Ransomware has been described as the highest cyber threat that Australian businesses face today. Worryingly, the Australian Cyber Security Centre (ACSC) has observed recent trends indicating an increase in ransomware attacks on large companies that provide critical infrastructure or essential services in Australia. With the rapid development of technology, ransomware groups have become highly sophisticated and are able to significantly and maliciously impact an organisation’s IT system and ability to operate. Such attacks have been estimated to cost Australian businesses approximately $1 billion per year.
The ACSC does not condone the making of ransomware payments to cyber criminals, however there is no express legislative ban to actually making a ransomware payment. Rather, ransomware payments may be illegal in Australia where a company either; makes a payment to sanctioned organisation, where there’s a risk that ransom funds would be used to commit a crime, or whereby payment or resources are intentionally made available that would assist a terrorist organisation or activity.
While the Bill expressly states that a ransomware payment must be disclosed, directors’ duties are likely to extend beyond mere disclosure in this context. The core directors’ duties require directors to discharge their duties with care and diligence, act in good faith and in the best interests of the company, and not use information, or their position, for their personal, or someone else’s advantage.
A study conducted by KPMG in 2021 involving 1,300 Chief Executive Officers from around the world found that only 78% of Australian companies had a plan to deal with a ransomware attack. If a company is faced with a ransomware attack and they do not have a response plan, directors run the risk of breaching their duty to act with care and diligence, as they have not adequately prepared for, or informed themselves of, the risks of such cyber-attacks to the company.
Legal commentary suggests that there is strong argument in support of criminalising the demand and making of ransom payments. If legislation is proposed in support of this, it would provide some certainty to directors and companies facing the dilemma of deciding whether or not to pay. So long as directors have complied with their duties to ensure that the company has adequate plans to respond to a ransomware attack, it is unlikely that they will be found to have breached their directors’ duties, should the company suffer a loss as a result of not making the ransom payment. In light of the proposed Bill and the potential for further legislative reform, directors need to monitor this area closely and remain aware of their reporting obligations, as well as how they are appropriately discharging their directors’ duties when it comes to planning for and responding to ransomware attacks.
 Ransomware Payments Bill 2021 (Cth).
 See Criminal Code Act 1995 (Cth) and Charter of United Nations Act 1945 (Cth).
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Claire Slade, Lawyer in our Transactions Team
Phone: +61 8 8210 2226