Australia has taken a decisive step in enhancing its cyber security framework, passing the Cyber Security Act 2024 (Cyber Security Act) on 25 November 2024 and amendments to related legislation. As we previously reported, the law is set to reshape the cyber security landscape for Australian businesses, particularly with the introduction of a mandatory ransomware payment reporting.
Mandatory Ransomware Payment Reporting
The Cyber Security Act now mandates organisations report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours of payment or becoming aware of the same.
This reporting requirement applies to:
Critical infrastructure entities regulated under the Security of Critical Infrastructure (SOCI) Act; and
Private sector businesses with an annual turnover exceeding the forthcoming threshold (likely AUD 3 million if the same threshold under the Privacy Act 1988 (Cth) is applied).
Organisations face a civil penalty of 60 penalty units (currently AUD 19,800) for failing to comply.
Notably, the obligation is triggered upon payment, not the mere discovery of an attack or receipt of a ransom demand. Boards must weigh the implications carefully, given that the Australian Government’s policy remains firmly against paying ransoms.
The Reporting Dilemma
While reporting payments enhances transparency and government response capabilities, it complicates decision-making for directors, who must balance:
Risks of paying a ransom: Encouraging further attacks, violating sanctions or anti-money laundering laws, and uncertainty over effectiveness.
Risks of not paying: Operational disruptions, reputational damage, third-party claims, and data loss.
Adding another layer of complexity, the Government may use its directions powers under the SOCI Act to compel certain organisations to pay or refrain from paying a ransom.
Limited Use Protections
The Cyber Security Act introduces limited use protections for ransomware reports, restricting how disclosed information can be used. Reports cannot be used for general enforcement actions or admitted as evidence in most proceedings, with exceptions for crimes and breaches of the Act itself. However, the Act stops short of providing a full safe harbour:
Regulators can still use investigatory powers to access the underlying information.
Other mandatory reporting regimes, such as those under the Privacy Act or ASX Listing Rules, remain enforceable.
Voluntary Information Sharing: Building Trust
The Act also establishes a voluntary reporting regime via the National Cyber Security Coordinator (NCSC). The scheme is structured to encourages entities to disclose information about cyber incidents to the NCSC for assistance and coordination without fear of it being used against them in regulatory enforcement (outside limited exceptions).
However, this remains distinct from ransomware reporting, and businesses must tread carefully in balancing transparency with the risk of disclosure.
Looking Ahead
The Cyber Security Act is awaiting Royal Assent. The mandatory reporting requirement for ransomware payments is expected to come into force six months after that date or such other date as is designated.
Businesses should ensure that they:
Review and update cyber incident response plans to ensure compliance with ransomware reporting requirements.
Train directors and executives on the implications of ransomware payment decisions and reporting obligations.
Test cyber playbooks with scenarios incorporating ransomware attacks, mandatory reporting, and government engagement.
Consider legal implications, including sanctions laws and directors’ duties, when deciding how to respond to ransomware demands.
The Cyber Security Act signals a shift toward greater transparency, accountability and collaboration in cyber security following several high profile incidents. While the new reporting regime is intended to provide valuable intelligence in combatting cyber breaches, it also introduces significant challenges for businesses navigating compliance, governance, and operational risk.
By Steven Pettigrove and Luke Misthos
Comments