Key takeaways
- The Cyber Security Act 2024 (Cth) (Act) introduces mandatory reporting of ransomware and cyber extortion payments as of 30 May 2025.
- Businesses with an annual turnover above $3 million will be required to report ransomware payments.
- A ransomware payment report must be made within 72 hours of making a ransomware payment.
- Failing to make a ransomware payment report can result in a maximum penalty of $19,800.
Why is reform needed?
According to the Office of Impact Analysis, cyber extortion (particularly ransomware attacks) continues to be a growing threat to Australian businesses and citizens. Ransomware uses malicious software that encrypts devices, folders and files, rendering them inaccessible unless a ransom is paid.
The Australian Cyber Security Strategy prioritises disrupting the ransomware business model and preventing cybercriminals from profiting from attacks on Australian businesses and citizens. However, the under-reporting of ransomware payments has limited the Australian Government’s understanding of the cyber threat landscape, which is critical to addressing increased extortion-related cyber security incidents and developing policy options to break the ransomware business model.
The Act is designed to protect Australian people and businesses, mitigate cyber risks and improve the Government’s visibility of the threat environment.
The Act:
- mandates minimum cyber security standards for smart devices;
- introduces a Limited Use obligation for the National Cyber Security Coordinator to encourage industry engagement with the government following cyber incidents; and
- establishes a Cyber Incident Review Board to conduct reviews of significant cyber incidents and share lessons learned.
Summary of the proposed reform
The Act became law on 29 November 2024; however, the ransomware reporting obligations commence on 30 May 2025.
1. Do you need to report?
Reporting obligations will apply to ‘reporting business entities’, defined as businesses with an annual turnover that exceeds the $3 million threshold, as well as the responsible entity for a critical infrastructure asset as defined in the Act.
2. Do you need to make a report?
Reporting obligations will arise if all of the following apply:
- An incident has occurred, is occurring or is imminent;
- The incident is a cyber security incident (this includes ransomware incidents and other types of cyber extortion, e.g. data exfiltration accompanied by a demand and payment);
- The incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
- The extorting entity makes a demand of the reporting business entity in order to benefit from the incident; and
- The reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity directly related to the demand.
3. When do you need to make a report?
Within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment has been made).
4. How do you make a ransomware payment report?
A report must be made on a portal which will be developed on the Australian Signals Directorate’s cyber.gov.au website.
The report must contain the following information:
- the contact and business details of the entity that made the payment;
- the cyber security incident, including its impact on the reporting business entity;
- the demand made by the extorting entity;
- the ransomware payment;
- communications with the extorting entity relating to the incident, the demand and the payment.
5. What happens if you don't report within 72 hours?
A civil penalty of $19,800 can apply where a reporting business entity does not make a mandatory ransomware payment report when they are obligated to do so.
What steps should your business take now?
Businesses will need to update their cyber incident / data breach response plans to include this requirement, and importantly, businesses will need to factor this into their decision-making as to whether or not they will actually pay a ransom.
Need more information?
If you’d like to learn more about these reporting obligations and how they may impact your business, or assistance with drafting or updating your cyber incident / data breach response plans, please contact a member of the Corporate and Commercial Advisory team and/or Gina Tresidder or Jonathan Teh directly. We would be happy to provide more detailed advice tailored to your circumstances.