Continue reading on DataGuidance with:
Australia: Consultation on legislative reforms - ransomware
The Australian Government released the 2023-2030 Australian Cyber Security Strategy: Legislative Reforms Consultation Paper (the Consultation Paper) in December 2023. The Consultation Paper follows the Australian Government's 2023-2030 Australian Cyber Security Strategy (the Strategy). The Strategy aims to build 'cyber shields' to strengthen Australia's cyber defenses and build resilience against cyber-attacks. Katherine Sainty, Kaelah Dowman, and Sarah Macken, from Sainty Law, explore the current ransomware environment in Australia and the Government's proposed ransomware reporting obligations.
The Consultation Paper considers areas of legislative reform set out in the Strategy including new cybersecurity legislation to address gaps in existing regulatory frameworks, and amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) to strengthen the protection of Australia's critical infrastructure.
Notably, the Consultation Paper proposes to impose no-fault ransomware reporting obligations on Australian businesses to help expand understanding of ransomware incidents and develop a 'threat picture.' 'Threat picture' is the term used in the Consultation Paper to describe gathering a more coherent understanding of ransomware and the way in which it presents in society. The Consultation Paper seeks input from the Australian public on the proposal.
Ransomware in Australia: the current situation
Ransomware attacks
Ransomware is malware used to infiltrate a system and prevent the victim from accessing their data until a ransom has been paid. Cyber extortion is where cybercriminals exfiltrate sensitive or personal data from individuals or businesses and threaten to sell or release it if their demands are not met. Both types of incident are among the most destructive cybercrime threats facing Australian businesses, and can have serious implications for personal privacy and national security.
The malware used in ransomware attacks is commonly spread via the following methods:
- malicious websites;
- attachments or links in emails;
- social media posts;
- message apps; and
- downloadable applications.
The driving motivation for cybercriminals when committing ransomware attacks is financial gain, with ransomware incidents costing the Australian economy an average of $2.59 billion per year.
Regulating ransomware attacks
Australian ransomware and cyberattack regulations are limited. Businesses and individuals are not prohibited from making ransom payments to cybercriminals, although doing so is strongly discouraged by the Australian Government.
The issues
The Australian Institute of Criminology suggests that ransomware and cyber extortion attacks are severely underreported with only one in five entities reporting when they suffer a ransomware attack.
Businesses are often reluctant to report ransomware and cyber extortion attacks due to fear of reputational damage and legal reprimand. This limits the visibility of the issue and reduces the capacity of the Government and private sector to help Australian businesses prepare for, mitigate, and respond to these incidents.
Additionally, when a business pays a ransom, it helps to fund the cybercriminal's operation, in effect licensing it to continue operating and to expand its reach and technology. Paying a ransom also gives the victim no guarantee that their stolen data will not be shared by the cybercriminal.
Government's proposed ransomware reforms
In the Consultation Paper, one of the Government's proposals is to introduce a ransomware reporting obligation for businesses, enabling the Government to gather more information on cyber threats and to develop better responses and defenses.
The proposed reforms align strongly with the Strategy to work with industry to break the ransomware business model and co-design options for mandatory no-fault, no-liability ransomware reporting obligations for businesses to report ransomware incidents and payments.
Gaining a greater understanding of ransomware threats through reporting will assist in developing mitigation strategies for businesses and allow adaptability in the Government's approach to the rapidly evolving cybersecurity landscape. The proposed measures will help develop a more thorough 'threat picture,' enhance the whole economy's risk mitigation to such threats, and help establish and tailor victim support services.
What would these reporting obligations entail?
Under the proposed reforms, the Government is seeking to establish two reporting obligations. An entity would be required to report to the Government where it has:
- been impacted by a ransomware or cyber extortion attack, and has received a demand to make a payment to decrypt its data or prevent its data from being sold or released; or
- made a ransomware or extortion payment.
If a business pays a ransom, it would be obliged to submit two reports, one for the initial impact and one for the payment of the ransom. Some information the business would be required to detail in the report includes:
- when the incident occurred, and when the entity became aware of the incident;
- what variant of ransomware was used, if relevant;
- what vulnerabilities in the entity's system were exploited by the attack, if known;
- which assets and data were affected by the incident;
- what amount of money has been demanded as payment by the ransomware cybercriminal, and what method of payment has been demanded;
- the nature and timing of any communications between the entity and cybercriminal;
- the impact of the incident, including impacts on the entity's infrastructure and customers; and
- any other relevant information about the incident that could assist law enforcement with mitigating the impact of the incident and any future incidents.
Who will be required to report?
The Government is looking to find a balance between maximizing the data available to develop a greater understanding of ransomware incidents, and minimizing the administrative burden of imposing a new reporting obligation on Australian businesses, particularly small businesses. Striking this balance will involve determining who must report on ransomware incidents.
There may be circumstances where an entity is already subject to other cyber incident reporting obligations that require it to collect the relevant ransomware information. Instead of introducing new reporting obligations for these organizations, the Government could expand reporting obligations under existing regulations. For example, approximately 1,000 Australian entities already fall within mandatory cyber incident reporting obligations under the SOCI Act, which includes an obligation to report ransomware and cyber extortion incidents.
The Consultation Paper also contemplates limiting the reporting obligation to specific types of entities, for example, businesses with an annual turnover of $10 million or more. This would exclude over 98% of Australian businesses.[1] The downside of limiting the sample size is that data would only be gathered from a small percentage of Australian businesses, excluding a large amount of potentially useful data.
Timeframes for reporting
Prioritizing timely reporting of ransomware and cyber extortion attacks would allow the Government to generate time-sensitive threat assessments that respond to the issue promptly in the hopes of mitigating future attacks. Currently, the Government is considering aligning the timeframes of the new reporting obligations with those already prescribed under other reporting schemes. For example, mandatory incident reporting obligations under the SOCI Act require reports to be made within 72 hours of an incident. The Government is likely to adopt a similar timeframe.
'No-fault' and 'no-liability' protections
The 'no-fault' principle seeks to assure entities that the agency receiving and reviewing the ransomware reports will not apportion blame for the incident, and to give them further confidence that they will not be prosecuted for making a ransom payment. Whilst the payment of a ransom is strongly discouraged, there is no legislative ban on such actions.
The proposed reporting obligations do not seek to penalize victims of an attack or to make findings of fault or liability. However, a proportionate compliance framework, such as a civil penalty provision, is necessary to ensure businesses comply with these reporting obligations.
Looking forward
In the Strategy, the Government emphasizes its commitment to building an understanding of ransomware attacks, disrupting their growing presence, and developing a ransomware playbook to assist in mitigating their destructive impact on Australian businesses. The Consultation Paper provides a considered first look at the proposed reforms, giving useful insight into how they would apply and what changes Australian businesses can expect moving forward. The opportunity for community submissions closed on March 1, 2024, and the Government will be considering these views to improve its approach to the reforms and ensure it accurately reflects the community's vision for greater protection against ransomware.
The Consultation Paper suggests releasing a public quarterly report to share information on ransomware incidents gathered through the proposed reporting obligations. The report would anonymize or aggregate sensitive information. The Government seeks the public's view on this initiative.
For more specific information on the proposed reforms, including those that extend beyond ransomware, we recommend you read the full Consultation Paper and become aware of the extensive list of reforms and how they could impact your business.
Katherine Sainty, Director
Kaelah Dowman, Graduate Lawyer
Sarah Macken, Paralegal
Giselle Croker, Junior Paralegal
Sainty Law, Sydney
[1] According to the Australian Small Business and Family Enterprise Ombudsman, which uses 2022 Australian Bureau of Statistics figures.