The Australian government has passed the new Cyber Security Act, which was recently approved by Parliament. One of the most critical provisions of this new law mandates that organizations must report ransomware payments made to hackers within 72 hours. This change is aimed at improving Australia’s cyber resilience and deterring cybercriminals while ensuring that businesses remain accountable for their actions.
The Australian Cyber Security Act introduces a host of new requirements for organizations, particularly those impacted by ransomware attacks. Notably, businesses must now notify the Australian Signals Directorate (ASD) within 72 hours if they make a payment in response to a ransomware attack. This move is intended to help the ASD monitor ransomware trends, assess potential threats to national security, and aid in law enforcement’s ability to track cybercriminals.
The Australian Cyber Security Act int and the Legal Obligations
While the new law emphasizes quick reporting, it does not necessarily absolve organizations from the broader legal obligations associated with paying a ransom. This legislation aims to strike a balance between addressing immediate security concerns and protecting the legal interests of businesses.
As part of the Australian Cyber Security Act, the law specifically notes that while payments to cyber criminals are discouraged, there may be exceptional cases where paying a ransom is justifiable. The government strongly advises against ransom payments as it seeks to reduce the financial incentive for cyber criminals and make Australia a less attractive target for cyberattacks.
Key Provisions of the Cyber Security Act
The 72-hour reporting obligation for ransom payments is one of the most interesting changes under the new Cyber Security Act. Companies—except for small businesses—must now report to the ASD if they make any ransomware payments, regardless of the amount. The law also includes provisions that preserve the company’s legal rights during these notifications, ensuring that it does not automatically waive privileges such as attorney-client communications.
In addition to reporting ransom payments, new security standards for smart devices will also be enforced under the Act. Manufacturers of Internet of Things (IoT) devices, including televisions, speakers, watches, and doorbells, will be required to meet new security standards. These standards will include secure default settings, unique passwords for each device, and encryption of sensitive data. While the specifics of these requirements are still being finalized, the initiative is a clear effort to address the growing risks associated with the interconnectedness of modern technology.
Another notable addition to the Australian Cyber Security Act is the establishment of a Cyber Incident Review Board. This board will be responsible for reviewing major cyber incidents, including ransomware attacks, that impact national security or public welfare. The board will assess how organizations responded to incidents and offer recommendations to improve future responses. However, the board will not assign fault or prejudice the legal rights of the organizations involved.
Expanding the Scope of the Security of Critical Infrastructure Act
The Cyber Security Act also expands the Security of critical infrastructure Act 2018 (SOCI Act) to cover data systems associated with critical infrastructure. With the increasing dependence on digital systems in sectors such as utilities, healthcare, and finance, these systems have become prime targets for cyberattacks.
The amendments will allow regulators to ensure better protection for data systems linked to critical infrastructure assets. This change grants authorities’ additional powers to assess and address vulnerabilities that could impact national security or public safety.
Organizations that manage critical infrastructure systems must now meet new obligations to protect these systems from cyber threats. This includes preparing for heightened regulatory scrutiny and ensuring their cybersecurity measures are enough to handle increasing threats in this domain.
Implications for Organizations and How to Prepare
The introduction of the Cyber Security Act will have far-reaching consequences for businesses, particularly those dealing with sensitive information or critical infrastructure. To stay compliant, organizations must strengthen their cybersecurity protocols, especially regarding the mandatory 72-hour reporting obligation for ransomware payments. This may involve refining incident response plans, revising risk management frameworks, and ensuring that employees are trained to handle cyber incidents effectively.
Furthermore, companies must be mindful of their broader regulatory responsibilities. In addition to the new reporting requirements under the Australian Cyber Security Act, organizations must continue to comply with existing regulations, such as the Privacy Act and the Security of Critical Infrastructure regime. These regulations are still in effect, and businesses should be aware of how they interact with the new law to ensure comprehensive compliance.
Directors of organizations should also take note of their general duty to act in the company’s best interests. This includes weighing the risks associated with making a ransom payment, considering whether it will truly resolve the cyber incident, or if it will only make the organization a future target. The decision to pay a ransom may also expose the company to legal risks under counter-terrorism and anti-money laundering laws.
