Help, I’ve Been Hacked! Paying Ransoms To Cyber Criminals And Australia’s Sanction Laws

We are seeing a rise in sophisticated cybercriminals attacking Australian businesses, stealing their data and disrupting their operations.

A prudent board should ensure that their company’s crisis management plan includes aspects of cyber resilience. 

If a company is inclined to pay a ransom to a group of cybercriminals, it should first ensure that the payment does not inadvertently break any Australian or international laws; otherwise the organisation may find itself in hot water with regulators.

There are several laws and legal risks that an organisation should be alive to before it decides to make a ransom payment to cybercriminals.  However, we focus here specifically on Australia’s sanction regime.

Background

As the world continues to digitise, we are seeing a rise in international cybercriminal groups who have the capability and the goal of hacking into Australian companies’ computer networks.  Once they have gained access, these cybercriminals usually either:

  • steal information and threaten to release it publicly, or
  • damage your current systems, causing significant business disruption which in some circumstances can cost millions of dollars per day in lost productivity.

Usually, these cybercriminals carry out these disruptive activities in the hope that the target organisation pays them a ransom fee, either so that the cybercriminals delete the stolen data or so that they “hand back the keys” to the organisation’s computer network.

These cybercriminals usually apply a high level of pressure to intimidate the target company for the purpose of extorting the payment of a ransom.

Representatives of the Australian Securities and Investments Commission (ASIC) have on several occasions indicated that ASIC is on the lookout for a test case to prosecute a company’s board for failing to take reasonable steps, and ensure reasonable investments are made, to enhance its company’s cyber resilience.  ASIC Chair Joe Longo has stated:1

“As I’ve said before, cyber resilience has got to be a top priority, not just for ASIC, but for every company and every board. If things go wrong, ASIC will be looking for whether company directors and boards took reasonable steps, and made reasonable investments proportionate to the risks that their business poses, to be prepared for this kind of attack. And if we have reason to believe those steps were not taken, and directors did not act with reasonable care and diligence, we will act.”

As such, a number of prudent boards are conducting their own cyber resilience review.  In the pursuit of such a review, boards should also consider their organisation’s cyber risk management framework and cyber crisis management plans.

Part of an organisation’s cyber crisis management plan should include whether the organisation is prepared to pay a ransom to a group of cybercriminals.  If it is, the organisation should consider under what circumstances it will pay a ransom.

Before an organisation pays any ransom, it should first ensure that making such payment is not contrary to any laws.

Payment of Cyber Ransoms

It should be stressed that the Australian government’s usual guideline is that one should not pay any ransom.  Further, there is no guarantee that the cybercriminal will do as they had agreed in exchange for the funds.  That said, in Australia there is currently (as at the date of this publication) no strict “blanket ban” stopping a company from paying a ransom to its cyber-attacker.

However, while ransom payments are not always strictly illegal, immense care should be taken to ensure that one does not break any other laws through the payment of the ransom.

There are several laws and legal principles that an organisation should consider prior to making any ransom payment, including sanction laws, counter-terrorism laws, money laundering laws, industry specific laws, certain contractual obligations, and market specific laws, to name but a few.  Here, we focus briefly on Australia’s sanction laws, but recognise that this is not the only risk.

Sanctions Summary

Australia’s sanction laws are based on legislation that is put in place to limit certain individuals, states, and state actors from easily gaining access to funds, assets, and commercial deals.  It is an offence of strict liability to pay money to a person or entity that is sanctioned, which means that it does not matter whether the breach was caused by intention, knowledge, recklessness, or negligence.  Previously, ASIC has even prosecuted directors personally for allowing their company to breach Australian sanction laws.

Australia implements sanctions from two legislative sources:

  • sanctions imposed as a consequence of Australia’s membership of the United Nations (UN) through Australia’s enactment of the Charter of the United Nations Act 1945 (Cth) (UN Charter Act); and
  • sanctions imposed autonomously by the Australian Government, through Australia’s enactment of the Autonomous Sanctions Act 2011 (Cth) (ASA).

