Cyber Security Legislation: Mandatory Ransomware Payment Reporting – Cyber Security Bill 2024

Announcement date
9 October 2024

Link to announcement
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r7250

Problem being addressed
Ransomware uses malicious software to cripple operations by encrypting devices, folders and files, rendering essential computer systems inaccessible unless a ransom is paid, and remains the most destructive cybercrime threat to Australians. Cyber extortion is on the rise. In 2022-2023, the Australian Signals Directorate (ASD) responded to 127 extortion-related incidents; 118 of these involved ransomware or other forms of restriction to systems, files or accounts. Throughout this period, ASD reported that cybercriminals constantly evolved their tactics and operations to extract maximum payments from victims, fuelled by a global industry of access brokers, extortionists and ransomware-as-a-service operators.

Under the 2023-2030 Australian Cyber Security Strategy, the Australian Government has committed to disrupting the ransomware business model and preventing cybercriminals from profiting from attacks on Australian businesses and citizens. However, under-reporting of ransomware payments limits the Australian Government's understanding of the cyber threat landscape, which is essential both to responding to the increase in extortion-related cyber security incidents and to developing policy options that break the ransomware business model.

Proposal
This Impact Analysis (IA) considers four options.

  • Option 1 – maintain the status quo (no regulatory change).

  • Option 2 – encourage voluntary reporting of ransomware demands and payments.

  • Option 3 – legislate mandatory reporting of ransomware payments.

  • Option 4 – legislate mandatory reporting of ransomware demands and payments.

For Options 3 and 4, two turnover thresholds for applying the reporting obligation were considered.

  • Option A – entities with an annual turnover of greater than $10 million.

  • Option B – entities with an annual turnover of greater than $3 million.

The preferred policy option is Option 3B.

Assessed Impact Analysis outcome
Good practice.

Assessment comments
The IA addresses the seven IA questions and follows an appropriate policy development process, commensurate with the significance of the problem and the magnitude of the proposed intervention. In particular, the IA included a quality process for consulting with stakeholders on the proposed reforms.

Regulatory burden
The Department of Home Affairs estimates that the three reforms in the preferred Option 3B will increase average regulatory costs by $4.77 million per year.

Note: any accessibility queries should be directed to the Department of Home Affairs.

Attachments
  • Certification Letter (docx, 726 KB)
  • Certification Letter (pdf, 263.69 KB)
  • Impact Analysis (docx, 6.86 MB)
  • Impact Analysis (pdf, 3.06 MB)
  • OIA Assessment Letter (docx, 243.34 KB)
  • OIA Assessment Letter (pdf, 253.06 KB)