
New Bill Mandates Australian Organizations to Notify Before Paying Ransom

Australia has introduced a new Bill to the House of Representatives that seeks all organizations to disclose to the ACSC if/when they plan to make ransom payments to cybercriminals.


Ransomware attacks are no longer just another routine security incident. Several countries are seriously concerned about the rising sophistication of ransomware attacks, and some governments have even declared ransomware a national threat and made mitigating it a top priority. With this in mind, Tim Watts, member of the Australian Labor Party and Shadow Assistant Minister for Cyber Security, proposed the Ransomware Payments Bill 2021 to the House of Representatives. If approved, the new legislation would require all organizations to inform the Australian Cyber Security Centre (ACSC) if/when they are considering paying a ransom to cybercriminals in the event of a ransomware attack. Organizations that fail to notify could face penalties from the authorities.

The ACSC stated that the proposed bill would act as a policy foundation for a coordinated government response to rising ransomware threats. It provides a critical platform for a comprehensive national ransomware strategy, which is badly needed to deal with the evolving ransomware attacks on Australian organizations.

“This is a stand-alone Bill to establish a mandatory reporting requirement for Commonwealth entities, State or Territory agencies, corporations, and partnerships who make ransomware payments in response to a ransomware attack,” the ACSC said.

Responsible Disclosure

Under the bill, all organizations in Australia, except small businesses, sole traders, unincorporated entities, and charities, must notify the ACSC with full details of the cyberattack, the attacker, and the ransom payment. This information will be held by the ACSC and used to:

  • Share de-identified information with the private sector through the ACSC threat sharing platform.
  • Collect and share information that may be used by law enforcement.
  • Collect and share information to inform policymaking and to track the effectiveness of policy responses.

“If an entity makes a ransomware payment, they must provide ACSC with their details, the details of the attacker, and information about the attack to the extent that it is known. Information about the attack includes cryptocurrency wallet details, the amount of the payment, and indicators of compromise. Failure to notify the ACSC attracts a penalty,” the ACSC added.

Several industry experts support the introduction of a mandatory reporting scheme that will help enterprises to better understand and respond to cyberthreats.

Cyberattacks in Australia Rise

The recent ransomware attack on meat processing giant JBS paralyzed the company’s operations, affecting over 11,000 Australian employees across 47 sites. In addition, a new report from the Australian Competition and Consumer Commission (ACCC) for the year 2020 has sounded the alarm on the urgent need to recognize these cybersecurity gaps. It revealed an 84% surge in identity theft scams and a 75% surge in phishing scams.