At times, these sanctions may overlap, but that is not always the case.

The Charter of the United Nations does not expressly define 'sanctions', but Article 41 is generally understood as providing a definition. It refers to:

'measures not involving the use of armed force', including a 'complete or partial interruption of economic relations'.

The Explanatory Memorandum to the Autonomous Sanctions Bill 2010 defines 'sanctions' as:

'measures not involving the use of armed force' imposed 'in situations of international concern', including 'the grave repression of the human rights or democratic freedoms of a population by a government, or the proliferation of weapons of mass destruction or their means of delivery, or internal or international armed conflict.'

The main types of sanctions employed by the Australian Government are:

  • targeted financial sanctions regarding specific individuals or entities who may be subject to financial sanctions (including the freezing of their assets).  Targeted financial sanctions prohibit directly or indirectly making an asset available to (or for the benefit of) a designated person or entity.  Unlike trade restrictions which usually apply to specific goods and services, targeted financial sanctions prohibit the supply of any asset whatsoever (including funds or economic resources, such as crypto assets) to designated persons or entities.
  • travel bans on certain persons preventing them from entering or transiting through Australia.
  • restrictions on trade or procurement in goods and services (i.e. prohibiting the export or the import of certain goods or services).
  • restrictions on engaging in commercial activities or dealing with assets (for example, purchasing shares, granting intellectual property rights or establishing a joint venture).
  • sanctioning vessels, including preventing them from entering Australia.

In Australia, there are currently over 20 separate sanction regimes in force, targeting specific industries, crimes, countries and regions to various degrees.2

Cyber Security Sanctions

Cyber-specific sanctions may be, and have been, imposed under Australia’s autonomous thematic sanctions criteria in the ASA and the Autonomous Sanctions Regulations 2011 (Cth) (Cyber Sanctions Framework).

Following the passing of the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Bill 2021 (Cth), the Australian Government now has the power to impose autonomous sanctions to address particular issues (known as “thematic sanctions”) which specifically include malicious cyber activity, as well as threats to international peace and security, serious violations or serious abuses of human rights, or activities that undermine good governance or the rule of law.

The Minister for Foreign Affairs may impose a sanction under this Cyber Sanctions Framework, (i.e. a cyber sanction) if satisfied that a person or entity has caused, assisted with causing, or been complicit in, a cyber incident or an attempted cyber incident that is significant or which, had it occurred, would have been “significant”.  Regulation 6A of the Autonomous Sanctions Regulations 2011 (Cth) sets out the matters the Minister for Foreign Affairs may have regard to in deciding whether a cyber incident was, or would have been, significant.

Once sanctioned, a person or entity is referred to as a 'designated person' or 'designated entity'.

If a targeted financial sanction has been imposed on a designated entity, then all Australians and Australian businesses are prohibited from ‘dealing with’ the designated persons or entities.

“Dealing with” designated persons or entities includes making any asset, including money, directly or indirectly available to them.

There are currently some known ransom hackers and cybercriminal entities who have engaged in malicious cyber activity and who are now “sanctioned persons” by way of the Cyber Sanctions Framework.  These entities and individuals are listed on the Australian Sanctions Office’s (ASO) “consolidated list”.

Potential Penalties and Defence for Breaching a Sanction

It is an offence to contravene any of Australia’s sanction laws, with penalties ranging from a combination of:

  • fines for individuals, equating to the greater of:
    • three times the value of the transaction; or
    • 2,500 penalty units;4
  • fines for corporations,5 equating to the greater of:
    • three times the value of the transaction; or
    • 10,000 penalty units; and
  • imprisonment, with a maximum penalty of 10 years available.6

All offences under the UN Charter Act and the ASA are strict liability,7 meaning that no state of mind (such as intent, knowledge or recklessness) needs to be proven for an offence to be committed.  An individual or body corporate commits an offence if it engages in conduct that contravenes a sanction law, or a condition of an authorisation made under a sanction law.

