Lockton flags rising ransomware risks for Australian businesses

By Roxanne Libatique

Lockton has issued new guidance for Australian businesses navigating ransomware incidents, urging a methodical evaluation of payment options, legal risks, and cyber insurance coverage.

As ransomware attacks become more frequent and complex, Lockton said companies need a clear framework for responding to cyber extortion events without compromising regulatory or contractual obligations.

Drawing from international counter-ransomware recommendations, the firm’s advisory noted that decisions around ransom payments should involve risk managers, legal counsel, insurers, and cyber security professionals.

The emphasis is on aligning crisis response plans with cyber insurance terms and ensuring decisions reflect broader organisational risk management goals.

Non-payment poses recovery and data exposure risks

Governments, including Australia’s, generally oppose ransom payments due to concerns that these transactions incentivise further criminal activity and destabilise the broader cyber threat environment.

Lockton pointed out that even when payments are made, outcomes are uncertain. Decryption keys provided by threat actors may not work, and there are no assurances that stolen data will be deleted.

In some investigations, such as those involving the LockBit group, authorities found that attackers retained sensitive data despite having received payment. These findings highlight the reputational and regulatory risks associated with ransom negotiations.

When payment is considered

In certain scenarios – especially where operational disruption is severe and data backups are compromised – organisations may weigh the cost of paying the ransom against extended downtime.

Lockton recommends consulting forensic and crisis response specialists to evaluate technical feasibility and potential legal exposure before making any payments.

The firm noted that while ransom payments may sometimes appear more cost-effective than business interruption losses, they do not guarantee immediate recovery. Restoring full system functionality often takes weeks, and payment alone is not a remedy for systemic vulnerabilities.

Cyber insurance may offer partial financial protection for forensic services, negotiation costs, or restoration efforts, but policies vary significantly.

Brokers are encouraged to ensure clients understand what is covered and to clarify any exclusions related to ransom or reputational losses.

Insurance and breach response coordination

Lockton emphasised the importance of notifying insurers promptly following a ransomware event.

Many policies provide access to vetted incident response vendors, including forensic investigators and negotiation teams. These specialists can assess the scope of the breach, advise on containment, and, where appropriate, engage with attackers to verify that a decryptor actually works (for instance on sample encrypted files) before any payment, or to reduce the ransom demand.

Legal advisors should also be engaged early in the process to ensure all contractual, regulatory, and disclosure requirements are met.

Brokers have a key role in facilitating these steps and supporting clients throughout the breach response lifecycle.

Prevention remains critical to resilience

Lockton reiterated that strong cyber hygiene is essential in reducing the likelihood and impact of ransomware attacks. Recommended practices include:

  • Maintaining secure offline backups
  • Enforcing multifactor authentication
  • Minimising unnecessary system access
  • Implementing timely software updates

These recommendations align with findings from Beazley’s 2025 Risk & Resilience report, which noted a rise in concern among executives regarding cyber threats.

Despite 29% of respondents identifying cyber risk as their top issue, 83% said they felt prepared, a level of confidence that Beazley cautioned may not reflect actual organisational readiness.

Separately, Aon’s 2025 Cyber Risk Report identified reputational and financial consequences of ransomware attacks, including a 27% average drop in share value for companies that experienced public and media fallout.

The report highlighted that firms with pre-established crisis plans and leadership protocols tend to recover more quickly.
