
Out-Law News

Australian companies face new ransomware reporting requirements

Australian companies and organisations will have new obligations to report ransomware payments from 30 May, creating new legal requirements when dealing with malicious actors, according to experts.

Susan Kantor, an expert in cyber law at Pinsent Masons, said: “There is no law across APAC that specifically prohibits the payment of ransom following a cyber-attack.”

“A new law that is unique in Australia is the Cyber Security Act, which introduced a range of new obligations, including new ransomware payment reporting laws that take effect from 30 May,” she said.

“The law does not prevent you from making a ransomware payment, but if you do or you become aware that another organisation has made a payment on your behalf, then a report must be made to the Australian Signals Directorate through the Australian Cyber Security Centre within 72 hours of that payment being made.”

This obligation will apply to organisations that meet an annual turnover threshold of A$3 million (approx. US$1.91 million) or that are a responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act.

Veronica Scott, an expert in cyber law at Pinsent Masons, said: “Paying a ransom demand should be a last resort and you should be taking a range of steps to avoid this stage.”

“Just because you pay does not mean you will get access to your data back, and even if you do, the criminal actor keeps a copy of the data anyway,” she said.

“You need to think very carefully about your options and understand the consequences down the line and the risk you reopen yourself to being retargeted.”

The introduction of the limited use framework in the Cyber Security Act, together with the payment reporting obligations, is aimed at reassuring organisations that they can also share information voluntarily with cyber agencies about attacks they experience.

The Australian government’s annual cyber threat report found a 3% increase in ransomware attacks on businesses in 2023-24 compared with the previous year, and new ransomware groups continue to emerge.

Ransomware as a service continues to be a thriving business model, and new AI tools are emerging that cyber criminals can use to offer more cybercrime-as-a-service offerings. However, humans continue to be a weak link through which ransomware is able to breach organisations’ cyber defences.

The Australian Signals Directorate responded to 121 ransomware incidents during the 2023-24 financial year, according to the report.

Scott said: “Another challenge is that you’re not handing over cash or making a bank transfer to these attackers; they demand payment in cryptocurrencies like Bitcoin using untraceable wallets.”

“Nobody can quantify precisely the amount of ransomware payments that have been made, how often they occur and what sectors are most at risk,” she said.

“One purpose of Australia’s notifiable data breach scheme and cyber incident reporting is to give regulators and government the intelligence to understand where these events are happening, where the risks are, and to provide guidance to organisations about the controls and measures they should implement to address those risks.”

Regulators are more actively pursuing organisations that do not invest in having the right cyber security measures in place.
