Willis guides clients on ransom payment rule
New disclosure laws increase the potential for regulatory liability associated with ransomware incidents, Willis is warning clients.
On May 30, Australia became the first nation to insist that victims choosing to pay cyberattack ransoms must report the details.
Notification is required within 72 hours of any payment by organisations with annual revenue above $3 million. Those that fail to comply face fines of almost $19,000.
Paying ransoms without proper due diligence can create legal dangers for directors, says Benjamin Di Marco, Willis cyber and technology industry leader for the Pacific.
Although ransom payment reports cannot be used in prosecutions, directors need to be fully transparent on all processes and decisions made, he warns.
Mr Di Marco and colleague Leah Mooney have created in-depth reports on recent legal changes in cyber and AI.
“We have received a number of client queries about Australia’s new mandatory ransomware payment laws,” Mr Di Marco said.
“These obligations will significantly impact how many of [Willis parent] WTW’s clients plan for, investigate and respond to ransomware events, and will increase the potential regulatory and business risks associated with ransom events.
“To help our clients, we have summarised the key elements of the law and how it is likely to impact businesses and their directors ... and recommended best practices.”
The Willis team recently presented at the AUSCERT Cyber Security Conference, detailing trends in the regulation of AI systems and technology, and how organisations are approaching the technology’s implementation.