Lockton issues ransomware response guide for Australian organisations

New framework outlines compliance and risk steps for cyber events

By Roxanne Libatique

Lockton has introduced a new decision-making guide and incident response framework aimed at supporting Australian organisations in managing ransomware and extortion incidents.

The resource is designed to assist boards, executives, and insurance professionals in navigating the legal, regulatory, and operational complexities associated with cyber extortion events.

Legal obligations and regulatory landscape

According to Lockton’s guidance, Australian law does not currently prohibit the payment of ransoms in cyber extortion cases.

However, organisations must ensure that any such payments comply with anti-money laundering (AML) and sanctions legislation.

This includes conducting due diligence to avoid transferring funds to sanctioned individuals or entities, as violations can result in significant penalties.

The Cyber Security Act imposes mandatory reporting requirements for ransomware incidents.

Entities that meet the turnover threshold of $3 million, as well as other designated organisations, must report ransomware payments within 72 hours to the Australian Signals Directorate via the cyber.gov.au portal.

These obligations also extend to payments made by third-party vendors or advisors on behalf of the organisation.

Reports must include all available information at the time of submission, with updates provided as further details become known.

Compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act is also required, mandating prompt notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach occurs.

Incident response: a structured approach

Lockton’s framework recommends a five-stage approach to ransomware and extortion events:

  • Immediate response and triage – organisations should activate protocols to protect legal professional privilege, notify key internal stakeholders, and engage external experts, including legal counsel, forensic specialists, and cyber insurance brokers.
  • Analysis and decision-making – this phase involves investigating the incident’s scope, assessing the threat actor’s credibility, and determining whether a ransom payment is legally permissible. Alternatives to paying a ransom, such as restoring operations independently, should also be considered.
  • Negotiation and communication – if negotiation is pursued, specialist services should be used. Communication strategies should be developed for both internal and external audiences, including regulatory notifications as required by law.
  • Resolution and recovery – recovery actions are implemented based on the chosen strategy, with ongoing monitoring and reporting to leadership. All actions and decisions should be documented for compliance and insurance purposes.
  • Post-incident review – after the event, organisations should evaluate the effectiveness of their response, update incident response plans as needed, and report outcomes to the board.

Board responsibilities and insurance considerations

Boards and senior executives are encouraged to confirm the legality of potential payments, establish clear decision-making processes, and ensure access to specialist advisors.

It is also important to align incident response plans with existing cyber insurance policies and claims procedures.

Regular training and simulation exercises for incident response teams are recommended to maintain readiness.

Lockton’s guidance highlights the importance of integrating cyber insurance coverage into incident response planning.

Organisations should ensure that notification requirements and insurer guidelines are followed to avoid disputes over claims related to ransom payments, business interruption, and response costs.

Global context: cyber risk trends and financial impact

Recent industry research provides additional context for the Australian market.

Beazley’s 2025 Risk & Resilience report found that nearly one-third of global executives now view cyber risk as their primary concern, up from the previous year.

Aon’s 2025 Cyber Risk Report analysed over 1,400 cyber incidents globally and found that companies experiencing high-profile cyber events with reputational consequences saw an average 27% decline in shareholder value.
