Ransomware risk is costing economies billions of dollars, at a time when economic recovery needs it least. On 21 June 2021, Labor politician Tim Watts introduced the private members Ransomware Payments Bill 2021 (Cth) (the Bill) into Parliament. If implemented, the Bill will impose reporting obligations on certain entities looking to pay cyber criminals ransom demands following a ransomware attack, with penalties for non-compliance.
These potential changes highlight the need for Australian businesses to be constantly ‘horizon scanning’ on cyber risk. Incident response plans and frameworks need to be continually reassessed for adequacy to meet the ever-changing risk landscape. Incident simulations are a must both from a technical perspective but also in terms of engagement with boards on key decisions such as payment of a ransom.
Australian entities should be taking steps now to assess whether their incident response and compliance frameworks would capture new reporting requirements if they are introduced, and otherwise prepare for a ransomware event to avoid the need to pay.
Ransomware has fast become the attack-of-choice for sophisticated cyber criminals given the lucrative payouts. In recent times, the community has witnessed several high-profile attacks that have disrupted global supply chains and impacted fuel and food security.
No industry is immune, with many well-known brands falling prey to attack. As a result, entities are paying millions of dollars in ransom demands to protect their brand, as well as incurring significant costs associated with recovering from the event. This is without calculating business interruption and claims exposure.
Against this background, there has been a groundswell of activity amongst legal, IT security, insurance, law enforcement and policy maker circles to develop a co-ordinated strategy for responding to ransomware.
Numerous government and industry-led task forces have been established. Law enforcement bodies are being beefed up. Heads of country are speaking 1:1. Cyber-domain ground rules are being established. Comparisons between ransomware and 9/11 are being made. National security rhetoric is being rolled out.
If it wasn’t already, cyber security is now a political top priority.
Our data from the many incidents we manage show that:
We discuss what the Bill means for Australian entities and the cyber-insurance industry below.
In February 2021, Tim Watts MP (Shadow Assistant Minister for Communications and Cyber Security) released a white-paper titled “Beyond the Blame Game - Time for a National Ransomware Strategy”.
A key focus on the report (and overall strategy) is to ‘impose costs’ on the cyber-crime economy to make Australia a less attractive target to cyber-criminals. Recommendations in the report include increased law enforcement action, targeted international sanctions, and offensive cyber operations. It is in line with this overall approach that the Bill has been introduced – on the basis that it will deter cyber criminals from attacking Australian entities.
We address the key features of the Bill below.
We all know what ransomware is but it’s important that the scope of the Bill applies to real-world cyber-crime activity. As such, the Bill has introduced a broad definition of “ransomware attack” that has been designed to catch a diverse range of cyber-activity.
Under the Bill, a ransomware attack will have occurred if four conditions are met.
First, a person (the attacker) must do any of the following using a computer function:
Second, the attacker must know the access, modification or impairment is unauthorised. Although victims are unlikely to be able to know the precise state of mind of attackers leading up to an attack, this will become fairly evident once contact with the attackers is made in the process of negotiating the ransom demand.
Thirdly, in the case of unauthorised modification or impairment, the attack must:
Fourthly, the attacker must demand payment to either:
The definition of “ransomware attack” is likely to capture most ransomware events that we have seen.
Practically however, targeted entities also pay attackers to provide a number of ancillary deliverables including: confirm root cause of the attack, provide copies of stolen data, delete stolen data, not attack the entity or related entities, cease contacting employees/executives/clients, and cease DDoS attacks. The definition may wish to be expanded to cover these ‘demands’.
Interestingly, the Bill as currently drafted might also capture vulnerability disclosure scenarios where ‘security researchers’ demand consultancy fees for their hard work in bringing a vulnerability to the attention of targeted entities. This remains to be seen, but emphasises the sometimes unforeseen application of legislation to novel circumstances.
The Bill will apply to all state and federal government agencies, as well as any entity that carries on business in Australia, provided the payment relates to a ransomware attack against a computer network located in Australia.
This means that, in addition to local businesses and government agencies, this Bill will potentially have implications for internationally headquartered businesses that pay ransom demands from overseas (but which have impacted assets in Australia). The extra-territorial reach of the Bill is likely to come into sharp focus for such entities.
The Bill will not apply to small businesses with an annual turnover of less than $10 million per year. Some have commented that this should be reduced to align with the Privacy Act’s threshold of $3 million turnover, however we understand that the intention of the Bill is to capture intelligence on attacks impacting larger entities and government agencies.
Given our stats above indicate that mostly private companies are targeted by ransomware, this may mean that several payments go unreported depending on the annual turnover of those entities.
It’s also a fallacy to assume that small businesses can’t afford to pay ransom demands (and therefore don’t) and so this won’t apply to them. Often – small businesses of this size have cyber insurance which typically covers ransom demands.
Whether the $10m revenue reporting threshold is appropriate remains to be seen.
Under the Bill an entity that makes a ransom payment must give written notice of the payment to the Australian Cyber Security Centre (ACSC). The notice must set out:
Although the ACSC currently seeks to collect this information from targeted entities, the provision of such information is voluntary at present.
The Bill states that an entity must notify the ACSC as soon as practicable when it makes a ransomware payment. The phrase ‘as soon as practicable’ is not defined in the Bill, however we consider that an entity will be required to notify without unreasonable delay.
