We are seeing a rise in sophisticated cybercriminals attacking Australian businesses, stealing their data and disrupting their operations.
A prudent board should ensure that their company’s crisis management plan includes aspects of cyber resilience.
If a company is inclined to pay a ransom to a group of cybercriminals, it should first ensure that it is not inadvertently breaking any Australian or international laws; otherwise the organisation may find itself in hot water with regulators.
There are several laws and legal risks that an organisation should be alive to before it decides to make a ransom payment to cybercriminals. However, we focus here specifically on Australia’s sanction regime.
As the world continues to digitise, we are seeing a rise in international cybercriminal groups who have the capability and the goal of hacking into Australian companies’ computer networks. Once they have gained access, these cybercriminals usually either:
Usually, these cybercriminals carry out these disruptive activities in the hope that the target organisation pays them a ransom fee, either so that the cybercriminals delete the stolen data or so that they “hand back the keys” to the organisation’s computer network.
These cybercriminals usually apply a high level of pressure to intimidate the target company for the purpose of extorting the payment of a ransom.
Representatives of the Australian Securities and Investments Commission (ASIC) have on several occasions indicated that ASIC is on the lookout for a test case to prosecute a company’s board for failing to take reasonable steps, and ensure reasonable investments are made, to enhance its company’s cyber resilience. ASIC Chair Joe Longo has stated:[1]
“As I’ve said before, cyber resilience has got to be a top priority, not just for ASIC, but for every company and every board. If things go wrong, ASIC will be looking for whether company directors and boards took reasonable steps, and made reasonable investments proportionate to the risks that their business poses, to be prepared for this kind of attack. And if we have reason to believe those steps were not taken, and directors did not act with reasonable care and diligence, we will act.”
As such, a number of prudent boards are conducting their own cyber resilience review. As part of such a review, boards should also consider their organisation’s cyber risk management framework and cyber crisis management plans.
Part of an organisation’s cyber crisis management plan should include whether the organisation is prepared to pay a ransom to a group of cybercriminals. If it is, the organisation should consider under what circumstances it will pay a ransom.
Before an organisation pays any ransom, it should first ensure that making such payment is not contrary to any laws.
It should be stressed that the Australian government’s usual guideline is that one should not pay any ransom. Further, there is no guarantee that the cybercriminal will do as they had agreed in exchange for the funds. That said, in Australia there is currently (as at the date of this publication) no strict “blanket ban” stopping a company from paying a ransom to its cyber-attacker.
However, while ransom payments are not always strictly illegal, immense care should be taken to ensure that one does not break any other laws through the payment of the ransom.
There are several laws and legal principles that an organisation should consider prior to making any ransom payment, including sanction laws, counter-terrorism laws, money laundering laws, industry specific laws, certain contractual obligations, and market specific laws, to name but a few. Here, we focus briefly on Australia’s sanction laws, but recognise that this is not the only risk.
Australia’s sanction laws are based on legislation that is put in place to limit certain individuals, states, and state actors from easily gaining access to funds, assets, and commercial deals. It is an offence of strict liability to pay money to a person or entity that is sanctioned, which means that it does not matter whether the breach was caused intentionally, knowingly, recklessly, or negligently. Previously, ASIC has even prosecuted directors personally for allowing their company to breach Australian sanction laws.
Australia implements sanctions from two legislative sources: the Charter of the United Nations Act 1945 (Cth) (UN Charter Act), which gives effect to United Nations Security Council sanctions, and the Autonomous Sanctions Act 2011 (Cth) (ASA), under which Australia imposes its own autonomous sanctions.
At times, these sanctions may overlap, but that is not always the case.
The Charter of the United Nations does not expressly define 'sanctions', but Article 41 is generally understood as providing a definition. It refers to:
'measures not involving the use of armed force', including a 'complete or partial interruption of economic relations.’
The Explanatory Memorandum to the Autonomous Sanctions Bill 2010 defines 'sanctions' as:
'measures not involving the use of armed force' imposed 'in situations of international concern', including 'the grave repression of the human rights or democratic freedoms of a population by a government, or the proliferation of weapons of mass destruction or their means of delivery, or internal or international armed conflict.'
The main types of sanctions employed by the Australian Government are:
In Australia, there are currently over 20 separate sanction regimes in force, targeting specific industries, crimes, countries and regions to various degrees.[2]
Cyber-specific sanctions may be, and have been, imposed under Australia’s autonomous thematic sanctions criteria in the Autonomous Sanctions Act 2011 (Cth) (ASA) and the Autonomous Sanctions Regulations 2011 (Cth) (together, the Cyber Sanctions Framework).
Following the passing of the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Bill 2021 (Cth), the Australian Government now has the power to impose autonomous sanctions to address particular issues (known as “thematic sanctions”) which specifically include malicious cyber activity, as well as threats to international peace and security, serious violations or serious abuses of human rights, or activities that undermine good governance or the rule of law.
