In light of the risks that are brought about by companies and individuals that choose to pay cyber ransoms, the government has taken a non-payment stance and even legislated to prohibit the payment of cyber ransoms in particular circumstances. 

Ms Tan discussed a dilemma currently at the fore of legislation being created around the payment of cyber ransoms: should the government prohibit payment of cyber ransom by victims and insurers?

There is the need to consider the impacts of such strict prohibitions, Ms Tan highlighted.

“In my view, if we were to ban ransom payments now — I would say it won’t solve the problem, and the current ecosystem is simply not ready,” she said. 

“Increasingly, ransom payments are made only under the most exceptional circumstances.

“For instance, the victim may not have any back-ups or data recovery methods, such that paying the ransom may be the only way to retrieve the data necessary, otherwise they go out of business.”

Uplifting cyber resilience

VIEW ALL

“Reforms need to focus on uplifting the cyber resilience of Australian organisations,” Ms Tan highlighted. 

“The real problem in my mind isn’t the payment of the ransom, but the cyber posture and resilience of a lot of these organisations under tech who have no choice but to consider the payment of ransom.”

“Focusing on ensuring organisations are not in this position in the event of cyber attack or ransomware attack is key.”

Ms Tan outlined that reforms could be introduced that provide support, including monetary support, to organisations.

Ms Tan outlined the kinds of measures that should be taken by companies: “investing and implementing risk mitigation measures, like making sure data is backed up offline, improving staff training, doing risk assessments, and implementing a sound credential management policy to prevent any unauthorised access”.

Ms Tan continued: “Make sure network segregation and segmentation is a part of every organisation and, most importantly, ensure that every organisation actually have a restoration plan to ensure that key assets can be recovered without having to pay the ransom.”

Upskilling

“The World Economic Forum recently highlighted that there are two major issues that need to be addressed in the cyber security industry,” Ms Tan highlighted.

“First, there is a global cyber security skills gap, and secondly, there’s a lack of diversity in the cyber security workforce.”

“Further reform should encourage the build-up of the cyber security workforce with the necessary skills,” she said. 

“The cyber security skills gap has a negative impact on organisations and increases the likelihood of security breaches and the loss of money and reputation.”

“By introducing reforms to make cyber security training more accessible, particularly to people from underrepresented groups, uplift the cyber security workforce and their skills may actually assist in filling the cyber security skills gap.”

“This, in turn, will enable the cyber resilience and maturity of Australian organisations to be uplifted more quickly,” she stated. 

“This would strengthen the way in which Australian organisations can respond to cyber threats in the future and ultimately bring us to the situation where we don’t even need to consider the question of making the ransom payment.”

The role of legal practitioners

“It’s really important for both private practice as practitioners ourselves and our clients to get on the front foot,” Ms Tan explained. 

“This might take the form of working on simulations of a ransomware attack or a cyber extortion scenario and actually work out what I call a cyber extortion response plan.”

“It’s important not only for an organisation to have a policy of whether or not they will pay but also the policy must address the exceptional situations where they may consider paying,” she said. 

“One of the issues in crisis mode is that time is of the essence, and you’re often in a situation where you have to make quick decisions with limited information.

“The role of a practitioner is there to help the client guide them to make the best possible decision.”

“Pre-incident planning is so important both for the practitioner as well as the clients so both the client and the practitioner are ready and not anxious during the actual crisis situation,” she highlighted. 

Best practice for legal practitioners

“The first thing for best practice is you need to have a cool head as a practitioner in this area,” Ms Tan explained. 

“Very often you are facing both an emergency for the business as well as clients who are extremely agitated, anxious, and possibly facing not only a loss of the business but [also] a huge loss of reputation.”

“As a practitioner in this area, you’re not just advising on the law, you are really also that trusted advisor, that counsellor for the client to hold their hand through such situations,” she said.

“There are so many different laws, and the laws here in this area, they’re constantly changing.

“It’s not just cyber laws or cyber payment laws, it’s also the privacy laws that we’ve seen. The reforms have been coming fast and hot.

“As a practitioner, you need to be flexible. You also need to draw on a broad base of laws, which means that you need to be sure that you continually educate yourself,” she said, “and not silo yourself to a particular area — I realised that as a cyber lawyer, I also need to be quite across criminal laws”. 

“Lastly”, she said, “we have a great opportunity to be part of this law reform”.

“There are opportunities to provide submissions and to have a say with industry consultations. 

“Also, to participate in industry think tanks or any other industry groups in order to discuss these matters because they’re not easy questions. They’re complex as you know, and they require different brains seeing the same problem from different angles in order to find the best solution,” Ms Tan added.