Ransomware and Data Extortion Attacks in Insolvency Scenarios


This article was written in partnership with Alistair Fleming, Helen Clarke, Phillip Magness and Jaana Davidsson of Johnson Winter Slattery.

Ransomware and data extortion attacks are unfortunately becoming increasingly common (see for example, high profile attacks on Canva,[1] Latitude Financial[2] and recently the Legal Practice Board of Western Australia).[3] These attacks typically involve a party (commonly referred to as a ‘threat actor’) accessing and encrypting a company’s systems, and/or exfiltrating (stealing) personal and commercially sensitive information from the company. The threat actor then threatens to destroy the key that would otherwise decrypt the impacted system(s), and/or release the exfiltrated data publicly unless its demands for payment are met.

While the identity of the threat actors, the degree and nature of the attack including the information obtained, the demands and the timeframes will vary from case to case, there will be some consistency in how boards of companies (depending on their size) should reasonably act in those instances, having regard to their statutory and fiduciary duties owed to the company.

The situation becomes more complicated, however, when an insolvency scenario is overlaid (such as a voluntary administration, receivership or a liquidation), or where the effect of the attack will itself lead to an insolvency scenario (caused by meeting the payment, or resulting from non-payment and the impact of the data release on the business or the inability to access encrypted systems). In a formal insolvency, the insolvency practitioner appointee (Insolvency Practitioner) assumes the powers and responsibilities of the directors, and the interests of key stakeholders change: the interests of creditors become paramount, as creditors are paid from any dividends from the administration before shareholders receive any return. However, fiduciary duties to the company and its shareholders remain.

In a formal insolvency, money, if there is any, is typically tight and often illiquid; further, the Corporations Act clearly lays out the creditor priorities and entitlements to any available monies. If a ransomware attack and demand is made of a company in a formal insolvency administration, many questions arise:

  • Can the insolvency appointee legally make a payment in response to a ransom demand?
  • What monies are available and can they actually be used or are they legally or beneficially entitled to others?
  • In circumstances where no cyber insurance policy responds, will a payment in response to a demand be a cost and expense of the insolvency appointee and thus rank in priority to creditor claims, or will it be a personal liability of the insolvency appointee and therefore repayable to the company?
  • Can an insolvency appointee be criticised or, worse, sued, for:
    — making a payment on a demand, or not making a payment on a demand which sees the value destruction of the company; or
    — not taking steps to ensure that personal or commercially sensitive data is adequately protected?

None of these matters have presently been considered by the Courts. However, there are many common principles which we can draw from to consider how those questions might be answered if they were, and with a view to managing and mitigating risk for Insolvency Practitioners.

Legality of Payment

It is not unusual for critical trade creditors to demand monies or more favourable terms from the insolvency appointee when they are critical to the ongoing operations of the company during the insolvency administration period (often referred to as ‘ransom creditors’). However, those are commercial discussions between trading partners.

A ransom demand from a threat actor is an entirely different story, as ransom payments may breach Australian or overseas sanction laws (depending on where any payment is facilitated) as well as other Commonwealth or state criminal laws. For example, a ransom payment could constitute money laundering,[4] a sanctions offence[5] or even a terrorist financing offence[6] (although defences are available).

Whether any payment can legally be made needs to be considered on a case-by-case basis in view of those matters. From an Insolvency Practitioner’s perspective, extreme caution should be exercised, and appropriate specialist advice taken, when considering making any payment, given the serious legal consequences of doing so and the risk of committing one of the offences described above.

Available Monies

Insolvency Practitioners will typically use existing cash to meet their remuneration, costs and expenses of the administration, which attracts a priority ranking under the statutory priorities.

While the use of monies to protect, maintain and preserve the value of the insolvent company and advance the insolvency administration will often attract priority treatment as a cost and expense of the administration, given the nature of a payment in response to a ransomware and data extortion attack, there is significant risk that such a payment will not be treated in the same way and afforded the same priority (having regard to the potential legal risks of such a payment as outlined above), potentially exposing the Insolvency Practitioner to a personal liability to the company for the payment made.

Typically, if Insolvency Practitioners are concerned about whether they will be personally liable for a liability arising during their appointment, they will seek limitation orders from the Court which make it clear that the liability is incurred in the course of and for the benefit and utility of the administration, limiting their liability to the assets and undertakings of the company, repayable as a cost and expense of the administration.

