
Cybersecurity bill could make ransomware payment reporting mandatory

News | 09 Oct 2024 | 3 mins
Cybercrime, Ransomware

Subject to the passage of this legislation, Australia could have its first standalone cybersecurity act.

[Image: A person holding out their hands, with various cybersecurity symbols floating above them in a line. Credit: TierneyMJ / Shutterstock]

The Australian Federal Government has introduced the Cyber Security Bill 2024 to Parliament proposing the country’s first standalone cybersecurity Act.

The simplified outline of the Act proposes the following:

  • This Act provides for mandatory security standards for certain products that can directly or indirectly connect to the internet (called relevant connectable products).
  • This Act also imposes an obligation to report ransomware payments made. The information required includes details relating to the cyber security incident, the demand made by the extorting entity and the ransomware payment. An organisation may be liable to a civil penalty if it fails to make a ransomware payment report as required.
  • Information may be voluntarily provided to the National Cyber Security Coordinator in relation to a significant cyber security incident. The National Cyber Security Coordinator’s role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
  • The Cyber Incident Review Board is established by this Act. Its functions include causing reviews to be conducted in relation to certain cyber security incidents. A review will make recommendations to Government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of incidents of a similar nature in the future. The board is to consist of one chair and up to six other members, and a review panel is to be established for each review.
  • Information provided by entities under provisions of this Act may only be used and disclosed for limited purposes. Certain information provided to the Australian Government under this Act is not admissible in evidence in proceedings against the entity that provided the information.
  • A range of compliance and enforcement powers are provided for, including by applying the Regulatory Powers (Standard Provisions) Act 2014.
  • This Act also deals with administrative matters such as delegations and the power to make rules.

The first four proposed measures are meant to “address gaps in current legislation” and had been flagged under the 2023-2030 Australian Cyber Security Strategy, announced in November 2023.

Not long after, the Australian Federal Government launched a consultation paper covering several topics, including ransomware reporting obligations.

“The bill’s second measure will help build our understanding of the ransomware threat that continues to cause large-scale harm to the Australian economy and national security,” Home Affairs and Cyber Security Minister Tony Burke told parliament when introducing the bill. “In 2023 it was estimated that Australian businesses who paid in response to ransomware attacks paid an average of $9.27 million. This issue needs to be tackled. Mandatory reporting of ransomware payments will crystallise our picture of how much is being extorted from businesses via ransomware attacks, whom these payments are being made to and how.”

“With these timely and comprehensive insights, the government will be better able to develop the resources, tools and supports that are most useful to industry and help break the ransomware business model.”

The bill also proposes to implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act).
