World-first ransom reporting laws mean a rewrite of the cyber playbook

Ransom payments can no longer be made in the shadows, free from scrutiny, after Australia became the first country to require that sums paid to cybercriminals be reported to the government.  

Ransomware victims must name any third-party negotiator, and detail the size of the demand and communications with the criminals. Fines of almost $19,000 could apply for non-reporting.

The new ransomware payment reporting obligation, introduced on May 30, means cyber incident response and business continuity playbooks must be updated.

Willis cyber and technology industry leader for the Pacific Benjamin Di Marco says the change increases regulatory and business risks, because paying ransoms without proper due diligence can result in legal dangers for directors.

“What Australia’s done here is actually quite novel and unique,” he tells insuranceNEWS.com.au. “It adds more complexity and you’ve got to be more carefully considered if you are looking to pay a ransom.

“You’ve got to start thinking about it very early on because, ultimately, you’re going to have to share information. It’s going to be part of the fabric of what you’ve got to work through when you’ve got a ransomware event.”

Some parts of Europe have outlawed ransom payments, but Australia has stopped short of that. It has instead required notification within 72 hours of any payment by organisations with annual revenue above $3 million, or those responsible for critical infrastructure.  

“It’s a devilish problem – these bad actors and how you manage the way you’re going to respond,” Mr Di Marco said.

“All sorts of jurisdictions are dealing with similar challenges ... [criminals are] extorting and doing all this damage within the economy.

“Part of [the response] is having the information of what they’re doing and how they’re behaving, so in that sense, I think [the new law] is quite important.”

Although the ransom payment reports cannot be used in prosecutions, directors will need to be fully transparent on processes and decisions made.

Experts say this means internal policies and procedures must be shored up.

“That’s the concern – it adds a greater degree of scrutiny when directors are already quite worried about their personal liabilities,” Mr Di Marco said. “It’s really important to understand your internal decision-making, the interplay that might have with insurance, and what that might mean for directors.

“That goes to the internal policies, procedures, cyber simulations or tabletops, and also how you’re thinking within an organisation of navigating innate challenges that occur during a ransom attack.”

The federal government strongly discourages payment of ransoms, and Mr Di Marco believes the new scrutiny is “likely to have a chilling effect” on caving to criminal demands.  

“They want to strongly discourage these payments, and getting visibility over who the threat actors are and how they’re being paid – it definitely has a focus on sovereign resilience, because if we know more about that, those apparatuses can be more effective.”  

Willis urges clients to reconsider their insurance programs, examining how policies respond to “consequential” ransom payment risks such as sanctions laws, terrorism financing, money laundering and criminal provisions.

Communications need to be overhauled, and requirements of the new obligation embedded in scenario role-playing. An overall strategy document should state how organisations intend to meet mandatory notification, being mindful of restrictions on the use and disclosure of reported information and directors’ personal liability risks.

Simulated exercises should explore how entities will navigate the obligation alongside overall strategies to address cyber extortion attacks and resilience.

Underwriting agency Coalition says 44% of policyholders that suffered ransomware attacks last year opted to pay the demand, and its response service negotiated payments down by an average of 60%.

In recent years, advances in cyberattack mitigation and resilience have driven down ransom payment rates.  

Reliable data back-ups, for example, give threat actors less “pull”.  

“Ransom has always been a payment of last resort in this space,” Mr Di Marco said. “If a business can recover in a different way, they’re normally much more inclined to do that.”