Recent high-profile data breaches, such as the 2022 Optus and Medibank incidents (the Medibank breach alone exposed the data of about 9.7 million Australians), have pushed the Australian Government to get better visibility of ransomware attacks, most of which are never reported. The new Cyber Security Act 2024 is designed to gather information on ransomware attacks by imposing wide-reaching notification requirements on businesses.
However, the new requirements are unusually broad in scope.
What is a ransomware attack?
A ransomware attack is a malicious cyberattack in which the attacker encrypts or locks a victim's systems or data and demands payment to restore access. Attackers increasingly also steal a copy of sensitive data first and threaten to release, sell or destroy it if the ransom is not paid. Payment offers no guarantee: decryption keys may never be provided or may not work, and stolen data may be leaked regardless.
Unless an attack is high profile, it can easily go unnoticed. A business is attacked, the ransom may be paid, and system access may or may not be restored. The business may never call the cyber security hotline or otherwise report the incident to the Australian Signals Directorate.
The Australian Government cannot regulate effectively without visibility of cyber security incidents, and unreported attacks leave it blind to the true scale of the problem. This brings us to the current state of legislative change and the mandatory reporting of ransomware payments.
Who has reporting obligations under the Cyber Security Act?
The new reporting obligations apply to all businesses carrying on business in Australia with an annual turnover exceeding $3 million. They also apply to responsible entities under the Security of Critical Infrastructure Act 2016 (Cth) (together, reporting companies).
When is the reporting obligation triggered?
From 31 May 2025, reporting companies must make detailed reports on ransomware payments made in response to ransomware attacks that have a direct or indirect impact on the reporting company. If a ransomware payment, whether money or some other benefit, is made in response to a ransomware attack, any Australian company affected by the attack must file a Ransomware Payment Report with the Australian Signals Directorate.
The obligation applies regardless of who makes the payment. Once aware of a ransomware payment, the reporting company has 72 hours to report it.
The reporting obligation is broad and may be triggered by events over which the reporting company has no direct control, such as becoming aware of an attack on a third-party software provider that impacts the reporting company. The following scenario demonstrates the breadth of the reporting obligation.
Example
"AustCo," an Australian company with a $5 million turnover, licenses payroll software from "Payroll Pty Ltd," a New Zealand company. On 1 June, "Ransomboys," a hacker group, infiltrates and locks Payroll Pty Ltd's systems, preventing AustCo and other customers from using the payroll software pending payment of a $2.5 million ransom. Facing threats from customers to terminate their licences, Payroll Pty Ltd pays the ransom but does not initially inform its licensees. On 3 June, AustCo's CEO learns of the ransomware payment in a conversation with Payroll Pty Ltd's CEO. AustCo has now become aware of the payment. It must gather the required reporting details from Payroll Pty Ltd (including the total ransom paid and all communications with the attackers) and report the payment within 72 hours.
Entities that fail to report may incur a civil penalty of up to $99,000. The Government has stated that it will initially prioritise warnings and education over civil penalties, but this approach may change in the coming years.
Overlapping requirements
These obligations add a further step to the reporting obligations that already apply when a business suffers a cyber security incident. For example, a ransomware attack that compromises personal information is also likely to constitute a notifiable data breach under the Privacy Act 1988 (Cth), and a responsible entity under the Security of Critical Infrastructure Act 2016 (Cth) will have its own incident-reporting obligations under that Act. Each regime has its own trigger and timeframe, so a single incident can require several separate notifications.
If you have questions in relation to the above, or what you can do to manage your new obligations, please get in touch with Leah Cowell or Alexander Dorrington from Cowell Clarke’s Digital & Technology team.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.