government unveils plan to combat ransomware threat

The occurrence and severity of ransomware incidents is increasing in Australia; mirroring global trends. The Australian Cyber Security Centre reported a 15 per cent increase in ransomware attacks over the past 12 months, while an industry estimate put the cost of ransomware to the Australian economy at $1.4 billion in 2020.

Ransomware is where cybercriminals use malicious software to encrypt electronic devices, folders and files that render systems inaccessible to users. Once files are encrypted, criminals demand a ransom from the system owner in return for the decryption keys, with the ransom to paid in the form of a cryptocurrency. Whether to pay a ransom raises difficult legal and ethical questions for directors, including whether payment promotes further ransomware attacks on the organisation.

Ransomware is just one component of broader cybersecurity risks that organisations of all sizes face. The AICD’s latest Director Sentiment Index for the first half of 2021 indicated that the percentage of directors nominating cyber-crime has increased to the second highest issue ‘keeping directors awake at night.’

Ransomware Action Plan

The Ransomware Action Plan, published by the Department of Home Affairs on 13 October 2021, comprises a series of proposed measures that seek to combat the threat of ransomware attacks.

A number of the proposed measures focus on legislative reform to introduce new or strengthened laws that criminalise activities associated with ransomware attacks:

  • introducing a stand-alone offence for all forms of cyber extortion;
  • criminalising the buying or selling of malware for the purposes of undertaking computer crimes;
  • criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
  • introducing a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as captured under the Security of Critical Infrastructure Act 2018); and
  • legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments in cryptocurrency.

Mandatory reporting regime

The plan also contains a proposal that businesses with a turnover greater than $10 million per annum will be required to report ransomware incidents. This is the measure in the plan that is likely to have a greatest impact on directors and organisations.

There is very limited detail on the reporting proposal contained in the plan, with the $10 million threshold appearing in the accompanying media release from the Minister for Home Affairs. For instance, there is no detail on how an incident would be defined, whether not-for-profits would be captured or how a report would be made. Currently organisations can voluntarily report ransomware incidents to the Australian Cyber Security Centre, an agency of the Australian Signals Directorate.

We expect there will be technical challenges in drafting an effective reporting framework and ensuring that organisations are aware and understand any new reporting obligation. In addition, the proposed $10 million per annum threshold appears to be low and will capture thousands of organisations.

There are no timeframes for development and consultation on the reporting proposal.  The AICD will closely monitor developments and update members when further information is available.

While the plan does not prohibit the payment of ransoms, it does make it clear that the government does not condone payments, as there is no guarantee the hackers will restore information or not leak or sell stolen data.

AICD Resources to support directors

  • The AICD offers the short online course The Board's Role in Cyber which is intended to enable directors to effectively identify evolving cyber threats and risks to their organisations, as well as maximising opportunities to innovate. Further information on this course is available here.
  • The October 2021 edition of Company Director contained the article Held to ransom on the threat posed by ransomware, while the June 2021 edition contained a detailed article on cyber threats Surprise attack including questions directors should ask management about preparing for a cyber-attack.
  • The AICD has also published director tools on cybersecurity, including Managing a data breach: 10 oversight questions for directors and National security compliance for directors.