In our view this timeframe is workable. Previous suggestions of a reporting framework whereby entities would need to notify and seek the approval of the ACSC (or an equivalent government agency such as DFAT) before making a payment, is simply unworkable given the short timeframes by which decisions would need to be made.
Practically, entities should prepare to notify the ACSC once a payment has been made (at which point the crypto-wallet and exchange details will be available). This will be important for the ACSC/law enforcement to identify the attacker and trace the ransomware funds (if that is what they intend to do).
The Bill clearly states that entities that pay must identify themselves when submitting a notification. As a result, it is unlikely that entities will be able to anonymously notify the ACSC of a ransom payment.
We will keep this under close review as anonymity/confidentiality is a key concern for entities that pay – despite the ‘public good’ in sharing information to the wider community. In our view, there is scope for the reporting framework to remove this requirement and allow representatives (such as law firms) to report on behalf of entities, and still achieve the desired outcomes of the reporting framework.
An individual is not excused from giving a notice on the grounds of claiming privilege against self-incrimination, and companies are not entitled to claim privilege against self-incrimination. However, the notice cannot be used against an individual in criminal proceedings (unless the notice is misleading – itself an offence under the Criminal Code).
The intention is to empower the ACSC to warn Australian businesses/government agencies of the risk of current attacks so that they can take steps to protect their networks. As such, the Bill grants the ACSC significant discretion to decide whether and whom to disclose data provided to it under the reporting framework
For example, the ACSC can disclose information in the notice to any person (including the public) to inform them of the cyber threat environment (typically this will occur through the JCSC partner network, or on the ACSC’s website). The ACSC can also disclose information in the notice to assist law enforcement bodies (i.e. the AFP / State / Territory police forces) with law enforcement activities.
The ACSC can’t disclose personal information (i.e. details of individuals listed in the notice) but the Bill is silent as to whether it can disclose the name of the targeted entity. Practically, while the ACSC presently seeks to preserve the confidentiality of reporting entities in its information sharing activities, this Bill does not guarantee that will occur and so there is a risk that reporting entities will have their details disclosed to others and/or the public as a result.
Also – given the report to the ACSC and follow up information sharing to the infosec community will coincide with whatever headline event is in the news that week, the public (and the media) will be able to easily speculate which entities have paid the ransom demand even if the ACSC is discreet in its information sharing.
The Bill has introduced penalty measures for entities that do not comply with reporting, with fines of up to $222,000 if they fail to notify the ACSC after a ransom payment is made.
We have already been asked to comment on whether these fines are insurable under cyber insurance and other insurance policies such as statutory liability policies – which is something we are keeping under close review.
From our early review of the proposed Bill, Australian entities should be taking the following steps to ensure they are ready to comply with the reporting framework if introduced:
Clearly something needs to be done to curb the sheer frequency and scale of ransom attacks. The Bill, if introduced – will be a world first example of how this can be achieved.
If it works as intended, the Bill will assist in deterring attackers from targeting Australia. This is because the attackers will (in theory) be at risk of persecution from law enforcement bodies in Australia (and their international counterparts) making attackers more likely to be apprehended. Early reports are that the AFP are scaling up their teams to respond to the influx of investigatory work required, though a long-term public funding commitment to this pursuit remains to be seen.
Secondly, the Bill will undoubtedly deter some entities from paying, on the basis that they will need to disclose the payment to government officials. Without any statutorily enshrined confidentiality/anonymity protections, companies will be less inclined to pay unless there is significant public interest in doing so. This disinclination to pay will mean less return on investment for cyber criminals as they will need to attack more victims to find an eligible paying candidate. As a result (as the economic theory goes) they will move onto other countries which present as a softer (or more lucrative) target.
Thirdly, the intelligence gained from the reporting framework can be provided to the infosec community for action. This will allow them to build up the network defences of the entities and agencies they are employed to protect, and guard against known attack groups and their activities. Like the second point above, even if Australia remains a hot target, Australian entities themselves will be harder to attack thereby reducing the overall return on investment. The cost of doing business will dissuade some cyber-criminal groups.
Arguably, this reporting framework will funnel attackers into focussing their efforts on high priority targets that will pay irrespective of reporting obligations. This means critical infrastructure providers (think hospitals, energy providers, transport). As we have seen in recent attacks, the impacts will not only be felt in the digital realm but also in the physical realm.
Alternatively, companies will continue to pay despite the reporting requirements, however they will simply have an additional regulatory burden. Whether any positive impacts are yielded turns on what the ACSC and law enforcement bodies do with that information, and whether the infosec community builds its collective defences following any information sharing to effectively deter criminal activity.
It will be interesting to see if the Bill receives bipartisan support, and whether the topic of cyber-security will become an election issue. We will continue to work with the cyber security, legal and insurance communities to track and report on the impacts of this reporting framework in coming months.
We are currently working with several entities to improve their ransomware resilience so please reach out to us if you would like to discuss what your industry is doing and what steps you can take.
Clyde & Co has the largest dedicated and rapidly expanding cyber-attack response practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology related disputes in recent times, including several the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber-attack response hotline or email allows you to access our team directly around the clock.
For more information, contact us on: