Skip to main content

Sanctions

Guidance note on cyber sanctions

Australia is experiencing an increase in persistent and pervasive cybercrime threats targeting critical infrastructure, governments, industry and the Australian community. The Government will use all lawful and appropriate levers to deter and disrupt cybercrime. Australia's autonomous sanctions framework, which is established by the Autonomous Sanctions Act 2011 and the Autonomous Sanctions Regulations 2011 (collectively, 'Australian autonomous sanctions laws') is one tool available to respond to a significant cyber incident.

This Guidance Note intends to assist with understanding:

  • Australia's cyber sanctions framework;
  • compliance obligations under autonomous sanctions law, including the need to undertake due diligence; and
  • the risks associated with making or facilitating a ransomware payment to persons or entities subject to sanctions.
     

This document only provides a summary only of relevant sanctions laws. It should not be relied upon as a substitute for legal advice. It is your responsibility to ensure you do not contravene sanctions law, including by obtaining your own legal advice.

Overview of Australia's cyber sanctions framework

Australia established a thematic autonomous sanctions framework on 21 December 2021 in relation to significant cyber incidents.

The purpose of this framework is to disrupt and frustrate the perpetrators of malicious cyber activity and not to punish victims of crime.

The Minister for Foreign Affairs may impose a cyber sanction if satisfied that a person or entity has caused, assisted with causing, or been complicit in, a cyber incident or an attempted cyber incident that is significant or which, had it occurred, would have been significant.

A cyber incident may include events that result in harm to individuals, businesses, economies or governments. The conduct amounting to a significant cyber incident or attempted cyber incident could have occurred anywhere in the world outside of Australia.

What constitutes a 'significant cyber incident' will be determined on a case-by-case basis.  Guidance is provided in the Autonomous Sanctions Regulations 2011 as to matters the Minister for Foreign Affairs may have regard to in deciding whether a cyber incident was, or would have been, significant.

Once sanctioned, a person or entity is referred to as a 'designated person' or 'designated entity'.

Who must comply with Australian autonomous sanctions laws?

Autonomous sanction laws apply to those conducting activities:

  • in Australia;
  • by Australian citizens and Australian-registered bodies corporate overseas;
  • on board Australian-flagged vessels and aircraft.

The Minister for Foreign Affairs, or the Minister's delegate, may grant a sanctions permit authorising certain activities that would otherwise contravene Australian sanctions laws, if satisfied that it is in the national interest to do so (more information is available at About sanctions).

In addition to Australian autonomous sanctions laws, consideration should also be given as to whether any activity you intend to engage in is subject to other Australian laws or the sanction laws of another country. If so, it is recommended you seek legal advice as to how those laws may impact upon the activity.

Offences for breaches of Australian autonomous sanctions laws

Breaches of Australian autonomous sanctions law can be a serious criminal offence. Sanctions offences are punishable:

  • for individuals: by up to 10 years in prison, and/or a fine the greater of 2500 penalty units ($782,000 as of 1 July 2023) or three times the value of the transaction;
  • for bodies corporate: by a fine the greater of 10,000 penalty units ($3.13 million as of 1 July 2023) or three times the value of the transaction.

The offences are strict liability offences for bodies corporate, meaning that it is not necessary to prove any fault element (intent, knowledge, recklessness or negligence) for a body corporate to be found guilty. However, an offence is not committed if a body corporate proves that it took reasonable precautions, and exercised due diligence, to avoid contravening the autonomous sanctions laws.

There are practical steps you can take to ensure you (and/or your business) are in compliance with Australian sanctions laws (discussed below).

What happens when a sanction is imposed in relation a significant cyber incident?

When a sanction is imposed in relation to a significant cyber incident, the designated person or entity is subject to targeted financial sanctions and/or a travel ban.  

Targeted financial sanctions prohibit directly or indirectly making an asset (including funds or economic resources, such as crypto assets) available to (or for the benefit of) a designated person or entity.

Targeted financial sanctions also prohibit an asset holder (such as banks or crypto exchanges) from using or dealing with an asset that is owned or controlled by a designated person or entity, or allowing the asset to be used or dealt with, or facilitating the use of the asset or dealing with the asset.

Making or facilitating a ransomware payment to a person or entity subject to a cyber sanction would be a contravention of Australia's sanctions laws. It could expose you to criminal penalties.

Travel bans prohibit a person from travelling to, entering or remaining in Australia.

Compliance obligations under Australian autonomous sanctions law

It is your responsibility to ensure you (and/or your business) do not contravene Australian cyber sanctions laws, and you must ensure that there are sufficient measures in place to avoid breaching sanctions. It is recommended that you:

  • assess your own level of exposure to Australian sanctions laws;
  • seek legal advice; and
  • put in place due diligence measures to manage any identified or anticipated risk of breaching financial sanctions.

The Australian Sanctions Office (ASO) provides a checklist on what you can do to ensure you comply with, and reduce your risk of contravening, Australian cyber sanctions laws. To mitigate your risk of breaching Australian cyber sanctions laws, ASO recommends you check the DFAT website to familiarise yourself with your obligations and undertake due diligence.

As part of your due diligence checks, it is important that you inform yourself about persons or entities connected with your proposed activity to ensure you do not contravene Australian cyber sanctions laws. To do this, you can search the Consolidated List.

The Consolidated List is a list of all persons and entities who are subject to targeted financial sanctions under Australian sanctions law. Persons listed on the Consolidated List may also subject to a travel ban.

If your proposed activity in any way involves a person or entity listed on the Consolidated List, you should consider seeking legal advice before taking further action.

The ASO is here to assist you to understand your rights and responsibilities and will work with you to prevent and address breaches of Australian autonomous sanctions laws. It cannot, however, provide legal advice or advice on the sanctions laws of other countries, and it does not mandate specific sanctions systems, controls or due diligence measures.

If you have specific questions regarding your situation, please contact the ASO at sanctions@DFAT.gov.au

Payment of ransomware demands

The Government’s focus is on pursuing and deterring perpetrators of malicious cyber activity and the sanctions are directed towards that end. The Government’s priority is to assist Australians who find themselves victims of ransomware attacks. 

While the Government strongly discourages the payment of ransoms, the focus of the cyber sanctions framework is to disrupt and frustrate the perpetrators of malicious cyber activity, such as ransomware attacks, not to punish victims of crime.

The Government encourages victims of ransomware attacks to approach it for advice. For guidance on how to deal with an attack, please consult the Australian Federal Police (AFP) and Australian Cyber Security Centre (ACSC) via the ReportCyber website.

If you suspect a ransomware payment has been made to a designated person or entity, you should also report this to the ASO as soon as possible, via email at sanctions@DFAT.gov.au through the online portal Pax.

That a victim had engaged with the Government concerning the ransomware attack and/or voluntarily disclosed the fact of the ransom payment would be taken into account in any decision to pursue any enforcement or compliance action.

IMPORTANT CHECKS

Tips to comply with Australian autonomous sanctions laws following a cyber incident

  • Has a crime been committed that needs to be reported? Report to ReportCyber?
  • Have you called the ACSC's 24/7 Hotline on 1300 CYBER1 (1300 292 371) for cyber security assistance?
  • Are the persons or entities you are dealing with sanctioned by Australia? Run a check of the names of the persons and entities on the Consolidated List, and sign up to ASO's email distribution for updates to the Consolidated List.
  • Have you sought legal advice to understand any sanctions implications for your proposed activities?
  • If you operate internationally, are there any other countries sanctions laws you need to consider?

Resources

Back to top