Cybersecurity 2025

AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

use of the significant cyber-incidents sanctions regime established on 21 December 2021. Since then, four more individuals have been added to the list for their involvement in LockBit and Evil Corp cybercrime groups. Financial sanctions under the Sanctions Act now make it a criminal offence, punishable by up to ten years’ imprisonment and heavy fines, to provide assets to designated individuals or to use or deal with their assets, including through cryptocurrency wallets or ransomware payments. The designated persons are also banned from travelling to or remaining in Australia.

Although ransomware payments are not illegal, the juncture between cyber sanctions and ransomware payments requires further consideration. Currently, the Department of Foreign Affairs and Trade (DFAT) encourages all such payments to be reported (mandatorily or voluntarily), and states that such disclosure “would be taken into account in any decision to pursue any enforcement or compliance action”.

The crossover between cybersecurity and sanctions has continued to increase. DFAT has identified in their Advisory Note – Democratic People’s Republic of Korea (DPRK) information technology (IT) workers (14 December 2024) a recent tactic by the Democratic People’s Republic of Korea (DPRK) to deploy thousands of information technology professionals to seek remote employment (posing as non-DPRK nationals) to illicitly finance the DPRK and circumvent sanctions.

At a time when many industries are looking to establish cybersecurity structures and compliant procedures, more and more are hiring or outsourcing these services (some reports suggest 76% of leading global businesses do so),

potentially making them more vulnerable (eg, accessible, desperate) to other legal risks.

ASIC mandate

In November 2023, the chairperson of the Australian Securities and Investments Commission (ASIC), Joe Longo, stated that ASIC’s priority for 2024 would be addressing governance and breach of directors’ duties following the results of ASIC’s 2023 Cyber Pulse Survey. As a snapshot, the survey found significant gaps in Australia’s corporate security, with:

• 44% of participants failing to manage cyber-risks posed when dealing with third parties;
• 58% of participants having limited or no capability to adequately protect confidential information;
• 33% of participants not having a cyber-incident response plan; and
• 20% of participants not having adopted cybersecurity standards.

This was speculated to include ASIC prosecuting directors or officers for breaches of directors’ duties concerning cybersecurity breaches. However, there was limited outward action on this front in 2024.

Nevertheless, a change may be afoot. At the ASIC Annual Forum on 14 November 2024, the ASIC deputy chairperson, Sarah Court, confirmed ASIC is “considering a range of matters where we consider [financial services and credit] licensees may have not adequately prepared for [cybersecurity] events”. There, Court announced that ASIC’s 2024 priority of action against financial service licensees who fail to comply with reporting obligations was out, to make way for ASIC’s new 2025 priority of action against financial service and credit licensees’ failures to have adequate cybersecurity protections. One
