Australia Considers Mandatory Reporting of Ransom Payments

New legislation is on the horizon in Australia that is set to change the way businesses deal with ransomware attacks. This law, not unlike the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, aims to improve transparency when it comes to paying ransoms.

There’s no question that cybercrime is on the rise in the country. In its 2022/23 Annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) said it was notified of a cyber incident an average of a staggering once every six minutes.

Ransomware, in particular, remains a significant threat to Australian businesses of all sizes and types in 2024. Recent reports reveal a troubling trend: attacks are increasing in frequency, and the costs for victims are rising, too. The economic impact of these incidents has been substantial, with ransomware incidents costing the Australian economy an average of $2.59 billion annually.

Initially, Australia toyed with the idea of imposing an outright ban on ransomware payments as a response to the escalating threat these incidents pose. It was considered a possible way to disrupt the lucrative payouts that fuel ransomware gangs. However, this approach was greeted with much debate and criticism, leading the government to shift its focus. Instead, the proposed legislation now emphasizes mandatory reporting of ransomware payments.

Deterrence vs. Practicality

This shift hopes to strike a balance between effective deterrence and practical considerations for businesses, providing a framework for transparency and accountability without completely restricting their ability to negotiate with attackers.

Under the proposed Cyber Security Act, businesses in the country with an annual turnover of more than $3 million AUD ($1.96 million US) may be required to disclose any ransom payments made to ransomware gangs. This approach was born from a strategy document released last November, which stated: “To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses.”

The rationale behind this legislation is to arm the government with better insight into ransomware payments, which, with any luck, will help them track and prosecute bad actors more effectively. The US’s CIRCIA mandates that certain entities must report ransom payments within 24 hours. Australia’s proposed law, on the other hand, would have a broader scope, applying to any business that makes a ransom payment.

SMEs Struggle with Costs, Penalties

There is a worry that small and medium enterprises (SMEs) might be disadvantaged by the new regulations. While their corporate counterparts are more likely to have the means to comply, smaller entities might struggle with the costs and penalties. The Australian Chamber of Commerce and Industry (ACCI) has suggested raising the minimum revenue threshold for affected businesses to $10 million AUD. Current reports suggest that fines for non-compliance will be around $15,000 AUD.

The expectation is that any potential downsides of the law will be offset by two key advantages. “A lack of visibility of the overall ransomware and cyber extortion threat limits the capacity of the government and private sector to support Australian organizations prepare for, and respond to, a ransomware or cyber extortion attack,” the Australian Department of Home Affairs said in a statement. “Timely reporting of ransomware and cyber extortion incidents is needed to enhance whole-of-economy risk mitigation and preparedness and help tailor victim support services. This will ultimately bolster our collective security and strengthen our defences against future cyber attacks.”

A Slew of High-Profile Attacks

The effectiveness of this approach is yet to be determined. Australia has faced several high-profile cyberattacks in recent years. One of which happened in late 2022 and was one of the most significant cyberattacks in the country’s recent history. Malicious actors got their hands on the personal and sensitive health information of nearly 9.7 million current and previous customers, including medical records, addresses, and contact details. The attackers demanded a ransom, which the organization refused to pay, resulting in the gang releasing some stolen data publicly. The incident sparked debates about the effectiveness of Australia’s cybersecurity measures as well as the need for stricter regulations to protect customer data.

Similarly, in the same year there was another major incident in Australia, affecting around 10 million people. Malefactors accessed a host of personal data, including names, addresses, email addresses, and identification details, including passports and driver’s licenses. The breach raised legitimate concerns about data security practices in Australia’s telecommunications sector and led to growing scrutiny of how companies handle sensitive information. The fallout from this event also fueled discussions about regulatory reform, with calls for stronger data protection laws and harsher penalties for those who fail to adequately secure their customers’ information.

Incentivizing Businesses to Rethink Security

It is hoped that mandatory disclosures of ransomware payments will light the fire under businesses to rethink their entire approach to cybersecurity, and force a shift from reactive measures to more comprehensive, proactive ones. If companies are forced to report these payments, they could  feel increased pressure to strengthen their defenses, limit the likelihood of an attack, and avoid the financial and reputational fallout associated with disclosure.

This could lead to greater investments in advanced security technologies, employee training, and regular security audits, as well as the development of robust incident response plans. Ultimately, the transparency brought about by these mandatory disclosures could drive a cultural change within organizations, making cybersecurity a more prominent priority at all levels.