Australian Businesses Prepare for Ransom Reporting Deadline


New Australian Legislation Mandates Reporting of Ransom Payments


Organizations in Australia are facing a deadline of approximately 40 days to comply with a newly enacted law that mandates the reporting of ransomware payments to authorities. The Cyber Security Act 2024, which received parliamentary approval last November, requires specific businesses to officially document cybersecurity incidents and any payments made to ransomware attackers, with enforcement starting on May 30.

Failing to report such incidents or payments could lead to significant penalties, with a maximum fine reaching 60 penalty units, equivalent to approximately AU$19,800 under current valuation. Australian authorities evaluate penalties based on units that appreciate over time, where each unit is currently valued at AU$330.

The reporting requirement targets organizations with an annual turnover of at least AU$3 million (approximately USD 1.91 million) and those identified as critical infrastructure operators. These entities comprise about 6.5% of all registered businesses and are obliged to report ransom payments within 72 hours to the Australian Signals Directorate.

The obligation to report ransomware payments was initially introduced in the draft cybersecurity bill published in early 2024, aiming to enhance the government’s intelligence regarding the impact and scope of ransomware threats within Australian businesses. This initiative follows concerns that many victimized entities refrain from reporting attacks, fearing potential penalties or legal repercussions.

The Home Office’s Office of Impact Analysis disclosed that underreporting of ransom payments has hindered a comprehensive understanding of the cyber threat landscape, and mandated reporting is anticipated to disrupt the current ransomware business model.

Under the new legislation, organizations must disclose the amount paid in ransom, the method and timing of the payment, the impact on operations, the original extortion demand, and details of any communication with the extorting entity. This detailed reporting framework is designed to shine a light on the mechanisms and methodologies used by cybercriminals.

Data from the Australian Signals Directorate indicates that 118 ransomware incidents were officially reported during the fiscal year 2022-23. However, officials strongly believe that the actual number of ransom payments is substantially higher, given the historical reluctance of victims to report such incidents due to fears of regulatory scrutiny or a lack of clear reporting channels.

In response to concerns regarding potential legal actions against victim organizations, the government has implemented a “limited use obligation.” This measure aims to protect organizations from facing prosecution or regulatory penalties based on the information they provide to investigative agencies.
