He says the survey found the average amount a business was willing to pay was about $690,000. But the actual amount paid is closer to $1 million, and he knows of at least one payment exceeding $10 million.
Hopkins says the ransomware threat can be divided into two categories: an intruder encrypts all operating systems and asks for a payment to allow them back online, or the encryption is accompanied by the theft of information that will be released publicly unless there is an extortion payment.
Legal constraints
Sutton says boards of directors face tricky legal issues including their obligations to notify certain government entities of a cyberattack. They might have to notify the Privacy Commissioner or, potentially, foreign privacy commissioners.
A listed entity might have disclosure obligations to the ASX, or they might have to tell customers and suppliers in very short time frames. Mandatory disclosure is now enforced by the Security of Critical Infrastructure Act for all companies classified as offering critical services.
She says boards need to know the legal constraints when faced with the choice of whether to pay a ransom.
A company cannot pay someone in a sanctioned…