
‘Catastrophic damage’: AGL warns of a government-imposed cyber ransom ban

AGL Energy says a proposed federal government ban on paying cyber ransoms could harm communities, cost lives and disrupt essential services.

AGL chief executive Damien Nicks. Picture: Jane Dempster

Power giant AGL Energy has warned against a plan being mulled by the federal government to ban the payment of cyber ransoms, declaring that such a move may result in potential loss of life and “catastrophic damage”, according to a submission made to an overhaul of Australia’s cyber security strategy.

The company, whose board was recently shaken up by Atlassian tech billionaire and activist investor Mike Cannon-Brookes, said that while criminals should not profit from their crimes, the payment of a cyber ransom demand “may be the only path to achieving acceptable outcomes”.

Finance provider Latitude this month rejected a ransom demand from criminals behind what has become the nation’s biggest cyber attack. It was a move welcomed by the Albanese government. Last year Medibank also refused to pay a cyber ransom.

In its submission to the government’s 2030 cyber strategy, AGL said banning paying ransoms “may result in potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”.

The company also rejected calls for the obligations of company directors to be expanded to specifically address cyber security risks and consequences.

It said that existing directors’ duties already require directors to take all reasonable care and steps to ensure that business risks are appropriately understood and mitigated against, including cyber security.

The electricity provider was hit by a cyber incident in December and about 6000 customers were affected.

“Based on current analysis it appears malicious actors have used stolen credentials acquired externally (such as usernames and passwords used elsewhere by customers) to log into a number of customer accounts,” AGL said in a statement at the time.

Mr Cannon-Brookes won a battle to shake up AGL’s board last year and all four of his proposed directors secured seats in November.

Mike Cannon-Brookes at Atlassian’s Team23 Summit in Las Vegas last week.

As Australia continues to count the cost of two of the most significant data breaches in the nation’s history, which crippled Optus and Medibank late last year, the government’s upcoming strategy has a stated goal of making Australia the most cyber secure nation by 2030.

Home Affairs received more than 280 submissions and officials will now use the responses to weigh key considerations for the strategy, balancing questions of how to reduce the volume of cyber attacks and minimise harm to Australians and the nation’s critical infrastructure.

The Australian Institute of Company Directors said it did not support efforts to ban the paying of cyber ransoms.

“The AICD is not convinced that a strict legislative prohibition on the payment of ransoms and extortion demands by either victims or insurers is appropriate,” it said.

“Although we support the government clarifying its position with respect to payment of ransoms and the circumstances in which this may constitute a breach of Australian law.

“We also consider there is a pivotal role for government to play in providing enhanced guidance and support to entities in respect of ransomware and extortion demands.”

Like AGL, the AICD rejected calls to widen directors’ responsibilities to include cyber security.

“Australia’s existing corporations law and directors’ duties provide a comprehensive and clear legal framework that obliges directors to effectively oversee the management of cyber security risk and build cyber security resilience,” its submission reads.

“The AICD does not support introducing new cyber-specific director duties. There is no shortage of existing legal obligations that create a strong incentive for appropriate cyber risk management and no comparable jurisdiction has imposed a cyber duty on directors.”

Companies like AGL, Medibank and Optus could face fines of up to $50m for “serious” or “repeated breaches” after the federal government passed legislation last year.

Meanwhile, the peak body for software firms, the BSA Software Alliance, said the federal co-ordinator for cyber security – recently announced by minister Clare O’Neil – should be granted new powers including the ability to oversee and direct the cybersecurity policies of all government agencies.

“For example, all government agencies should be required to seek the endorsement of the new co-ordinator before implementing any new cybersecurity policies or adjusting existing ones, thereby reducing instances of agencies imposing obligations without regard or consideration for the wider cybersecurity landscape,” it said in its submission.

Several attendees at a February industry roundtable hosted by Prime Minister Anthony Albanese and Ms O’Neil as Home Affairs Minister told The Australian there was broad agreement in the room for greater co-operation between government and industry, and for avoiding heavy-handed regulations that may unfairly burden businesses.

The strategy has four broad objectives, including creating a secure economy and thriving cyber ecosystem; secure and resilient critical infrastructure and government sector; sovereign and assured capability to counter cyber threats; and collaboration with neighbouring countries to lift cyber security and build a cyber resilient region.

Work on the new strategy, which is set to be released by the end of the year, is being led by former Telstra chief executive Andy Penn, with support from RAAF Air Marshal Mel Hupfeld and Rachel Falk of the Cyber Security Co-operative Research Centre.

Former Telstra chief Andy Penn. Picture: Nicki Connolly

“As we’ve all seen the level of digital adoption increase dramatically over several years as a consequence of Covid, the flip side of that is, unfortunately, the level of malicious activity and the risk of further malicious actors only increases,” Mr Penn told The Australian in a recent interview.

“So now is a very important time to see if we can’t give ourselves a really big ambition of making this the most cyber-secure nation by the end of the decade.”

Ms O’Neil said the upcoming strategy would examine how all parts of government should better co-operate to protect Australians from cyber threats.

“The cyber threat is growing every day. As a government, we are committed to increasing Australia’s national cyber resilience and capabilities in tackling these threats, on the road to becoming a world leader in cyber security by 2030,” Ms O’Neil said.

Originally published as ‘Catastrophic damage’: AGL warns of a government-imposed cyber ransom ban


Original URL: https://www.thechronicle.com.au/business/catastrophic-damage-agl-warns-of-a-governmentimposed-cyber-ransom-ban/news-story/06042ca150a654e0e6565344c92d71bb