Update on Cyber Security Act 2024

The Cyber Security Act 2024 (The Act) is law aimed at enhancing Australia’s cyber security framework. It is part of the broader Cyber Security Legislative Package, which implements a number of initiatives from Australia’s 2023-2030 Cyber Security Strategy. 

Background of the Act

As part of its design and formation, the Act was informed by an extensive consultation process, including the release of the Cyber Security Legislative Reforms Consultation Paper in December 2023 and targeted consultation on an Exposure Draft package in September 2024.

The purpose of the Act is to address key areas to bring Australia in line with international best practices relating to cyber security. Some of the measures implemented in the Act are:

  • Mandating minimum cyber security standards for smart devices.
  • Introducing a mandatory ransomware and cyber extortion reporting obligation, requiring certain businesses to report ransom payments.
  • Establishing a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.

The Act received Royal Assent on 29 November 2024 and as a result, is now law. The Department of Home Affairs is currently conducting public consultation to develop subordinate legislation required to give effect to some of the measures under the Act. This consultation process will run until 14 February 2025.

Mandatory Ransomware and Cyber Extortion Reporting

Under the Act, there will be a mandatory ransomware and cyber extortion reporting obligation for certain businesses, requiring them to report ransom payments. This part of the Act is not yet operational and is in the process of being implemented: the Department of Home Affairs is currently conducting public consultation to develop the subordinate legislation required to give effect to this measure, and that consultation is expected to close this month (it runs until 14 February 2025).

The draft rules for mandatory ransomware payment reporting have also been released and are available for review. They set out how businesses are to report ransom payments. The obligation applies to private sector entities that carry on business in Australia and meet an annual turnover threshold that is yet to be set (expected to be $3 million).

The draft rules outline several key requirements for businesses. The key points include:

  1. Applicability: The reporting obligation applies to private sector entities that carry on business in Australia and meet an annual turnover threshold.
  2. Reporting Requirements: Businesses must report any ransom payment made to a ransomware group, whether the payment is made directly by the business or on its behalf by another entity. The draft currently provides that the report must be submitted to the Department of Home Affairs within 24 hours of the ransom payment being made.
  3. Information to be Included in the Report: The report must include detailed information about the ransomware incident, including the date and time of the attack, the amount of the ransom paid, the cryptocurrency used for the payment and any other relevant details. Businesses must also describe the steps taken to mitigate the impact of the attack and any measures implemented to prevent future incidents.
  4. Purpose of the Reporting Obligation: The primary aim of the reporting obligation is to provide the government with better visibility of ransomware incidents. This information will help in the development of strategies to combat cyber extortion and improve overall cyber security resilience.
  5. Confidentiality and Protection: The draft rules include provisions to ensure the confidentiality of the information reported. The Department of Home Affairs will take necessary measures to protect the sensitive information provided by businesses.
  6. Penalties for Non-Compliance: Businesses that fail to comply with the reporting obligation may face penalties. The specific penalties are still under consideration and will be finalised as part of the subordinate legislation.

Research into mandatory reporting

A previous study[1] has looked at the prevalence of ransomware, the impact of ransom payments and the effectiveness of law enforcement interventions. Its findings indicated that law enforcement interventions such as arrests, sanctions and takedowns of leak pages resulted in nearly half of ransomware groups ceasing their activities. This suggests that mandatory reporting can provide law enforcement with valuable data, enabling targeted action against ransomware groups.

Additionally, a policy report by the Australian Strategic Policy Institute[2] (ASPI) argues that the current policy vacuum makes Australia an attractive market for ransomware attacks. The report recommends the adoption of a mandatory reporting regime to increase transparency when attacks occur and to provide the government with better visibility of ransomware incidents. This information can help in developing strategies to combat cyber extortion and improve overall cyber security resilience.

Logic and Benefits of Mandatory Reporting

In addition to the points set out above, the logic behind mandatory reporting of ransomware payments is based on several key points:

  1. Increased Visibility: Mandatory reporting provides the government and law enforcement agencies with timely and accurate information about ransomware incidents. This increased visibility allows for better coordination and response to cyber threats.
  2. Data Collection and Analysis: By collecting data on ransomware incidents and payments, authorities can analyse trends, identify common attack vectors, and develop targeted strategies to prevent future attacks. This data-driven approach can lead to more effective prevention and mitigation measures.
  3. Deterrence: Knowing that ransom payments must be reported may deter businesses from paying ransoms in the first place. This can reduce the financial incentive for cybercriminals to carry out ransomware attacks, as they rely on ransom payments to fund their operations.
  4. Improved Incident Response: Mandatory reporting can facilitate faster and more coordinated incident response efforts. Authorities can quickly mobilise resources to assist affected businesses and mitigate the impact of ransomware attacks.
  5. Public Awareness and Education: Reporting requirements can raise public awareness about the risks of ransomware and the importance of cyber security measures. This can lead to better preparedness and resilience among businesses and individuals.

Conclusion on benefits of mandatory ransomware payment reporting

The implementation of mandatory ransomware payment reporting is expected to enhance Australia’s cyber security framework in several ways:

  • Enhanced Law Enforcement Capabilities: With better data on ransomware incidents, law enforcement agencies can take more effective actions against cybercriminals, such as arrests, sanctions, and takedowns of infrastructure used by ransomware groups.
  • Policy Development: The collected data can inform the development of policies and regulations aimed at preventing ransomware attacks and improving cyber security resilience.
  • Collaboration and Information Sharing: Mandatory reporting can foster collaboration and information sharing between businesses, government agencies, and law enforcement. This can lead to a more coordinated and comprehensive approach to combating ransomware.
  • Increased Accountability: Businesses will be held accountable for their cyber security practices, encouraging them to implement stronger security measures and reduce the likelihood of falling victim to ransomware attacks.

Overall, mandatory ransomware payment reporting is considered to be a crucial step towards building a more resilient and secure cyber environment. It provides valuable insights, enhances law enforcement capabilities, and promotes a culture of transparency and accountability in the fight against cybercrime.

[1] https://www.utwente.nl/en/digital-society/news/2025/1/86301/ransomware-ut-phd-offers-new-insights-on-size-willingness-to-pay-and-effectiveness-of-police-interventions

[2] https://www.aspi.org.au/report/exfiltrate-encrypt-extort