Chanticleer

Ransomware’s dilemma for boards

A leading law firm says directors may be found liable if a company pays a ransomware demand, and may also be in breach of their duties if they fail to pay hackers a ransom.

There are two schools of thought about how business should respond to cyber criminals demanding ransom payments in return for access to frozen computer systems or the return of stolen data.

Experienced company directors with a background in law want to put pressure on the federal government to make Australia the first country in the world to criminalise ransomware payments.

To report or not to report a ransomware attack: company directors could be damned if they do, and damned if they don’t. David Rowe

This would end the confusion and uncertainty that surrounds any corporate decision to pay a ransom to a cyber criminal.

Also, making ransomware payments illegal would give directors protection against potential class actions.

On the other hand, technology executives experienced in dealing with cyber crime are taking a more pragmatic approach. They argue directors should weigh up the potentially enormous costs of not paying against the size of the ransom, and make a commercial decision.

They say directors should have the discretion to pay ransoms, which would mean leaving in place the murky situation where directors can shop around for legal advice to suit their final position.

This thinking is based on the bizarre idea that there is honour among thieves, that cyber criminals will act in good faith, and one ransom payment will not lead to a demand for another.

There is a third group of directors who believe it is best to say nothing about cyber attacks and never reveal whether a ransom payment has been made.

This position is being made increasingly untenable by federal government moves to force companies to disclose cyber attacks, such as the Critical Infrastructure Bill.

The ransomware debate is complicated by the fear among non-executive directors about the consequences of speaking up.

There is a genuine belief that any robust public call for criminalisation of ransomware will inevitably be met with cyber attacks from criminal gangs and possibly nation states.

Chanticleer sought clarity on the legality of paying a ransom from Rob Hanley, a partner in Ashurst’s legal governance advisory division, and his colleague John Macpherson, a director of the firm’s risk advisory practice.

“The current legal position of directors of listed companies is completely untenable,” Hanley says.

Terrorist financing

“Payment of a ransomware demand may be a criminal offence – both for companies but also for directors, either through aiding and abetting or in their own right.

“In certain circumstances, making a ransomware payment could be an offence under UN sanctions laws, it could be a money-laundering offence, or it could be a terrorist financing offence under the Criminal Codes.

“Directors in Australia could themselves be held liable under the US Patriot Act, which has extraterritorial effect in some cases.”

Hanley, Macpherson and Ashurst lawyer Maxine Viertmann have just published a paper describing the murky legal position and recommendations for achieving legal clarity.

“As the law currently stands, payment of a ransom without consideration of the legal implications may lead to a director being found personally liable for the company’s offence as a result of ‘stepping stone liability’, a construct the Australian Securities and Investments Commission has used to find directors liable for failing to prevent a company’s contravention where a foreseeable risk of harm was present,” the paper says.

Class actions

“Directors must have a sufficient level of knowledge of ransomware risks so that they are able to challenge and assess the decisions of management.

“Conversely, if the company does not pay a ransom and, as a result of not doing so, the company suffers loss and possibly a significant drop in its share price, directors could face a class action or other shareholder action alleging a breach of their duty to act in good faith in the best interests of the company.”

Home Affairs Minister Karen Andrews has indicated in the Ransomware Action Plan that the federal government will pass a law making it a criminal offence to make a ransomware demand.

But the plan is silent on the legality or otherwise of paying a ransom.

“The government could go one or two ways,” Hanley says.

“It could either clarify the existing defences, so the directors at least know if they do or don’t pay, what defences are available. And our preferred view is that they should legislate specifically to make the payment of a ransom illegal as well.”

Tax-deductible

Hanley says the government could provide financial incentives to ensure that companies have proper cyber-security systems and processes. For example, in the US there was an idea floated that cyber prevention costs could be tax-deductible.

Macpherson says there is a dangerous misconception that paying a ransom is an effective and an economically rational decision.

He says there are credible reports that show that fewer than 8 per cent of companies globally retrieved all of their stolen data after paying a ransom.

“The key reason why ransomware risk continues to evolve and exponentially increase is because ransomware payments fund profits that are then used by organised criminals to create better technology,” he says.

“And that doesn’t really align with corporate values.”

One leading company director summed it up well when asked about the dilemma facing boards confronted with a ransomware demand.

“This concept of making ransomware illegal solves the problem because if I’m going to go to jail for doing it, it certainly focuses the mind,” the director says.

Tony Boyd is the former Chanticleer columnist. He has more than 35 years' experience as a finance journalist. Email Tony at tony.boyd@afr.com