Whether such orders would be available in relation to a liability arising from a ransomware and data extortion attack is questionable, primarily for public policy reasons, as such payments could be viewed as against the public interest (noting that the Australian Government does not condone ransom payments being made to cybercriminals).[7] It also calls into question whether it is in the interests of an ‘honest and efficient’ administration to make payments to criminals, and whether the orders of the Court could be viewed as condoning or endorsing illegal conduct, undermining public confidence in the law. One can also see the tension for Insolvency Practitioners in weighing up the discharge of their duties to the creditors and fiduciary duties to the company in circumstances where, on proper consideration of the risk, the making of the payment may not be strictly illegal.

If the Insolvency Practitioner is potentially personally liable for repayment of the payment made in response to the ransomware demand, it is difficult to see why they would make that payment without creditor (and ideally shareholder) support and most likely, only with full indemnification for the payment. That being the case, the views and support of creditors, shareholders and key stakeholders will be critical and should be canvassed where appropriate. That said, the point of a ransomware attack is to be paid. Therefore, a practitioner may have a short period to determine what has occurred and the potential impact of the data being released before speaking to stakeholders (if allowed by the threat actor, or even possible).

It is also possible that a creditor, shareholder or key stakeholder may even be willing to make the payment in the place of the company. In these circumstances, the Insolvency Practitioner would still need to be clear about whether making the payment would contravene any laws, or sanction lists.

Risk of Criticism and Challenge

The key issue in most insolvencies is whether there is any value to be saved or extracted through a recapitalisation, restructure or transaction; if not, ultimately liquidation and the end of the company awaits.

Often the balance between value and no value is a fine one, so unforeseen events, which would include a ransom attack, can have a drastic effect on whether the company can be saved and restructured. This could be for a few reasons: whether the release of the data in question will be value destructive for any restructure (for example, is it valuable commercial information or intellectual property which could be exploited by competitors, or sensitive personal information, the release of which could destroy the brand and business); or whether the payment of the demand will exhaust or materially deplete existing cash reserves, making it difficult for the company to preserve its value through continued trading or for the purpose of undertaking a restructure.

In the circumstances, the Insolvency Practitioner is in a position where there is significant scope for them to be criticised, challenged or sued both for making the payment and for not making the payment, which is quite the quandary. In terms of risk management and mitigation, there are a number of things the Insolvency Practitioner should take into consideration, such as how the cyber attack, incident response and ransom demand will be managed internally, who should be notified and consulted, what protections and remedial actions can and should be taken, and whether any applications should be made to the Court to limit liability or protect them against challenge (all time permitting based on the demand deadline).

In terms of protection from the Court, having regard to the issues identified above with asking for the Court’s blessing and protection to enable an Insolvency Practitioner to make a ransom payment to a cybercriminal, the more prudent consideration is whether it is more appropriate to seek protective orders from the Court in favour of the insolvency appointee to protect them from being challenged for not making the payment. For example, an administrator could consider seeking urgent directions from the Court[8] to the effect that they would be acting reasonably and appropriately in not making the ransom payment. Given the limited time usually afforded by a threat actor, the application would likely need to be heard urgently with limited notice (if any) to interested parties, such as creditors and shareholders, who would normally seek to be heard in the proceeding. From the Court’s perspective, it would not be endorsing any criminal or dishonest actions, but rather protecting the Insolvency Practitioner (an officer of the Court) from exposure and liability for not committing a criminal or dishonest act, enabling them to continue and manage the administration honestly and efficiently without risk of liability.

What Would Reasonably Be Expected of an Insolvency Appointee When a Demand Is Made?

As would be expected of directors when making any commercial decision, Courts often focus more on the process and steps undertaken by the Insolvency Practitioner, rather than the final decision made, save where the final decision bears no resemblance to the process.

