A new law in Australia will mandate the reporting of ransomware payments

Australia is poised to become the first country globally to mandate that companies report any ransomware payments they make to the government, as part of a groundbreaking new Cyber Security Bill introduced to the Australian Federal Parliament on Thursday.

This move comes amid heightened political focus on cybersecurity in Australia, driven by a series of high-profile cyberattacks against private firms, including those targeting Optus, Medibank, and MediSecure.

Following these incidents, the Australian government released an updated national cybersecurity strategy in November, which is projected to cost AU$587 million ($382 million) over the next seven years. This strategy aims to prevent AU$3 billion ($1.9 billion) in annual damages caused by ransomware attacks on the Australian economy.

According to the government, the new Cyber Security Bill 2024 seeks to implement seven initiatives outlined in that strategy, some of which will align the country’s legislation with global best practices, while others will introduce entirely new provisions.

One of the most significant and distinctive features of the proposed law is its reporting obligation. Every business entity above a specified revenue threshold that makes an extortion payment will be required to report that payment to the Department of Home Affairs.

The memorandum accompanying the legislation suggests that the threshold for reporting will be set at an annual turnover of over AU$3 million ($2 million). This is expected to capture around 6.56% of all registered businesses in Australia, which accounts for roughly half of the nation’s total annual turnover.

Businesses affected by a cyber incident will only be required to report to the government if they or someone acting on their behalf makes a payment to the attackers.

Those who fail to report an extortion payment within 72 hours of making it will face a civil penalty of 60 penalty units under Australia’s civil penalty system, which translates to a fine of approximately AU$18,000 ($12,000).

In a memorandum accompanying the bill, the Australian government warned, “Ransomware and cyber extortion attacks remain one of the most destructive types of cybercrime. These attacks pose a persistent threat to Australia.”

Gaining visibility over ransomware attacks and payments has been a major challenge for governments grappling with the increasingly effective cybercrime ecosystem.

“Current voluntary reporting mechanisms are underutilized, leading to significant underreporting of ransomware and cyber extortion attacks,” stated the Australian government on Thursday.

According to the Australian Institute of Criminology, only one in five victims of ransomware attacks report these incidents. Consequently, the government lacks insight into the economic and social impacts of ransomware in Australia.

Tony Burke, Australia’s Minister for Home Affairs and Cyber Security, addressed Parliament, stating, “In 2023, it was estimated that Australian businesses paying ransom in response to attacks did so at an average cost of $9.27 million. This issue must be addressed.”

“Mandatory reporting of ransomware payments will clarify how much is being extorted from businesses through these attacks, who these payments are being made to, and how.”

Other provisions of the bill include setting security standards for smart devices, such as prohibiting default passwords, similar to the United Kingdom’s Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the European Union’s Cyber Resilience Act.

Additionally, measures will be implemented to promote cooperation between government and industry by limiting how information shared with the government can be used, and by establishing a Cyber Incident Review Board to conduct no-fault reviews of major incidents, modelled on the United States’ Cyber Safety Review Board.

The bill will now undergo review by the Parliamentary Joint Committee on Intelligence and Security for potential amendments.
