‘Blanket ban’ on ransomware payments not beneficial, says lawyer

A partner at Hicksons Lawyers has cautioned against banning companies from paying a ransom if they’re subject to ransomware but asked for clarity on how to manage this threat.

In April, Latitude Financial announced that it would not “reward criminal behaviour” by paying a ransom to the cyber criminals that stole client data stored by the company in mid-March.

It reasoned that paying the ransom would spur further criminal activity and place more Australian businesses at risk.

According to a company statement, around 7.9 million driver’s licences from Australia and New Zealand and 53,000 passport numbers were stolen during this breach. The breach triggered debates on whether the Commonwealth should introduce new legislative frameworks to govern ransomware payments to hackers.

Ahead of her session at the inaugural Cyber Security Summit 2023 about Australia’s cyber security posture amid global threats, Hicksons Lawyers partner Persia Navidi advised against issuing a “blanket ban” on paying the ransom until there is further clarity on ransomware policies and what position a business should take.

“This issue of ransomware attacks is high on the agenda for the government at the moment,” she told Cyber Security Connect.

“We’ve seen large-scale attacks over the last 12 months. But we don’t yet have clarity in Australia and globally around how we combat and manage this threat if a business is subject to ransomware attacks.”

Ms Navidi — who specialises in insurance law and litigation and has acted in a range of cyber matters — pointed to the Insurance Council of Australia’s submission to the 2023–2030 Australian Cyber Security Strategy consultation, in which it urged the government to evaluate the move to outlaw paying cyber ransom demands with caution, and instead look to set standardised cyber security requirements for businesses.

Insurance companies would stand to lose if ransomware payments became illegal, as many provide coverage for ransom demands in the event of a cyber attack, something council managing director and chief executive Andrew Hall admitted.

VIEW ALL

“It’s not a black and white issue, and I’m not saying that there should be a ban on ransomware,” Ms Navidi stressed.

“But I think one of the questions we have at the moment is whether paying a ransom is legal. Arguably, in certain circumstances, paying a nation that has sanctions against it is already illegal under certain existing legislation.

“But in certain other circumstances, there may be exceptions where it is necessary for a ransom to be paid, especially if there is a threat to life or the business. It might be more beneficial for the business to pay the ransom than incur the costs of losing everything, particularly if it’s a small business. The decision to pay the ransom should stay with the victim right now until there’s further clarity around policy.”

‘Information is power’

When asked what aspects of the policy require clarity, Ms Navidi explained that it is currently not clear who is paying the ransom and how it is being paid.

“This lack of clarity creates a vague picture for everyone,” she said.

One suggestion, Ms Navidi noted, is potentially having a portal or system where ransom payments and requests are reported, which provides invaluable visibility and transparency across the board.

If the government could access this information, it could gain clarity on how prevalent ransomware is, what sorts of organisations are likely to be targeted, and which ones are likely to pay the ransom, she said.

“But a blanket ban or making it illegal could deter businesses from reporting this information,” Ms Navidi said.

“Information is power in these circumstances, so something to do with reporting could be beneficial. Others have suggested this too, and I would support that too.”

In a recent opinion piece, Cyber Security Connect editor Liam Garman said that while the push towards banning ransomware payments is “admirable” and marks an inflection point with the government taking the issue seriously, he cautioned that success would be dictated by the structural details that make businesses more resilient and government agencies more adaptable.

To gain more insights from Persia Navidi on the international cyber crime trends that threaten the stability of governments, economies, and businesses and whether the current legal and regulatory landscape is robust enough to manage risk, come along to the Cyber Security Summit 2023.

It will be held at Hotel Realm, Canberra, on Thursday, 1 June.

Click here to buy tickets and don’t miss out!

For more information, including agenda and speakers, click here.