In an insolvency scenario, it would be reasonable to expect an Insolvency Practitioner to take all, or some of the following steps depending on the circumstances, time and funding available:

  • Immediately engage a reputable digital forensics and incident response provider and ransomware negotiation advisers to respond to the incident and provide valuable intelligence about the threat actor;
  • Consider voluntary notification to authorities such as the police and the Australian Cyber Security Centre (‘ACSC’), subject to any pre-notification requirements in any cyber insurance policy;
  • Assess regulatory obligations including to the Australian Signals Directorate (‘ASD’), Australian Securities Exchange (‘ASX’), Australian Prudential Regulation Authority (‘APRA’), Australian Securities & Investments Commission (‘ASIC’) and the Office of the Australian Information Commissioner (‘OAIC’) (where applicable);
  • Depending on the circumstances, time available and legal issues, engage a reputable cybersecurity crisis communications provider to notify creditors and shareholders of the attack and engage with them about the data at risk. For appointments where there is sensitive data, the Insolvency Practitioner might consider forming a creditor committee specifically to guide the administrator on the issue quickly and without the need to convene multiple formal meetings of creditors. It should be noted that there are scenarios where delayed notification is the most prudent option. This should be considered with the Insolvency Practitioner’s lawyers and (if possible) crisis communications advisers;
  • Assess notification obligations to contractual counterparties should the counterparty’s information be impacted by the demand;
  • Subject to legal and sanction list compliance, consider and consult with any creditors, shareholders or interested parties who may be willing to make the payment in response to the demand to preserve the value of the company;
  • Consider fiduciary and personal liability risk for not making the demand payment, such as making an application to the Court for directions that the administrator would be acting reasonably and appropriately in not making the demand payment, to protect the administrator against challenge from potentially affected parties; and
  • Report the data breach, its effect on the company’s financial position, the impact of making or not making the payment, and the outcome in the next report to creditors. The timing of the report will be dictated by the circumstances and the type of appointment.

It would be prudent for Insolvency Practitioners who regularly take insolvency appointments to consider and prepare a ransomware response plan to address these issues, particularly for unsophisticated businesses housing sensitive personal and/or commercial information where appropriate processes and protocols may not exist. This would be akin to, for example, existing occupational health and safety processes (‘OH&S’) used by Insolvency Practitioners for trading engagements.

There will not be ‘one size fits all’ for a ransomware response plan, but pre-planning common steps will save time when time is critical and will enable action to be taken immediately rather than time wasted planning from scratch and in a high-pressure scenario.

Should an Insolvency Practitioner Take Steps to Prevent a Data Breach?

Given the increasing number of ransomware attacks, it is not difficult to see an Insolvency Practitioner being criticised or, worse, proceedings commenced against them for failing to take adequate steps to protect personal information from a ransomware attack. It is clearly a focus area of ASIC, which commenced proceedings against FIIG Securities Limited on 12 March 2025 for allegedly failing to have adequate cybersecurity measures.[9]

While not strictly analogous, practitioners may want to consider the circumstances in Presswell Holdings Pty Ltd (‘Presswell’),[10] which is the genesis of the OH&S reviews now conducted on formal trading insolvency appointments.

An Insolvency Practitioner may want to consider undertaking a cyber review in a formal insolvency appointment to ensure that personal or commercially sensitive data is adequately protected, and to identify key security control failures and risk exposure to ransomware and data extortion attacks in insolvency scenarios. This would be particularly relevant where the appointment is over a business that holds sensitive personal, or financial data, such as (for example) a healthcare provider, or a financial services business.

While the circumstances, time and funding will dictate, an Insolvency Practitioner may want to implement some, or all of the following procedures and processes for insolvency appointments where personal or commercially sensitive data is involved:

  • Engage a cybersecurity expert to:
    — undertake a cybersecurity risk assessment to identify whether there are any significant cybersecurity risks involved with trading the business; and
    — provide a report with prioritised remediation actions required to allow the business to continue to trade and mitigate any significant cybersecurity risk exposure.
  • Obtain an understanding of the cybersecurity and technology environment, including:
    — meeting the key personnel responsible for managing the cybersecurity and technology environment;
    — any recent data breaches, or compliance issues that a prudent director would be expected to know about and whether any existing cyber insurance might respond; and
    — the internal processes for dealing with a security incident such as a ransomware, or data extortion attack and whether they are sufficient.
  • Arrange for an insurance broker to advise on whether cyber insurance is required.

If there are any serious issues identified, an Insolvency Practitioner may want to consider further specialised cyber or legal advice.

Ransomware and data extortion events are an increasing part of the commercial and regulatory world in which we operate. Therefore, Insolvency Practitioners need to have an understanding of data legislation, how data is protected, and the personal risks associated with a data breach. It is only a matter of time before an Insolvency Practitioner is involved in a major data breach (if not already) and the consequences, as seen in Presswell, could be dire.
