On 25th November 2024, the Federal Government passed the Cyber Security Act 2024 (“Cyber Security Act”), which requires organisations to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate. Ransomware reports are to be made within 72 hours of payment, and a failure to comply will result in a civil penalty of 60 penalty units (A$93,900). There have recently been a number of “cyber incident” sanctions imposed against certain ransomware bad actors, and breaches of sanctions laws can be a serious criminal offence, punishable by potential fines for entities of the greater of 10,000 penalty units ($3.13 million as of 1st July 2023) or three times the value of the illegal transaction.
If there has been a breach of personal information due to a ransom and extortion event, the Privacy Act may be applicable. The Act, including the Notifiable Data Breach requirements, applies to private sector organisations with an annual turnover of $3 million or more. However, certain types of businesses with less than $3 million in annual turnover are not exempt from the Privacy Act. These include health service providers, businesses that hold tax file numbers and credit reporting bodies.
Ransomware is a significant and growing threat in Australia, with the Australian Cyber Security Centre (“ACSC”) reporting that ransomware incidents accounted for 11% of all incidents in the 2023–2024 period.* Surveys suggest that close to three quarters (73%) of affected organisations chose to pay the ransom demand.*
All industries are exposed, but healthcare and financial services are among the most frequently targeted sectors due to the high value of their data and the critical nature of their operations.
* Australian Government Annual Cyber Threat Report 2023–2024
* McGrathNicol, Ransomware: A cost of doing business, November 2023
To mitigate the risk of cyber ransom and extortion attacks, organisations should consider implementing the following, in conjunction with their wider security programme and the advice received from their IT security adviser:
Extortion Expenses and Extortion Payment, when incurred as a direct result of a Cyber Extortion Threat.
Reasonable expenses incurred to repair or replace the Insured’s computer hardware that has been Bricked, solely and directly because of a Security Breach.
An amount offered by the Insured, with the Insurer’s prior written consent, for any information or other assistance leading to the arrest and conviction of any individual committing or trying to commit any illegal act related to First Party Cover 1.g. Cyber Extortion.