Mandatory Ransomware Payment Disclosure Begins in Australia

New ransomware payment reporting rules have come into effect in Australia from today (May 30), applying to all organizations with an annual turnover of AUS $3m ($1.93M).
The provisions, outlined in Australia’s Cyber Security Act 2024, also apply to private companies that operate critical infrastructure assets in the country.
Applicable organizations must report any ransomware payment they make to the Australian Signals Directorate (ASD) reporting tool within 72 hours of making the payment or becoming aware that the ransomware payment has been made.
The report must include the following information:
- The ransomware payment amount demanded and paid
- The method of provision that was demanded and used
- Details on the nature and timing of communication with the attackers
The requirements do not apply to public sector bodies.
Failure to comply can result in civil penalties.
Australia is the first country in the world to introduce mandatory ransomware payment reporting requirements.
Australia’s Cyber Security Act 2024 also mandates new security standards for smart device manufacturers, which are due to come into effect in 2026.
Additionally, the law will see the creation of a new Cyber Incident Review Board, which will conduct post-incident reviews into significant cybersecurity incidents. This could see senior executives face scrutiny over their cyber strategy decisions.
Reporting Rules Aim to Boost Ransomware Visibility
The new rules are designed to improve visibility into ransomware attacks, helping government and law enforcement in their efforts to combat threat actors.
It is believed that there is a significant underreporting of ransomware incidents. The Australian Institute of Criminology has reported that just one in five victims report cyber-attacks to authorities.
The requirement to make payments public could also deter ransomware victims from paying their extorters.
Commenting on the reporting rules, Tim Dillon, Director of Professional Services, APAC, NCC Group, said: “The introduction of Australia’s latest cybersecurity laws is a significant step in bolstering national digital resilience against an ever-evolving threat landscape. Governments and regulators globally are grappling with limited visibility into cyber risks – particularly ransomware – which hinders their ability to effectively detect, disrupt, and deter cyber-attacks.”
The UK government is currently undertaking a consultation on creating a mandatory reporting regime for ransomware incidents, in addition to making payments illegal for public sector and critical infrastructure organizations.
Recent research has indicated that ransomware victims are becoming increasingly resistant to attackers’ demands, with Chainalysis finding that payments fell 35% in 2024 compared to 2023.