Mandatory Disclosure of Ransomware Payments Commences in Australia
New ransomware payment reporting rules have been enacted in Australia, effective May 30, impacting organizations with an annual turnover of AUD $3 million (USD $1.93 million). These provisions, integrated into Australia’s Cyber Security Act 2024, extend to private companies operating critical infrastructure assets within the nation.
Organizations falling under this regulation must report any ransomware payment to the Australian Signals Directorate (ASD) within 72 hours of making the payment or becoming aware that it was made. The required report must include:
– The amount demanded and paid in the ransom
– The method of payment demanded and utilized
– Details regarding the nature and timing of communications with the threat actors
It is important to note that these guidelines do not pertain to public sector bodies. Non-compliance may lead to civil penalties.
Australia is the first nation globally to implement such mandatory ransomware payment reporting requirements. Furthermore, the Cyber Security Act 2024 establishes new security standards for smart device manufacturers, which will be enforced starting in 2026. The legislation also initiates the creation of a Cyber Incident Review Board, tasked with conducting post-incident evaluations of significant cybersecurity events, potentially subjecting senior executives to increased scrutiny regarding their cyber strategy decisions.
Reporting Rules Aim to Boost Ransomware Visibility
The newly established rules are aimed at enhancing awareness of ransomware attacks, thereby assisting governmental and law enforcement entities in their confrontation with cybercriminals. The Australian Institute of Criminology has indicated a significant underreporting of ransomware incidents, with only one in five victims disclosing cyber attacks to authorities.
Making payments reportable could also act as a deterrent for ransomware victims contemplating payment to attackers.
Tim Dillon, Director of Professional Services for APAC at NCC Group, commented on the introduction of these regulations, stating: “Australia’s latest cybersecurity laws significantly enhance national digital resilience against a constantly evolving threat landscape. Governments and regulators worldwide face challenges due to limited visibility into cyber risks, particularly ransomware, which complicates their efforts to effectively detect, disrupt, and deter cyber threats.”
In a parallel effort, the UK government is exploring the establishment of a mandatory reporting framework for ransomware incidents while considering the prohibition of payments for public sector and critical infrastructure organizations.
Recent findings have shown that ransomware victims are increasingly resistant to demands from attackers, with Chainalysis reporting a 35% decline in payments made in 2024 compared to the previous year.