Introduction
In an increasingly digital world, the prevalence of cyber threats has prompted governments worldwide to strengthen their legislative frameworks in the particular area of ransomware threat. In response, the Australian Government has introduced the Cyber Security Bill 2024 (“the Bill”), which aims to regulate and bring transparency to ransomware payments, among other reforms. Ransomware, described as the “most destructive cybercrime threat in 2022-23,” operates by encrypting files, devices, and networks, rendering them inaccessible until a ransom is paid.[1] In many cases, even after a ransom payment has been made, victims of ransomware attacks may still be unable to recover their data.[2]
The impact of ransomware on Australian businesses has been significant, with many high-profile incidents highlighting the economic and reputational damage that can be caused. For example, in October 2022, health insurance company Medibank Private were targeted by a ransomware attack that resulted in over 9 million customers’ information being leaked on the dark web.[3] The data leak included personal information such as names, medical information, Medicare numbers, and dates of birth.[4] Medibank anticipates that costs associated with this attack will exceed $125 million by the end of the 2024/25 financial year.[5]
One of the primary challenges recognised by the Australian Government in their attempt to counter the effects of ransomware is the underreporting of incidents. Currently, there is no mandatory requirement for Australian business entities to report ransomware payments, and in many cases, they are not even required to report the incident at all.[6] Through increased reporting, the Government intends to use the information to accurately assess the scope of ransomware threats in Australia and develop better informed policy decisions.[7]
Legislative Reform
The Bill enlivens a mandatory obligation for Australian business entities to report ransomware payments within 72 hours of making the payment or becoming aware of a payment being made.[8] Importantly, the Bill broadens the definition of ransomware payments to include cyber extortion payments.[9] The difference between the two lies in the actions taken by the extorting entity once they have gained unauthorized access and exfiltrated the data. In the case of ransomware, the extorting entity will deny access or functionality to the data, whereas in the case of cyber extortion, the extorting entity will threaten to release the data.
The reporting requirement is comprehensive and must include specific information, including:
- the contact and business details of the reporting entity;
- if the entities are different, the contact and business details of the entity that made the ransomware payment;
- details of the cyber security incident, including its impact on the reporting entity;
- the demand made by the extorting entity;
- details of the ransomware payment; and
- details of communication with the extorting entity.[10]
Scope of the Bill
The obligation to report a ransomware payment will apply to Australian business entities that meet a specified turnover threshold, which is yet to be definitively set. The government is considering two threshold options:
- entities with an annual turnover greater than $10 million; or
- entities with an annual turnover greater than $3 million.
Currently, entities with an annual turnover greater than $3 million has been considered the more favourable option as it would encompass approximately 6.56 per cent of Australian businesses.[11] This would capture “three times” the number of entities than the alternative $10 million threshold.[12] Broadening the scope of entities which fall under the Bill will assist in facilitating a more accurate assessment of Australia’s ransomware threat landscape.
Use of Reported Information
A significant concern raised during the consultation process was the potential use of reported information by the government as evidence in regulatory or law enforcement actions against the reporting entity.[13] In response to these concerns, the Bill stipulates that reports lodged by business entities will not be admissible as evidence against them in most legal proceedings, including:
- criminal proceedings under Commonwealth, State, or Territory law (with limited exceptions for offenses under sections 137.1, 137.2, and 149.1 of the Criminal Code Act 1995 (Cth));
- civil proceedings for contraventions of civil penalty provisions (except those specific to Part 3 of the Bill, which outlines the reporting obligations);
- proceedings for breaches of other Commonwealth, State, or Territory laws;
- proceedings before any tribunal.[14]
Conclusion
The Bill represents a critical step in enhancing Australia’s legislative response to ransomware and cyber extortion. Business entities should familiarise themselves with these new obligations and develop plans that ensure compliance should a ransom payment be made. This would include identifying whether the entity meets the threshold for reporting, what information would be required to be reported, and what is involved in the reporting process. The introduction of mandatory ransomware payment reporting will not only provide the government with essential information to better understand ransomware threats but will also offer an opportunity for entities to proactively adapt to strong and transparent cyber security practices.
[1] Explanatory Memorandum, Cyber Security Bill 2024 (Cth) 4-5 (‘Explanatory Memorandum’).
[2] Ibid 127.
[3] Australian Signals Directorate, ‘Cyber sanction imposed on Russian cybercriminal for 2022 Medibank Private compromise’, News and media (Web Page, 23 January 2024) <https://www.cyber.gov.au/about-us/view-all-content/news-and-media/cyber-sanction-imposed-russian-cybercriminal-2022-medibank-private-compromise>.
[4] Ibid.
[5] Denham Sadler, ‘Data breach to cost Medibank more than $125m: And that’s not counting impending legal action’, ICT News (Web Page, 27 August 2024) <https://ia.acs.org.au/article/2024/data-breach-to-cost-medibank-more-than–125m-.html#:~:text=And%20that’s%20not%20counting%20impending%20legal%20action.&text=Medibank%20is%20continuing%20to%20pay,penalties%20it%20is%20also%20facing>.
[6] Explanatory Memorandum (n 1) 131.
[7] Ibid 134.
[8] Cyber Security Bill 2024 (Cth) s 27(1).
[9] Ibid s 26(1).
[10] Ibid s 27(2).
[11] Explanatory Memorandum (n 1) 126.
[12] Ibid.
[13] Explanatory Memorandum (n 1) 153.
[14] Cyber Security Bill 2024 (Cth) s 32(2).
