Ransomware payment reporting framework – Will this make Australia a less attractive target for ‘big game’ hunter cyber criminals?

  • Legal Development 24 June 2021
  • Asia Pacific

  • Cyber Risk

Ransomware risk is costing economies billions of dollars, at a time when economic recovery can least afford it. On 21 June 2021, Labor politician Tim Watts introduced the private member's Ransomware Payments Bill 2021 (Cth) (the Bill) into Parliament. If implemented, the Bill will impose reporting obligations on certain entities looking to pay cyber criminals' ransom demands following a ransomware attack, with penalties for non-compliance.

The 30 second snapshot of this update:

  • Ransomware is rapidly becoming a top political priority for governments which are framing the risk as a national security threat.
  • Tim Watts MP has introduced legislation proposing a mandatory ransomware reporting framework, requiring notice to be provided to the Australian Cyber Security Centre upon payment of a ransom demand.
  • The information provided in notifications will be shared with the infosec community to advise of the risk of current attacks and for the purpose of law enforcement activity.
  • The proposed reporting framework will apply to Commonwealth, State and Territory Government agencies and to private entities with a turnover of more than $10 million.
  • Entities that fail to comply with the reporting framework will be subject to fines of up to $222,000.

These potential changes highlight the need for Australian businesses to be constantly ‘horizon scanning’ on cyber risk. Incident response plans and frameworks need to be continually reassessed for adequacy against the ever-changing risk landscape. Incident simulations are a must, not only from a technical perspective but also in terms of engagement with boards on key decisions such as payment of a ransom.

Australian entities should be taking steps now to assess whether their incident response and compliance frameworks would capture new reporting requirements if they are introduced, and otherwise prepare for a ransomware event to avoid the need to pay.

Current ransomware landscape

Ransomware has fast become the attack-of-choice for sophisticated cyber criminals given the lucrative payouts. In recent times, the community has witnessed several high-profile attacks that have disrupted global supply chains and impacted fuel and food security.

No industry is immune, with many well-known brands falling prey to attack. As a result, entities are paying millions of dollars in ransom demands to protect their brand, as well as incurring significant costs associated with recovering from the event. This is without calculating business interruption and claims exposure.

Against this background, there has been a groundswell of activity amongst legal, IT security, insurance, law enforcement and policy maker circles to develop a co-ordinated strategy for responding to ransomware.

Numerous government and industry-led task forces have been established. Law enforcement bodies are being beefed up. Heads of state are speaking 1:1. Cyber-domain ground rules are being established. Comparisons between ransomware and 9/11 are being made. National security rhetoric is being rolled out.

If it wasn’t already, cyber security is now a political top priority.

Our own statistics

Our data from the many incidents we manage show that:

  • In any given month, financially motivated ransomware events account for up to 30% of total overall incidents, as compared to other incident types (business email compromise, vendor data breaches, nation state activity).
  • This trend has been increasing year on year. In 2021, ransomware incidents have accounted for an average of 25% of total incidents, whereas in 2018 ransomware events accounted for only 18% of total incidents.
  • 10% of impacted entities are publicly listed, with 90% of targets being privately held companies or government agencies. The top 5 industries impacted are professional services, technology, financial services, healthcare, and government agencies.
  • Initial ransom demands vary (some exceed AUD $10m) but are typically negotiated down from the starting price by 50-70%, depending on the threat actor group and the urgency around payment.
  • Most companies don’t pay. Those that do are typically driven by a duty to protect the interests of individuals and clients whose data was taken by cyber-criminals, restoring critical operations to prevent greater public harm, and mitigating overall business interruption exposure.

We discuss what the Bill means for Australian entities and the cyber-insurance industry below.

What is the Bill all about?

In February 2021, Tim Watts MP (Shadow Assistant Minister for Communications and Cyber Security) released a white-paper titled “Beyond the Blame Game - Time for a National Ransomware Strategy”.[1]

A key focus of the report (and the overall strategy) is to ‘impose costs’ on the cyber-crime economy to make Australia a less attractive target to cyber-criminals. Recommendations in the report include increased law enforcement action, targeted international sanctions, and offensive cyber operations. It is in line with this overall approach that the Bill has been introduced, on the basis that it will deter cyber criminals from attacking Australian entities.

We address the key features of the Bill below.

What is a ransomware attack?

We all know what ransomware is, but it is important that the scope of the Bill applies to real-world cyber-crime activity. As such, the Bill introduces a broad definition of “ransomware attack” designed to catch a diverse range of cyber-activity.

Under the Bill, a ransomware attack will have occurred if four conditions are met.

First, a person (the attacker) must do any of the following using a computer function:

  • access data held in a computer;
  • modify data held in a computer;
  • impair electronic communications between computers; or
  • impair the reliability, security or operation of any data held on a computer (or electronic storage device).

