Victims Must Disclose Ransom Payments Under Australian Law
New Law Calls for Better Reporting, Securing Devices and Critical Infrastructure

The Australian government's proposed cybersecurity legislation passed both houses of the Parliament on Monday, formalizing the government's strategy to boost ransomware payment reporting, mandate basic cybersecurity standards for connected devices and enhance critical infrastructure security.
The Cyber Security Act forms part of a comprehensive cybersecurity legislative package that also would amend the Security of Critical Infrastructure Act 2018 to better secure critical infrastructure systems and establish a Cyber Incident Review Board to review significant cybersecurity incidents and issue public findings.
Cybersecurity Minister Tony Burke said the Cyber Security Act's passage is a "landmark reform" under the government's eight-year cybersecurity strategy that seeks to make Australia the world's most secure nation by 2030.
"The government has passed into law Australia's first stand-alone Cyber Security Act, a key pillar in our mission to protect Australians from cyberthreats," Burke said. "This package forms a cohesive legislative toolbox for Australia to move forward with clarity and confidence in the face of an ever-changing cyber landscape."
The Cyber Security Act empowers the minister to set mandatory cybersecurity standards for smart devices manufactured or sold in Australia. It gives government agencies power to test internet-connected devices for cybersecurity vulnerabilities and order their removal if vulnerabilities are found.
The law also imposes a limited use obligation on government cybersecurity agencies that investigate cybersecurity incidents reported by businesses. Under this obligation, agencies may use and share such data only to investigate specific incidents, ensuring that the information cannot be used to target the reporting organization through lawsuits or other means. Burke said the obligation will facilitate "rapid and open sharing of information" between victim organizations and the government.
The legislative package, introduced in the Parliament on Oct. 9, followed a lengthy consultation process the government began in December to obtain feedback on plans to align the country's cybersecurity laws and regulations with the Australian Cyber Security Strategy (see: Australia May Require Businesses to Report Ransom Payments).
The government's stated aim in presenting the bills was to enhance transparency and gather as much information about the cybersecurity landscape as possible in order to respond better to emerging threats. Aside from the limited use obligation, the act mandates ransomware payment reporting by a certain category of organizations, with the minimum threshold for that category to be determined by the government.
The government said in an explanatory memorandum attached to the Cyber Security bill that ransomware payment reporting will help it gain a better understanding of "the economic and social impact of ransomware in Australia." Under the previous voluntary reporting scheme, only one in five organizations reported making ransomware payments.
The Cyber Security Act also establishes a Cyber Incident Review Board that will conduct no-fault, post-incident reviews of significant cybersecurity incidents and make recommendations to help victim organizations prevent, detect, respond to and minimize the impact of security incidents in the future.
Amendments to the Security of Critical Infrastructure Act 2018 also give the government power to categorize certain data storage systems as critical infrastructure assets and require their owners to apply critical infrastructure regulations to the assets. The government also will gain powers to direct critical infrastructure operators to take certain actions following a cybersecurity incident.