cyber security.⁸ 

In most instances payment of a ransomware demand is not an effective means of  retrieving stolen or encrypted data or rapidly restoring system access. A recent report from IT security company, Sophos, has found that as few as 8% of the companies surveyed globally retrieved all of their stolen data after paying the ransom.⁹  

Concern by directors (and shareholders) about the effect on their company's share price if a ransomware demand is not met is also misplaced. The key variables impacting share price after an attack is not whether a payment was made, but rather the effectiveness of the company's preparation and response.

For the benefit of companies and their directors the legislative position on ransomware payments needs to be clarified urgently and the proposed reforms should be debated in consultation with industry. Without considered legislative reform, covert and divergent responses to ransomware attacks are likely to continue in an uncertain legal environment, hindering law enforcement and funding future threats. 

It's an ethical issue as well as a legal issue

Cyber criminals who perpetrate ransomware attacks are very good at pretending to be honest brokers, helping companies out of a bad situation, or "small timers" just looking for a way to feed their family.

Let's be clear – in nearly all cases they are part of a multi-billion dollar, highly sophisticated network of transnational criminals and rogue states. By paying ransomware demands, companies are not only encouraging more attacks, they are providing the funding to develop technology that increases the threat to company operations, private data and critical infrastructure.

It is not too difficult to imagine scenarios where the terrorists of the future have been enabled by technology advances funded via today's ransomware payments. In this respect, ransomware may be a future social licence issue. It is certainly one that sits uneasily with good corporate values and ethics.

What should Directors do now?

The question, to pay or not to pay, is an immediate problem. Ahead of legislative changes that provide clarity on the illegality of making ransomware payments, directors need to be actively preparing and discussing how to react to a ransomware demand.

Directors play an essential role in stress-testing the assumptions used in recovery planning, in setting their company's recovery priorities and in determining how effective a ransomware payment might be in meeting recovery objectives. Probing questions will help shape the company's response to key questions such as:

• How likely is it that the attackers will have the technical capability to fully restore systems?
• What are the viable alternative paths and timelines for recovery?
• Can the attackers be trusted not to release stolen data?

Ransomware gets personal

An added dimension to the current ransomware dilemma is the increasing trend of attackers to hunt for sensitive data relating to senior executives. Attackers use both private (and potentially embarrassing) information or highly confidential company information to blackmail executives and directors personally. This can result in tension between corporate and personal decision making, balancing privacy, discretion and personal reputations against organisational obligations and objectives. 

Exercising good decision governance is critical.  This includes:

• enabling experts and leaders to give transparent, frank and fearless advice; 
• planning for (rather than denying) probable worst case scenarios; and 
• having clear decision making processes, delegation of decision making authority and reporting requirements.

All of these matters must be discussed and debated as part of an organisation's ransomware response plan, and that plan should be in place and ready to be activated if needed.

Assessing ransomware readiness

Most large organisations have some form of a ransomware response plan that includes critical actions for detection, containment, analysis, eradication and recovery.  As plans are often developed by or within an IT function, directors play a key role in assessing "whole of company" readiness. This includes: 

• ensuring cross-functional interdependencies and priorities are addressed (for example, does the ransomware response plan align with privacy breach response planning managed by the legal team, and with shareholder communication planning managed by the investor relations team?);
• a clear articulation of escalation, communication and decision making protocols at all levels, including between the senior executives and the Board;
• impact analysis and response planning across the business for a range of ransomware scenarios; and 
• a measurable and accountable training and testing programme, including Board level cyber simulations, at least annually.

War-gaming is one of the most effective risk mitigant returns on investment. Simulations can identify critical vulnerabilities, cross-functional dependencies, and anticipate disagreement over key decisions, which improves the speed and quality of decision making in a ransomware crisis. 

Ultimately, increasing vigilance and targeted risk planning is paramount to proactive stewardship in the evolving cyber threat environment.

Authors: Rob Hanley, Partner (Legal Governance Advisory); John Macpherson, Director (Risk Advisory); Maxine Viertmann, Lawyer (Legal Governance Advisory)

The services provided by the Ashurst Risk Advisory practice do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

_{1. Notifiable Data Breaches Report, Office of Australian Information Commissioner, 23 August 2021,
https://www.oaic.gov.au/__data/assets/pdf_file/0013/2803/oaic-notifiable-data-breaches-report-jan-june-2021.pdf  p.17.} 

_{2. ACSC Annual Cyber Threat Report 1 July 2020 to 30 June 2021
https://www.cyber.gov.au/sites/default/files/2021-09/ACSC%20Annual%20Cyber%20Threat%20Report%20-%202020-2021.pdf p.23,}

_{3. ibid p.31.}

_{4. See for example, section 193D Crimes Act 1900 (NSW) (A person is guilty of an offence if they deal with property being reckless as to whether the property will become an instrument of crime, and the property subsequently becomes an instrument of crime).} 

_{5. ASX Corporate Governance Principles and Recommendations, 4th Edition, February 2019
https://www.asx.com.au/documents/regulation/cgc-principles-and-recommendations-fourth-edn.pdf p. 27.} 

_{6. Dey and Lahiri, Should we Outlaw Ransomware Payments?, Proceedings of the 54th Hawaii International Conference on System Sciences, January 2021 https://scholarspace.manoa.hawaii.edu/bitstream/10125/71414/0646.pdf p.6611.} 

_{7. Australia's Cyber Security Strategy 2020
https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf [36].} 

_{8. Australian Securities and Investments Commission v RI Advice Group Pty Ltd Statement of Claim
https://download.asic.gov.au/media/svwcjdn3/20-191mr-asic-v-ri-soc-amended.pdf} 

_{9. Sophos, The State of Ransomware 2021, April 2021
https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf p.11.}