Second, the attacker must know the access, modification or impairment is unauthorised. Although victims are unlikely to know the precise state of mind of attackers leading up to an attack, this will become fairly evident once contact with the attackers is made in the process of negotiating the ransom demand.

Third, in the case of unauthorised modification or impairment, the attack must:

  • restrict access to data held in a computer; or
  • give an unauthorised person the ability to modify, damage or destroy data (or electronic storage device).

Fourth, the attacker must demand payment to either:

  • end the unauthorised access, modification or impairment;
  • prevent the publication of data;
  • end the restriction on access to data;
  • prevent damage or destruction of data; or
  • otherwise remediate the impact of the unauthorised access, modification or impairment.

Application to real-world attacks

The definition of “ransomware attack” is likely to capture most ransomware events that we have seen.

Practically, however, targeted entities also pay attackers for a number of ancillary deliverables, including: confirming the root cause of the attack, providing copies of stolen data, deleting stolen data, not attacking the entity or related entities, ceasing contact with employees/executives/clients, and ceasing DDoS attacks. The definition may need to be expanded to cover these ‘demands’.

Interestingly, the Bill as currently drafted might also capture vulnerability disclosure scenarios where ‘security researchers’ demand consultancy fees for their hard work in bringing a vulnerability to the attention of targeted entities. This remains to be seen, but emphasises the sometimes unforeseen application of legislation to novel circumstances.

What entities are subject to the Bill?

The Bill will apply to all state and federal government agencies, as well as any entity that carries on business in Australia, provided the payment relates to a ransomware attack against a computer network located in Australia.

This means that, in addition to local businesses and government agencies, the Bill will potentially have implications for internationally headquartered businesses that pay ransom demands from overseas but have impacted assets in Australia. The extra-territorial reach of the Bill is likely to come into sharp focus for such entities.

The Bill will not apply to small businesses with an annual turnover of less than $10 million per year. Some have commented that this should be reduced to align with the Privacy Act’s threshold of $3 million turnover, however we understand that the intention of the Bill is to capture intelligence on attacks impacting larger entities and government agencies.

Given our stats above indicate that mostly private companies are targeted by ransomware, this may mean that several payments go unreported depending on the annual turnover of those entities.

It is also a fallacy to assume that small businesses cannot afford to pay ransom demands (and therefore do not pay) and so the reporting requirement will not apply to them. Often, small businesses of this size have cyber insurance which typically covers ransom demands.

Whether the $10m revenue reporting threshold is appropriate remains to be seen.

What kind of notification is required?

Under the Bill an entity that makes a ransom payment must give written notice of the payment to the Australian Cyber Security Centre (ACSC). The notice must set out:

  • the name and contact details of the entity paying the ransom demand;
  • the identity of the attacker (or whatever information is known about the purported attacker); and
  • the details of the ransomware attack (including the cryptocurrency wallet, the amount of the ransom payment, and any indicators of compromise known to the entity).

Although the ACSC currently seeks to collect this information from targeted entities, the provision of such information is voluntary at present.

What is the timeframe for notification?

The Bill states that an entity must notify the ACSC as soon as practicable when it makes a ransomware payment. The phrase ‘as soon as practicable’ is not defined in the Bill; however, we consider that an entity will be required to notify without unreasonable delay.

In our view this timeframe is workable. Previous suggestions of a reporting framework whereby entities would need to notify and seek the approval of the ACSC (or an equivalent government agency such as DFAT) before making a payment are simply unworkable given the short timeframes within which decisions would need to be made.

Practically, entities should prepare to notify the ACSC once a payment has been made (at which point the crypto-wallet and exchange details will be available). This will be important for the ACSC and law enforcement to identify the attacker and trace the ransomware funds (if that is what they intend to do).

Are notifications anonymous?

The Bill clearly states that entities that pay must identify themselves when submitting a notification. As a result, it is unlikely that entities will be able to anonymously notify the ACSC of a ransom payment.

We will keep this under close review as anonymity/confidentiality is a key concern for entities that pay – despite the ‘public good’ in sharing information to the wider community. In our view, there is scope for the reporting framework to remove this requirement and allow representatives (such as law firms) to report on behalf of entities, and still achieve the desired outcomes of the reporting framework.

An individual is not excused from giving a notice on the grounds of claiming privilege against self-incrimination, and companies are not entitled to claim privilege against self-incrimination. However, the notice cannot be used against an individual in criminal proceedings (unless the notice is misleading – itself an offence under the Criminal Code).

How can the ACSC use information?

The intention is to empower the ACSC to warn Australian businesses and government agencies of the risk of current attacks so that they can take steps to protect their networks. As such, the Bill grants the ACSC significant discretion to decide whether, and to whom, to disclose data provided to it under the reporting framework.

