New law in Australia will require mandatory reporting of ransomware payments

Editor's Note: Story corrected with additional information about the revenue threshold for reporting businesses.

Australia is set to become the world’s first country to require companies to report to the government any ransomware payments they make as part of a “landmark” new Cyber Security Bill introduced to the Australian Federal Parliament on Thursday.

It comes as cybersecurity has shot up the political agenda in Australia, spurred by a series of high-profile cyberattacks against private businesses, including those affecting Optus, Medibank and MediSecure.

These incidents were followed by an updated national cybersecurity strategy published last November. The strategy was costed at AU$587 million ($382 million) over the next seven years with the intention of preventing AU$3 billion ($1.9 billion) in annual damages caused by ransomware attacks on the Australian economy.

The new Cyber Security Bill 2024 aims to implement seven initiatives set out in that strategy, according to the Australian government, some of which will see the country’s legislation aligned with what is considered best practice elsewhere in the world, while other provisions are the first of their kind.

The most notable and unique aspect of the proposed law is its section on reporting obligations. It will require all business entities above a certain revenue threshold to declare any extortion payments to the Department of Home Affairs.

This threshold suggested by the memorandum to the legislation is an annual turnover of greater than AU$3 million ($2 million), which is expected to capture approximately 6.56% of all registered businesses in Australia, comprising roughly half of the country’s total annual turnover.

Businesses that are impacted by an incident will only have a duty to report to the government in the case they, or someone acting on their behalf, makes a payment to the attackers.

Those who fail to make a report within 73 hours of making an extortion payment will be subject to 60 penalty units under the country’s civil penalty system, equivalent to a fine of around AU$18,000 ($12,000).

In a memorandum accompanying the bill, the Australian government warned: “Ransomware and cyber extortion attacks remain one of the most destructive types of cybercrime. These attacks present a persistent threat to Australia.”

Visibility over ransomware attacks and payments has been a significant challenge for multiple governments dealing with the increasingly successful cybercrime ecosystem.

“Current voluntary reporting mechanisms are underutilised and consequently, ransomware and cyber extortion attacks remain significantly underreported,” stated the Australian government on Thursday.

“The Australian Institute of Criminology indicates that only one in five victims of a ransomware attack report the attack. As a result, government lacks visibility of the economic and social impact of ransomware in Australia.”

Tony Burke, the Australian minister for cybersecurity, told Parliament: “In 2023 it was estimated that Australian businesses who paid in response to ransomware attacks paid an average of $9.27 million. This issue needs to be tackled.

“Mandatory reporting of ransomware payments will crystalise our picture of how much is being extorted from businesses via ransomware attacks, whom these payments are being made to and how.” 

The bill’s other provisions include specifying security standards for smart devices — including banning default passwords, similar to the United Kingdom’s  Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the European Union’s  Cyber Resilience Act.

Further measures include supporting cooperation between government and industry by protecting information sharing between the two parties, and establishing a Cyber Incident Review Board to investigate major incidents — similar to what is set out in EU legislation.

The bill will be now reviewed by the Parliamentary Joint Committee on Intelligence and Security for amendments.