The Australian government is considering introducing new laws that would require businesses to report ransomware incidents or payments made to cyber criminals. This proposed ransomware reporting obligation is part of the 2023-2030 Australian Cyber Security Strategy Action Plan released in November 2023.
Ransomware has become one of the biggest cyber threats facing organizations today. These malicious attacks involve hackers encrypting an organization's data and systems, holding them hostage until a ransom payment is made, often demanding cryptocurrency like Bitcoin. Many businesses prefer to pay the ransom, seeing it as the quickest way to recover their data and operations.
However, paying ransoms fuels the ransomware business model and perpetuates the cycle of these attacks. The Australian government wants to crack down on this by increasing visibility into the true scale of the ransomware scourge through mandatory reporting.
Under the action plan, the government will "work with industry to co-design options for a mandatory no-fault, no-liability ransomware reporting obligation for businesses to report ransomware incidents and payments."
The details still need to be worked out, such as which businesses would be covered, what reporting timeframes would be required, and what processes would be involved. But the intent is to implement a comprehensive ransomware reporting regime.
This would likely require businesses that suffer a ransomware attack to report it to government authorities like the Australian Cyber Security Centre within a set timeframe. If a ransom is paid, that payment would also have to be reported. The government stresses that any mandatory reporting would be "no-fault" and "no-liability" to encourage full transparency. Businesses would not be penalised or liable simply for being a victim and reporting an attack.
However, some in the business community have expressed concerns about the regulatory burden of mandatory reporting and whether it could create a disincentive to being transparent if liability fears still linger despite the no-fault assurances.
These mandatory ransomware reporting rules are yet to be finalised, but businesses should start preparing now. This includes reviewing cyber incident response plans, ensuring they have processes to collect and report on ransomware attacks, and looking at cyber insurance and cryptocurrency policies in case ransom negotiations do still occur.