For example, the ACSC can disclose information in the notice to any person (including the public) to inform them of the cyber threat environment (typically this will occur through the JCSC partner network, or on the ACSC’s website). The ACSC can also disclose information in the notice to assist law enforcement bodies (i.e. the AFP / State / Territory police forces) with law enforcement activities.

The ACSC can’t disclose personal information (i.e. details of individuals listed in the notice) but the Bill is silent as to whether it can disclose the name of the targeted entity. Practically, while the ACSC presently seeks to preserve the confidentiality of reporting entities in its information sharing activities, this Bill does not guarantee that will occur and so there is a risk that reporting entities will have their details disclosed to others and/or the public as a result.

Also, given that the report to the ACSC and the follow-up information sharing with the infosec community will coincide with whatever headline event is in the news that week, the public (and the media) will be able to easily speculate which entities have paid the ransom demand, even if the ACSC is discreet in its information sharing.

What are the Penalties?

The Bill has introduced penalty measures for entities that do not comply with reporting, with fines of up to $222,000 if they fail to notify the ACSC after a ransom payment is made.

We have already been asked to comment on whether these fines are insurable under cyber insurance and other insurance policies such as statutory liability policies – which is something we are keeping under close review.

What should Australian entities be doing to prepare?

From our early review of the proposed Bill, Australian entities should be taking the following steps to ensure they are ready to comply with the reporting framework if introduced:

  • conduct a table-top exercise to simulate a ransomware event and determine what an impaired version of your operations would look like while you recover from an extended outage;
  • have a pre-determined decision-making framework that helps guide the business through the decision on whether to engage with a cyber-criminal, whether to pay a ransom demand, and a strategy for dealing with cyber-attackers;
  • take preventative steps to avoid the need to pay a ransom (including having adequate back-ups, security of core systems, manual work-arounds to withstand extended outages, encrypted sensitive data, and a communications plan);
  • ensure that if a payment is going to be made, certain steps are taken to report to the ACSC in a timely manner (and ensure other sanctions requirements are met); and
  • be prepared to work with law enforcement agencies following payment, and address public scrutiny.

Our take on the reporting framework?

Clearly something needs to be done to curb the sheer frequency and scale of ransomware attacks. The Bill, if introduced, will be a world-first example of how this can be achieved.

If it works as intended, the Bill will assist in deterring attackers from targeting Australia. This is because the attackers will (in theory) be at risk of prosecution by law enforcement bodies in Australia (and their international counterparts), making attackers more likely to be apprehended. Early reports are that the AFP is scaling up its teams to respond to the influx of investigatory work required, though a long-term public funding commitment to this pursuit remains to be seen.

Secondly, the Bill will undoubtedly deter some entities from paying, on the basis that they will need to disclose the payment to government officials. Without any statutorily enshrined confidentiality/anonymity protections, companies will be less inclined to pay unless there is significant public interest in doing so. This disinclination to pay will mean less return on investment for cyber criminals as they will need to attack more victims to find an eligible paying candidate. As a result (as the economic theory goes) they will move onto other countries which present as a softer (or more lucrative) target.

Thirdly, the intelligence gained from the reporting framework can be provided to the infosec community for action. This will allow them to build up the network defences of the entities and agencies they are employed to protect, and guard against known attack groups and their activities. Like the second point above, even if Australia remains a hot target, Australian entities themselves will be harder to attack thereby reducing the overall return on investment. The cost of doing business will dissuade some cyber-criminal groups.

So what are the downsides?

Arguably, this reporting framework will funnel attackers into focussing their efforts on high priority targets that will pay irrespective of reporting obligations. This means critical infrastructure providers (think hospitals, energy providers, transport). As we have seen in recent attacks, the impacts will not only be felt in the digital realm but also in the physical realm.

Alternatively, companies will continue to pay despite the reporting requirements, however they will simply have an additional regulatory burden. Whether any positive impacts are yielded turns on what the ACSC and law enforcement bodies do with that information, and whether the infosec community builds its collective defences following any information sharing to effectively deter criminal activity.

It will be interesting to see if the Bill receives bipartisan support, and whether the topic of cyber-security will become an election issue. We will continue to work with the cyber security, legal and insurance communities to track and report on the impacts of this reporting framework in coming months.

How can we help?

We are currently working with several entities to improve their ransomware resilience so please reach out to us if you would like to discuss what your industry is doing and what steps you can take.

Clyde & Co has the largest dedicated and rapidly expanding cyber-attack response practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology-related disputes in recent times, including several of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Our 24-hour cyber-attack response hotline and email address allow you to access our team directly around the clock.

Additional authors:

Menaka Vasudevan (Senior Associate) Daniel Saouma (Associate) and Jack Hile (Graduate)
