Australia has taken a groundbreaking step in cybersecurity legislation with the introduction of a new Cyber Security Bill, which requires businesses to report ransomware payments to the government. The bill, presented to the Australian Federal Parliament on Thursday, aims to improve the country’s response to cyber threats following a series of high-profile attacks.
Prominent cyber incidents involving companies like Optus, Medibank, and MediSecure have driven the Australian government to prioritise cybersecurity. In response, a national cybersecurity strategy was launched last November, backed by AU$587 million (£310 million) over seven years, to prevent an estimated AU$3 billion (£1.6 billion) in damages from ransomware attacks each year.
The Cyber Security Bill 2024 includes several key initiatives from this strategy, with the mandatory reporting of ransomware payments standing out as its most distinctive provision. Under the proposed law, businesses with an annual turnover exceeding AU$3 million (£1.6 million) must report any ransomware payments to the Department of Home Affairs within 73 hours of the transaction.
Failure to comply with the reporting requirement could result in fines of up to AU$18,000 (£9,500), equivalent to 60 penalty units under Australia’s civil penalty system. The Australian government stated that mandatory reporting will enhance its understanding of the financial impact of ransomware on businesses and help curb cyber extortion activities.
Tony Burke, Australia’s Minister for Cybersecurity, emphasised the need for this approach, stating, “Mandatory reporting of ransomware payments will clarify how much is being extorted from businesses and who is receiving these payments.”
The bill also proposes stricter security standards for smart devices and enhanced information-sharing between the government and industry. The legislation is now set to be reviewed by the Parliamentary Joint Committee on Intelligence and Security, marking another step in Australia’s efforts to tackle cybercrime and bolster national resilience against digital threats.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543