New laws proposed as ransomware threat intensifies
Proposed regulatory changes to deter the ‘tidal wave’ of ransomware attacks may have governance and risk implications.
A Private Members’ Bill introduced to Parliament on 21 June proposes a mandatory ransomware disclosure scheme that would apply to all listed and unlisted companies, excluding small businesses, sole traders, unincorporated entities, and charities.
In his second reading speech, Shadow Assistant Minister for Cyber Security Tim Watts, who sponsored the Bill, referred to a ‘tidal wave of attacks’ that are becoming ‘an intolerable burden on Australian organisations’.
Governance Institute of Australia understands the Bill is designed to prompt debate on the issue, with the Federal Government reportedly considering a similar scheme although they are yet to make a policy commitment.
What is ransomware?
As defined in the Bill’s explanatory memorandum, ransomware is ‘malicious software used to deny access to an organisation’s IT systems and/or to threaten the release of private data unless a ransom is paid’.
‘Double extortion’ ransomware is reportedly on the rise, where hackers demand a second ransom payment in return for not releasing the sensitive data stolen during the initial attack. CyberCX, an Australian and New Zealand-based cybersecurity firm, reports some hackers are starting to demand ransoms from customers of hacked firms, in exchange for not releasing their sensitive personal data.
The Australian Cyber Security Centre (ACSC) recently warned that the aged care and healthcare sectors are seen as “lucrative targets”.
The proposed changes may have an impact on several areas where the ransomware threat intersects with key governance and risk issues, including:
- Data and cybersecurity governance frameworks and policies
- Director’s duties
- The skills composition of the board
- Insurance policies
- Regulatory compliance programs
- Data breach reporting
- Anti-money laundering (AML).
Proposed new regulations
The Ransomware Payments Bill 2021 (Cth) would require any business or Commonwealth Government entity that makes a ransomware payment to give written notice “as soon as practicable” to the Australian Cyber Security Centre (ACSC), including the amount of the payment and any known information about the hackers.
The invention of Bitcoin and other cryptocurrencies, which are difficult to track, is understood to be driving the proliferation of ransomware attacks. The Bill acknowledges this by requiring the notification to include “the cryptocurrency wallet etc. to which the payment was made”.
No specific time periods are specified for notification. Businesses that failed to report ransomware payments would risk fines of up to $222,000 (1000 penalty units).
A similar scheme requiring data breach notifications to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in 2018.
A range of authorities have recently issued guidance on ransomware attacks, including:
- Australian Cyber Security Centre and Australian Signals Directorate.
- Australian Digital Health Agency.
- The UK’s National Cyber Security Centre.
- New York State’s Department of Financial Services.
- Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Centre (MS-ISAC).
- CISA, MS-ISAC, the National Governors Association and NASCIO.
- The US-based Institute for Security and Technology’s Ransomware Task Force.
- US Department of Treasury’s Office of Foreign Assets Control (OFAC).
- US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN).
- Canadian Centre for Cyber Security.
Many guides and resources recommend a layered or multi-pronged, risk-based approach. Common recommendations include:
- Appropriate and rigorously tested backups of data.
- Policies and procedures to ensure software is regularly patched and updated to latest available versions.
- Training for employees in cybersecurity awareness, especially phishing.
- Preventative security solutions such as multi-factor authentications and strong passwords.
- Systems to detect intruders.
- Ransomware-specific incident response plan.
- Cyber incident exercises.
- Cyber insurance.
The ACSC recommends that Australian organisations infected with ransomware seek assistance in the first instance by calling 1300 CYBER1 (1300 292 371).
To pay or not to pay
A growing number of law enforcement authorities and regulatory agencies recommend that companies avoid making ransomware payments, including the Australian Cyber Security Centre and the US Federal Bureau of Investigation (FBI).
US Treasury’s FinCEN warns that ransom payments may interact with anti-money laundering (AML) and terrorism funding legislation and financial sanctions imposed on rogue states.