Australia Mandates Disclosure of Cyber Ransom Payments in New Law

In a significant move to combat cybercrime, Australia is set to introduce the Cyber Security Act, requiring businesses to disclose ransom payments made to hackers. The landmark legislation aims to shed light on a growing practice that has largely remained hidden from public view.

Recent data from the Australian Cyber Security Centre reveals cyber incidents occur every six minutes on average, with ransomware attacks increasing five-fold since the pandemic. Even more alarming, estimates suggest billions of dollars in ransoms are being paid across the Five Eyes intelligence alliance countries, with criminals reinvesting these funds into further attacks.

The new law will apply to businesses with annual turnovers exceeding $3 million, though industry groups argue this threshold is too low. The Australian Chamber of Commerce and Industry warns that small businesses might struggle with compliance, suggesting the limit should be raised to $10 million.

To encourage transparency, the government has included a “Limited Use Provision” that prevents the Australian Signals Directorate and Australian Cyber Security Centre from sharing disclosed information broadly. While this provision offers some protection, businesses will not receive complete immunity from prosecution if they’ve failed to implement adequate security measures.

The legislation also introduces international standards for Internet of Things devices and establishes a Cyber Incident Review Board to analyse major breaches. Notably, the government’s initial plan to completely ban ransom payments has been shelved in favour of first understanding the scale of the problem.

Cybersecurity experts support the balanced approach, though they emphasise the need for additional measures to prevent unnecessary data collection by businesses and government agencies. With nearly one-third of reported cybersecurity incidents affecting the public service, the legislation represents a crucial step toward a more comprehensive national cybersecurity strategy.

The legislation received Royal Assent on 29 November 2024 and is now law.

For a full reading of the media release, see here.