Australian Companies Will Soon Need to Report Ransom Payments

Published: 23/11/2024   Category: security




Significant upcoming legislation promises to tighten the screws on cyber incident response in Australia, mirroring CIRCIA in the US.



UPDATE
Australian companies may soon have to disclose to the government any ransom payments they surrender to ransomware attackers.
It wasn't so long ago that Australia's government was considering an outright ban on ransom payments across the country. That idea didn't survive, but a slightly softer rule was floated in a national cybersecurity strategy document published last November. In just a single sentence buried deep in that document, the government signaled its intention that "To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses."
That obligation will be part of the country's upcoming Cyber Security Act, which is expected to be brought before parliament during its next sitting, in just a couple of weeks' time. Businesses with annual turnover exceeding $3 million AUD ($1.96 million US) will be forced to report their ransom payments.
"The goal with such laws is to allow governments to have insight into funds going to bad actors, in order to be able to track those payments and hopefully bring criminals to justice," explains Beth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB).
In Australia's case, "The proposed bill appears to mirror what we are seeing in the United States from CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires that covered entities report ransom payments within 24 hours of making a ransom payment to CISA," she explains. "The Australian proposed law is broader, though, in the sense that it appears to be for any business making a ransom payment, whereas it appears CIRCIA covers only 'covered entities,' which the current proposed CIRCIA regulations broadly define."
Australia has been rocked by some major cyberattacks in recent years. In 2022, a breach of millions of consumer records struck the telecommunications company Optus. Shortly thereafter, a case of similar scope hit the health insurance provider Medibank. Last year, a cyber disruption downed four core ports around the country for a weekend. And there have been more.
The toll to Australia's economy has been significant. As former minister O'Neil noted in a foreword to the 2023–2030 Australian Cyber Security Strategy, a cyber incident is reported to the government every six minutes. (Of course, that doesn't include all the incidents that don't get reported.) Ransomware, meanwhile, is responsible for $3 billion worth of damage to Aussie organizations annually, and cyberattack costs are rising 14% per annum.
Any hard and fast rules that help curb the problem inevitably affect different organizations differently. On one hand there are larger companies, which can handle the costs involved and stand to benefit the most from clearer regulations.
"With laws like this popping up locally across the globe, it creates a patchwork quilt of compliance for multi-national organizations with perhaps a headquarters in the United States but significant operations in Australia," Waller says.
Smaller organizations, meanwhile, have fewer resources to dedicate to cybersecurity, and less money to pay fines when they fall short. According to the Australian Broadcasting Company, the Australian Chamber of Commerce and Industry (ACCI) trade organization supports parts of the upcoming Cyber Security Act, but proposes that the minimum revenue threshold for businesses affected by the reporting rule should be $10 million. ABC also reports that fines for noncompliance will be just $15,000.
The hope, regardless, is that any potential negative side effects to the law will be outweighed by two primary benefits.
First, greater visibility for law enforcement. "A lack of visibility of the overall ransomware and cyber extortion threat limits the capacity of the government and private sector to support Australian organizations prepare for, and respond to, a ransomware or cyber extortion attack," a spokesperson with the Australian Department of Home Affairs said in a statement provided to Dark Reading. "Timely reporting of ransomware and cyber extortion incidents is needed to enhance whole-of-economy risk mitigation and preparedness and help tailor victim support services. This will ultimately bolster our collective security and strengthen our defences against future cyber attacks."
Another upside: more effective incentives for companies to better themselves. "Mandatory disclosures may prompt a reassessment of corporate practices regarding negotiations with cybercriminals," says Anne Cutler, cybersecurity evangelist at Keeper Security.
"With the knowledge they must disclose any ransom payments, business leaders may be persuaded to invest more heavily in preventive measures and robust incident response plans to avoid the financial and reputational scrutiny that comes with public disclosure," she says.
This story was updated at 10:15 a.m. ET on Aug. 2, 2024 to reflect the addition of comments from the Australian Department of Home Affairs.
