Legal Considerations in Paying a cyber-ransom demand

By Sekuro Hackcelerator 2021 Mentee, Adam Sesel

Introduction

If your business has been targeted in a ransomware attack, it is likely that you are considering the option of paying the ransom in order to regain access to your business records, offset disruption and minimise reputational damage. [1] Paying a cyber-ransom [2] is a business decision that many have taken in Australia: of the two-thirds of Australian businesses that experienced a ransomware attack in 2020, 54% paid the ransom. [2]

This blog post aims to provide some food for thought as to the legal considerations Australian businesses should take into account before making the decision to pay a cyber-ransom demand.

What is Ransomware?

Ransomware is a form of malicious software that infects computers, encrypts hard drives and denies access to users of a system. [3]

In a typical ransomware attack, users of a system may select a link within a phishing email or unknowingly visit an infected website. Malware is then downloaded and installed on the user’s system, and cybercriminals can extort victims by threatening to release data publicly or deny access to business records until demands for payment (often in cryptocurrency) are met. [4] As a show of good faith, cybercriminals may decrypt a single file for free, and may increase the price of the ransom as a payment deadline approaches. Even if demands for payment have been met, the cybercriminals responsible may or may not provide a decryption key for the affected business to regain access to and control over its files. [5]

What Are The Legal Considerations?

Whilst there is currently no legislation in Australia which directly prohibits cyber-ransom payments, making such a payment could constitute an offence in certain circumstances.

Money Laundering Offence

Paying a cyber-ransom could constitute a money-laundering offence under Division 400 of the Criminal Code Act 1995 (Cth), [6] where the person ‘deals with money or property’, [7] ‘there is a risk that the money or property will become an instrument of crime’, [8] and the person is ‘reckless’ [9] or ‘negligent as to the fact that the money or property is proceeds of indictable crime.’ [10] Depending on the specific circumstances, however, such a business could claim the defence of duress, self-defence or ‘sudden/extraordinary emergency’. [11][12]

Offence of Financing Terrorism [13]

As per section 102.7 of the Criminal Code Act 1995 (Cth), [14] it is an offence to ‘recklessly’ [15] provide resources to support a terrorist organisation. As above, the defences of duress, self-defence or ‘sudden/extraordinary emergency’ [16] may be available. [13]

Australia’s sanctions regime, implemented under the Autonomous Sanctions Act 2011 (Cth), [18] prohibits the funding of an organisation proscribed by a United Nations (UN) sanction. Recent amendments under the Autonomous Sanctions (Magnitsky-style and Other Thematic Sanctions) Amendment Regulations 2021 [19] now enable sanctions to be imposed on individuals and entities in relation to particular thematic issues, including ‘malicious cyber activity’. [20] Therefore, by paying a cyber-ransom, an organisation could be in breach of the Autonomous Sanctions Act [21] by funding an individual or entity sanctioned for their involvement in ‘malicious cyber activity’.

Breach of Directors’ Duties

In accordance with the Corporations Act 2001 (Cth), [22] directors of companies have a range of duties, including to act in good faith, [23] to exercise care, skill and diligence, [24] and to prevent insolvent trading. [25][26] If found to have breached these duties, directors can be held personally liable and subject to civil [27] and criminal penalties. [28]

In the context of directors’ duties, paying a cyber-ransom could lead to a Court finding that a director has breached the duties owed to their company. If a cyber-ransom is paid and, as a result, the company suffers major financial loss or becomes insolvent, shareholders could initiate a class action alleging a breach of the director’s duties to act in good faith, to exercise care, skill and diligence, and to prevent insolvent trading. [12] Likewise, if the decision is made not to pay the cyber-ransom and the company suffers as a result, directors could face the same predicament.

Conclusion

Although the message from the Australian Cyber Security Centre and the Department of Home Affairs is clear that cyber-ransoms should not be paid, to pay or not to pay is certainly a difficult business decision to make. From a legal perspective, paying a cyber-ransom is a double-edged sword. On the one hand, businesses could be found liable for money-laundering, terrorism-financing or sanctions offences. [29] Conversely, directors could be found to have breached their duties by failing to pay a cyber-ransom, if the resulting business disruption exacerbates financial losses or leads to insolvency. [12] Given that there is not yet any case law or judicial guidance clarifying this issue, it is recommended that a business impacted by a ransomware attack seek legal advice before making the decision to pay or not to pay.

Sekuro’s Ransomware Readiness Assessment

By simulating real-world Tactics, Techniques and Procedures (TTPs) used by ransomware adversaries and cyber-criminal organisations to compromise corporate Windows environments and deploy ransomware throughout them, Sekuro’s Ransomware Readiness Assessment enables your organisation to identify gaps and remediate its exposure to this common and growing risk.

References

[1] https://www.ey.com/en_au/consulting/ransomware-to-pay-or-not-to-pay
[2] https://www.afr.com/politics/federal/ransomware-becomes-a-million-dollar-menace-for-aussie-firms-20201117-p56ffu
[3] https://www.homeaffairs.gov.au/cyber-security-subsite/files/tackling-ransomware-threat.pdf
[4] Kalaimannan E (2016) Influences on ransomware’s evolution and predictions for the future challenges. Journal of Cyber Security Technology 1(1): 23-31
[5] Wilner A, Jeffery A, Lalor J, Matthews K, Robinson K, Rosolska A, and Yorgoro C (2019) On the social science of ransomware: Technology, security, and society. Comparative Strategy 38(1): 347-370.
[6] Criminal Code Act 1995 (Cth) div 400.
[7] Criminal Code Act 1995 (Cth) s402B(4)(a)(i).
[8] Criminal Code Act 1995 (Cth) s402B(4)(b)(ii).
[9] Criminal Code Act 1995 (Cth) s402B(4)(c) (Tier 2 Offence).
[10] Criminal Code Act 1995 (Cth) s402B(7)(c) (Tier 3 Offence).
[11] Criminal Code Act 1995 (Cth) s10.3.
[12] https://www.ashurst.com/en/news-and-insights/insights/ransomware-new-legislation-should-criminalise-making-ransomware-payments
[13] Herbert Lowe S (2020) Cyber Extortion: legal and ethical considerations if you receive a ransom demand. Law Society of NSW (70): 85.
[14] Criminal Code Act 1995 (Cth) s102.7.
[15] Criminal Code Act 1995 (Cth) s102.7(2)(c).
[16] Criminal Code Act 1995 (Cth) s10.3.
[17] https://www.afr.com/chanticleer/ransomware-s-dilemma-for-boards-20211125-p59c1l
[18] Autonomous Sanctions Act 2011 (Cth).
[19] Autonomous Sanctions (Magnitsky-style and Other Thematic Sanctions) Amendment Regulations 2021.
[20] https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2021/November/Autonomous_Sanctions_Bill
[21] Autonomous Sanctions Act 2011 (Cth).
[22] Corporations Act 2001 (Cth).
[23] Corporations Act 2001 (Cth) s181.
[24] Corporations Act 2001 (Cth) s180(1).
[25] Corporations Act 2001 (Cth) s588G.
[26] https://legalvision.com.au/what-are-my-responsibilities-as-a-director/
[27] ASIC v Rich [2009] NSWSC 1229.
[28] Adler v R [2006] NSWCCA 158.
[29] Herbert Lowe S (2020) Cyber Extortion: legal and ethical considerations if you receive a ransom demand. Law Society of NSW (70): 85.