A defence is available to a person who has breached a sanction law if that person proves that due diligence and other reasonable precautions were taken to avoid the breach.8  However, it is important to note that the corporation bears the onus of proving this defence.  Therefore, the corporation should prepare the groundwork for such a legal defence before making a payment to a cybercriminal, in case a breach should occur.

Case note: ASIC v Flugge & Geary

Directors of companies have also been prosecuted by ASIC personally for allowing their company to breach sanction laws.

In the case of Australian Securities & Investments Commission v Flugge and Geary (2016) 342 ALR 1 (Flugge and Geary), ASIC prosecuted two directors of AWB Limited (AWB) for breaching a sanction under the UN Charter Act.  Although ASIC brought proceedings against both directors, it was successful only against the first of the two.

In Flugge and Geary, the Supreme Court of Victoria ordered that the former chairman of AWB, Mr Flugge, pay a pecuniary penalty of $50,000 and be disqualified from managing corporations for a period of five years, following the Court's finding that he contravened s180(1) of the Corporations Act.  The penalty followed a finding that he had breached his duties as a director of AWB in connection with payments made to the Government of Iraq while that country was subject to UN sanctions under the UN Charter Act.  As part of that judgment, the Court found that Mr Flugge failed to make adequate enquiries about the propriety of the payment of inland transportation fees and, as a consequence, failed to stop AWB from engaging in improper conduct in paying those fees to the Government of Iraq.

In that same case, ASIC failed to establish that a second director, Mr Geary, knew that AWB was making payments to Iraq contrary to UN sanctions and, therefore, the Court was not satisfied that Mr Geary had breached his director’s duties (ASIC appealed this decision in relation to Mr Geary, but the Court’s finding in Flugge and Geary was later confirmed on appeal by the Supreme Court of Victoria’s Court of Appeal9).

Notwithstanding the case of Flugge and Geary, we have not seen any prosecutions made against directors where their company has breached a sanction made under the Cyber Sanctions Framework because the company made a ransom payment to a cybercriminal – yet.

Lavan Comment

An organisation should take serious measures to maintain adequate cyber protection.  However, should that protection fail, the organisation should consider if and when it may be prepared to pay a ransom to a cybercriminal.

If your organisation is currently considering whether to pay a ransom or it is in the middle of conducting a review of its cyber crisis management plan, and you are concerned about whether or not there may be a risk of inadvertently breaching any Australian laws, feel free to contact Iain Freeman, lead Partner in Lavan’s Cyber & Data Protection Team.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
AUTHORS
Iain Freeman, Partner
Jethro Schoeman, Associate

SERVICES
Cyber & Data Protection

FOOTNOTES
  1. Longo, Joe, Speech at the ASIC Annual Forum, “Navigating disruption: Setting a direction for ASIC in 2024”, 21 November 2023.

  2. See Sanctions regimes | Australian Government Department of Foreign Affairs and Trade (dfat.gov.au)

  3. See ASA s 16(4); see also UN Charter Act s 27 (4).

  4. The value of a penalty unit is prescribed by the Crimes Act 1914 (Cth) and is currently $313 for offences committed on or after 1 July 2023.

  5. See ASA s 16(9); see also UN Charter Act s 27 (9).

  6. See ASA s 16; see also UN Charter Act s 27; see also case of R v Choi (No 10) [2021] NSWSC 891 where an individual was sentenced to a fixed term of three years and six months for providing sanctioned services to North Korean entities.

  7. See ASA s 16(8); see also UN Charter Act s 27 (8).

  8. See ASA s 16(7); see also UN Charter Act s 27 (7).

  9. See Australian Securities and Investments Commission (ASIC) v Geary (2018) 126 ACSR 310; [2018] VSCA 103