Ransomware Incident Response Plan: Guide for Australian organisations in 2022

Lockton has observed an increasing number of ransomware attacks in Australia, and the size of ransom demands is skyrocketing. When a ransomware incident occurs, many organisations are caught by surprise and struggle to know what to do or where to look. This has significant implications for the impact of any given ransomware incident and for an organisation’s ability to recover.

Lockton’s guide, prepared in partnership with Clyde & Co, has been produced to help organisations better understand and respond to ransomware attacks as part of their incident response plan.

From before the incident to post incident, this guide is essential for any organisation in Australia.

What’s in the guide?
• What is a ransomware attack and where is the risk?

• The ransomware landscape in Australia

• The global ransomware landscape

• Average ransomware payments

• Insurance cover available for ransomware

• How an insurance policy is triggered

• How should an insurance policy respond to ransomware?

• Contractual considerations and issues which need to be considered when notifying an incident

• What sanctions implications are there when considering ransomware payment?

• Role of different stakeholders when coordinating a ransomware claim

• Ransom payment considerations

• What happens when an organisation engages with a threat actor without paying the ransom?

• What if an organisation doesn’t engage with a threat actor?

• How are ransomware payments made?

• Ransomware payments and cryptocurrency

Examples of five insights shared
1. How is an insurance policy triggered?

Firstly, the incident must be handled in accordance with the insurance policy’s claims and loss reporting requirements, in addition to notifying the relevant authorities. Failing to do so may result in challenges to payment of the claim.

Organisations must carefully examine their insurance policies’ terms, exclusions and conditions, including limits and sub-limits. Organisations that understand these before an incident occurs will be best placed to determine whether coverage will be triggered. For example, some insurance policies contain a specific ransomware exclusion. Each policy will also set out the types of costs that may be recoverable.

2. New ransomware notification requirements

As part of its ‘Ransomware Action Plan’, the Australian government has announced it will introduce a mandatory ransomware incident reporting framework, which will require organisations that suffer a ransomware attack to report the incident to the government. The government has also proposed legislative reforms which will enable law enforcement to investigate and seize ransomware payments (although it has not explained in what circumstances such action will be taken). This law reform agenda remains under close review. Notification is just one of the many considerations organisations now need to be aware of and prepared for.

3. What sanctions implications are there when considering ransomware payments?

Although Australia does not currently have any laws that explicitly prohibit the payment of ransomware demands, organisations should consider the potential operation of Australian and international sanctions laws when making any payment of a ransom demand. Given the criminal nature of cyber-attacks, the jurisdictions in which they take place, and links to terrorist/organised crime groups, payment of a ransom carries a high risk of sanctions breach.

4. What is the role of different stakeholders in coordinating a claim?

In the first instance, every organisation should establish a clear decision-making framework for handling ransom payments. This framework will involve a diverse range of stakeholders with varying roles and responsibilities.

For example, Lockton recommends organisations engage experienced and proven external legal counsel who specialise in cybersecurity and data protection. This legal team can provide guidance on paying a ransom demand (even before a ransomware event occurs), determine the best avenue for notification, and advise on further legal and regulatory considerations such as mandatory reporting and the due diligence needed to avoid breaching sanctions laws.

5. How are payments made?

It’s important for organisations to have a clear plan for how they would arrange payment of a ransom demand. Ideally, ransom payments are made through an expert third-party negotiator after sanctions risks have been considered and due diligence has been undertaken to avoid any sanctions breach.

An insurance policy may also guide decision-making on whether to pay a cryptocurrency ransom demand.

Access the guide now

Fill out the download form to access the complete guide.
