
Herbert Smith Freehills partner Cameron Whittfield says boards undecided on ransoms

Herbert Smith Freehills surveyed 122 senior lawyers at major Australian organisations who have a clear line of sight across their board and management’s preparation plan for cyberattacks.

The report comes as ASIC chairman Joe Longo warned the corporate regulator would take legal action against directors and executives who were recklessly ill-prepared for cyberattacks.

Last year health insurer Medibank and telecommunications provider Optus fell victim to major data hacks and ransom demands for $15 million and $1.5 million respectively. Both companies declined to pay.

Law firm HWL Ebsworth was targeted by Russian gang BlackCat in April, with the hackers publishing a 1.4 terabyte tranche of confidential client information online after Australia’s largest legal partnership refused to pay a ransom.

While there’s no law against paying a ransom, in some situations it could be an offence if the payment breached terrorism finance laws, or was paid to a sanctioned organisation.

Recent hacks have triggered a debate over whether ransomware payments should be banned, and the federal government is considering introducing mandatory reporting of ransomware or extortion demands to regulators.

A quarter of the respondents said their company had been hit by a cyber extortion threat. Of those, only 11 per cent met the hackers’ demands and paid a ransom.

Mr Whittfield said the decision to pay a ransom would ultimately come down to the details of the attack but boards should consider how they would act in the best interests of the company if facing an extortion threat.

A company’s response would also depend on the nature of the hack. For example, businesses are unlikely to pay a ransom demand if a hacker is threatening to release stolen data but may be open to payment if an attack shuts down critical infrastructure or endangers lives.

“I appreciate the guidance ‘do not pay’ because it exacerbates the legal criminal model; but if health, safety, and the lives of people are at stake – and that is a possibility – I hate to say it, but it would be a brave company and a brave board, not to be open to the payment decision,” Mr Whittfield said.

“My biggest concern going forward is that we may have an impact on the operations of our critical infrastructure or essential services.”