The Minister for Foreign Affairs may impose a sanction under this Cyber Sanctions Framework (i.e. a cyber sanction) if satisfied that a person or entity has caused, assisted with causing, or been complicit in, a cyber incident or an attempted cyber incident that is significant or which, had it occurred, would have been “significant”. Regulation 6A of the Autonomous Sanctions Regulations 2011 (Cth) sets out the matters the Minister for Foreign Affairs may have regard to in deciding whether a cyber incident was, or would have been, significant.
Once sanctioned, a person or entity is referred to as a “designated person” or “designated entity”.
If a targeted financial sanction has been imposed on a designated person or entity, then all Australians and Australian businesses are prohibited from “dealing with” that designated person or entity.
“Dealing with” designated persons or entities includes making any asset, including money, directly or indirectly available to them.
There are currently some known ransomware actors and cybercriminal entities who have engaged in malicious cyber activity and who are now “designated persons” by way of the Cyber Sanctions Framework. These entities and individuals are listed on the Australian Sanctions Office’s (ASO) “consolidated list”.
It is an offence to contravene any of Australia’s sanction laws, with penalties ranging from a combination of:
All offences under the UN Charter Act and the ASA are strict liability,[7] meaning that contravention does not require a state of mind (such as intent, knowledge or recklessness) to establish that an offence has been committed. An individual or body corporate commits an offence if it engages in conduct that contravenes a sanction law, or a condition of an authorisation made under a sanction law.
A defence is available to a person who has contravened a sanction law if they prove that they took reasonable precautions and exercised due diligence to avoid the contravention.[8] However, it is important to note that the corporation bears the onus of proving this defence. Therefore, the corporation should take steps to build the basis for such a defence before making a payment to a cybercriminal, in case a breach should later be found to have occurred.
Directors of companies have also been prosecuted by ASIC personally for allowing their company to breach sanction laws.
In Australian Securities & Investments Commission v Flugge and Geary (2016) 342 ALR 1 (Flugge and Geary), ASIC prosecuted two directors of AWB Limited (AWB) in connection with AWB’s breach of a sanction under the UN Charter Act. ASIC succeeded against only the first of the two directors.
In Flugge and Geary, the Supreme Court of Victoria ordered that the former chairman, Mr Flugge of AWB, pay a pecuniary penalty of $50,000 and be disqualified from managing corporations for a period of five years following the Court's finding that he contravened s180(1) of the Corporations Act. The sentence followed a finding that he had breached his duties as a director of AWB in connection with payments made to the Government of Iraq while that country was subject to UN sanctions under the UN Charter Act. As part of that judgment, the Court found that Mr Flugge failed to make adequate enquiries about the propriety of the payment of inland transportation fees and, as a consequence, failed to stop AWB from engaging in improper conduct in paying the inland transportation fees to the Government of Iraq.
In that same case, ASIC failed to establish that the second director, Mr Geary, knew that AWB was making payments to Iraq contrary to UN sanctions and, therefore, the Court was not satisfied that Mr Geary had breached his director’s duties (ASIC appealed this decision in relation to Mr Geary, but the Court’s finding in Flugge and Geary was later confirmed on appeal by the Supreme Court of Victoria’s Court of Appeal).[9]
Notwithstanding the case of Flugge and Geary, we have not seen any prosecutions made against directors where their company has breached a sanction made under the Cyber Sanctions Framework because the company made a ransom payment to a cybercriminal – yet.
An organisation should take serious measures to maintain adequate cyber protection. However, should that protection fail, the organisation should consider if and when it may be prepared to pay a ransom to a cybercriminal, and what legal checks it must complete first.
If your organisation is currently considering whether to pay a ransom or it is in the middle of conducting a review of its cyber crisis management plan, and you are concerned about whether or not there may be a risk of inadvertently breaching any Australian laws, feel free to contact Iain Freeman, lead Partner in Lavan’s Cyber & Data Protection Team.
1. Longo, Joe, Speech at the ASIC Annual Forum, “Navigating disruption: Setting a direction for ASIC in 2024”, 21 November 2023.
2. See Sanctions regimes | Australian Government Department of Foreign Affairs and Trade (dfat.gov.au).
3. See ASA s 16(4); see also UN Charter Act s 27(4).
4. The value of a penalty unit is prescribed by the Crimes Act 1914 (Cth) and is currently $313 for offences committed on or after 1 July 2023.
5. See ASA s 16(9); see also UN Charter Act s 27(9).
6. See ASA s 16; see also UN Charter Act s 27; see also R v Choi (No 10) [2021] NSWSC 891, where an individual was sentenced to a fixed term of three years and six months for providing sanctioned services to North Korean entities.
7. See ASA s 16(8); see also UN Charter Act s 27(8).
8. See ASA s 16(7); see also UN Charter Act s 27(7).
9. See Australian Securities and Investments Commission (ASIC) v Geary (2018) 126 ACSR 310; [2018] VSCA 103.