Australian Businesses Prepare for Ransom Reporting Deadline

Australian organizations are gearing up to comply with a new law that will require the mandatory reporting of ransomware payments to authorities. The Cyber Security Act 2024, which was passed by both houses of parliament in November, will make it obligatory for certain businesses to report cybersecurity incidents and payments made to ransomware operators, with the deadline set for May 30. Failure to comply with the reporting requirement may result in a maximum fine of 60 penalty units, which is currently equivalent to AU$19,800.

The reporting mandate applies to organizations that have an annual turnover of at least AU$3 million or are designated as critical infrastructure operators. These organizations make up about 6.5% of registered businesses and are required to report ransomware payments within 72 hours to the Australian Signals Directorate. The government introduced the ransomware reporting obligation to gain clear intelligence on the extent and impact of the ransomware threat on Australian businesses.

The Office of Impact Analysis within the Home Office emphasized that under-reporting of ransomware payments has limited the government’s understanding of the cyberthreat landscape. By mandating the reporting of ransomware payments, the government aims to disrupt the ransomware business model and gather more comprehensive data on cyberattacks.

Organizations subject to the reporting mandate must disclose details such as the ransom payment amount, payment method, impact of the attack on the business, original extortion demand, and any communications with the extorting entity. The goal is to improve transparency and provide authorities with actionable intelligence to combat ransomware attacks effectively.

Despite the Australian Signals Directorate responding to 118 reported ransomware incidents in the previous fiscal year, the government suspects that the actual number of ransomware payments is higher. Many victim organizations may be reluctant to report incidents due to concerns about regulatory consequences, legal liabilities, or a lack of established reporting mechanisms.

In response to industry concerns about potential misuse of reported information, the government has introduced a “limited use obligation.” This provision ensures that victim organizations will not face legal or regulatory repercussions for sharing information with investigative agencies. The aim is to encourage cooperation and information sharing without fear of punitive measures.

Overall, the new legislation represents a proactive approach by the Australian government to address the growing threat of ransomware attacks. By requiring organizations to report ransom payments, authorities can gain better insight into the cybersecurity landscape and take targeted measures to protect businesses from malicious actors. As the deadline approaches, Australian organizations are working diligently to ensure compliance with the new reporting requirements and enhance their cybersecurity readiness.
