Adrian Johnson
TLDR:
Australian companies will soon need to report ransom payments to the government, with fines for non-compliance, mirroring CIRCIA in the US.
Key Points:
- Australian government to implement no-fault, no-liability ransomware reporting obligation for businesses
- Businesses making more than $3 million AUD in annual revenue will be required to report ransom payments
Article Summary:
Australian companies are facing upcoming legislation that will tighten the regulations around reporting ransom payments, similar to laws in the US. The new rule, expected to be part of the Cyber Security Act, will mandate businesses making over $3 million AUD to disclose ransom payments to the government. While fines for non-compliance are relatively low at $15,000, the goal of the law is to track funds going to cybercriminals.
The proposed bill mirrors the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, requiring prompt disclosure of ransom payments. This move is a response to the significant cyberattacks that have hit Australia in recent years, causing billions in damage annually. The hope is that mandatory disclosures will incentivize companies to invest more in cyber defenses and incident response plans to avoid financial and reputational scrutiny.
However, the new regulation may affect different organizations differently, with larger companies benefiting from clearer regulations while smaller ones may struggle with compliance and fines. The Australian Chamber of Commerce and Industry has proposed a minimum revenue threshold of $10 million for businesses affected by the reporting rule.
Overall, the implementation of mandatory ransom disclosure is aimed at providing law enforcement with better visibility into cyber incidents and creating stronger incentives for companies to enhance their cybersecurity measures.
