Breach Notification , Fraud Management & Cybercrime , Geo Focus: Asia
Australia May Require Businesses to Report Ransom Payments
Cyber Bill Says the Government Can't Use Information to Prosecute VictimsRansom payments are typically tightly held secrets between cybercriminals and their victims, but the Australian government has introduced a cybersecurity bill in Parliament that would require larger businesses to report ransom payments to the government.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
The Cyber Security Bill 2024, introduced in the House of Representatives Wednesday, mandates certain businesses to report ransom payments and a 'limited use' obligation for cybercrime investigation agencies to avoid information disclosure and reputational damage to victim organizations.
Reporting requirements will be based on the size of the business, with a minimum threshold to be determined by the government. In addition to the ransom payment amount, businesses would be required to disclose whether another entity made the payment, the impact of the attack on the business, the original extortion demand and any "communications with the extorting entity relating to the incident, the demand and the payment."
The government said organizations have so far had the opportunity to disclose ransom payments voluntarily, but only one in five organizations shares the information. "As a result, the government lacks visibility of the economic and social impact of ransomware in Australia," the government said in an explanatory memorandum attached to the bill.
The Department of Home Affairs said the proposed legislation is part of a comprehensive "cybersecurity legislation package," which also includes minimum security standards for connected devices and establishes a cyber incident review board.
The package would also reform the Security of Critical Infrastructure Act 2018 by simplifying information sharing across industry and government, enhancing government assistance for responding to cyber incidents targeting critical infrastructure, and clarifying existing rules for holding business-critical data.
The introduction of the bill follows a lengthy consultation process the government began in December to obtain feedback on plans to align the country's cybersecurity laws and regulations with the Australian Cyber Security Strategy, which seeks to make Australia the most secure nation in the world by 2030.
The consultation paper also recommended that larger businesses report ransomware and cyber extortion payments to the National Cyber Security Coordinator or the Australian Signals Directorate within 72 hours of making a payment.
Failure to report ransom payments could lead to a civil fine, but the Cyber Security Bill also places a "limited-use obligation" on the National Cyber Security Coordinator and the Australian Signals Directorate to ensure that victim organizations will not face legal action or regulatory penalties for the information they share with investigative agencies.
The limited-use obligation will ensure that the National Cyber Security Coordinator will be able to use the information only for the purpose of responding to a cybersecurity incident. Even if the information is shared with provincial governments or other agencies, it cannot be used to prosecute the reporting entity.
The bill also seeks to establish a Cyber Incident Review Board similar to the Cyber Safety Review Board in the U.S. that periodically reviews significant cybersecurity incidents and issues public findings.