Australia’s government is considering new regulations that would require companies to disclose any ransom payments made to cyber attackers. This move comes in response to a series of major cyberattacks that have targeted Australian businesses in recent years, causing significant damage to the country’s economy.
The proposed rule, which is expected to be included in the upcoming Cyber Security Act, would mandate that businesses with annual revenues exceeding $3 million AUD report any ransom payments they make. While the fines for noncompliance are relatively low at $15,000, the goal of the regulation is to provide government authorities with insight into funds that are being paid to cybercriminals.
According to Clare O’Neil, the former Minister for Home Affairs, the new rule is aimed at tracking ransom payments and potentially bringing cybercriminals to justice. Similar regulations have been implemented in the United States under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires covered entities to report ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
The Australian regulation, however, is broader in scope, applying to any business that makes a ransom payment, not just covered entities. This could create challenges for multinational organizations with operations in both Australia and other countries subject to similar laws.
While larger companies may be better equipped to comply with the reporting requirements, smaller organizations could face more significant challenges. The Australian Chamber of Commerce and Industry (ACCI) has suggested that the minimum revenue threshold for reporting ransom payments should be raised to $10 million to reduce the burden on smaller businesses.
Despite these potential challenges, the government hopes that the new regulation will give law enforcement greater visibility into cybercrime activities and encourage companies to strengthen their cybersecurity defenses. By making disclosure of ransom payments mandatory, the rule may push businesses to invest more heavily in preventive measures and incident response plans so as to avoid the financial and reputational risks associated with cyberattacks.
Overall, the Australian government’s efforts to enhance cybersecurity regulations reflect a growing recognition of the need to address the escalating threat of cybercrime and protect the country’s critical infrastructure and business operations from malicious actors. As the cyber threat landscape continues to evolve, it is crucial for governments and businesses to work together to strengthen cybersecurity defenses and mitigate the risks posed by ransomware attacks.