Australian businesses with annual turnover above $10 million will need to report ransomware incidents under a new scheme in development as part of the Federal Government's Ransomware Action Plan.
The government says the new mandatory reporting regime will be designed to benefit, not burden, small businesses, with the aim of enhancing understanding of the threat and enabling better support for victims of ransomware attacks.
Harsher penalties will also be introduced for cyber criminals.
Minister for Home Affairs Karen Andrews said individuals, businesses and critical infrastructure across Australia would be better protected as a result of the new plan.
"Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country," Minister Andrews said.
"Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.
"That’s why the Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances."
The government has announced it will undertake the following actions as part of the plan:
- Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
- Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
- Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
- Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
- Modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.
Jacqueline Jayne, security awareness advocate for the Asia-Pacific region at global security awareness training company KnowBe4, says mandatory reporting of ransomware attacks is a move in the right direction.
"We need more visibility and transparency to encourage more conversations about the impact and ferocity of ransomware attacks or near misses," Jayne says.
"The increase in discussion would bring with it an opportunity to educate all Australians about cybersecurity risks, and reporting can be used as a tool to share and to learn from these incidents."
She adds mandatory reporting on ransomware incidents can also provide a positive move towards collaboration.
"Data can be used as a learning opportunity so that we can share findings, share stories, and then potentially share solutions within the cyber community," she says.
"Furthermore, this brings the conversation to the broader community as cybersecurity is everyone's responsibility."
However, Kaspersky Australia and New Zealand general manager Margrith Appleby argues the mandate should be set by business type and not revenue.
"There is absolutely a place for Government support in the fight against ransomware, however we need to understand the full advantage of mandating ransomware reporting for all businesses with $10m annual turnover to ensure this doesn’t cause additional administration and compliance pressures for thousands of businesses," Appleby says.
"I believe our focus should be on assisting business in both prevention and detection of such attacks, and providing them with the tools with which to respond appropriately.
"Setting the reporting mandate by business type or industry, rather than revenue size, may be the right move. For example, if an industrial or supply chain organisation is attacked, it can have an enormous impact on our essential services such as access to electricity, water or fuel supply."