Last week the Department of Home Affairs Minister Karen Andrews released the Government’s Ransomware Action Plan (the Action Plan), which contains a commitment to a new mandatory reporting regime in response to the sharp increase in ransomware attacks.
The Government said the reporting regime would be used to better understand the ransomware threat and enable better support to victims of ransomware attacks.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Minister Andrews said. “Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses”.
Ransomware attacks are significantly on the rise in Australia, according to the national cyber agency, which now describes the extortion tactic as the “most serious cybercrime threat” in Australia.
The Action Plan contains policy and operational responses as well as legislative reforms (see below). Critically, the Action Plan also makes clear that the Australian Government does not condone ransom payments to cyber criminals. This is food for thought given that our understanding, from media reports and from speaking to our network of professionals in this space, is that in the Australian market over the last 18 months ransoms have often been paid by organisations where their mission-critical systems become inoperable due to a ransomware attack.
Key drivers for the Action Plan’s inclusion of the new mandatory reporting obligation appear to include the lack of reporting of these attacks under the current mandatory reporting regime contained in the Privacy Act (which requires that certain serious data breaches involving personal information be notified to the Privacy Commissioner and affected individuals). The Government has also expressed frustration over the lack of transparency and cooperation from organisations when these attacks occur.
What is in the Action Plan?
Key elements of the Action Plan include:
- Introducing specific mandatory ransomware incident reporting to the Australian Government
- Introducing a stand-alone offence for all forms of cyber extortion
- Introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (noting critical infrastructure is also proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 – for more on this see our recent eAlert)
- Modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains
- Establishment of the multi-agency taskforce ‘Operation Orcus’ as Australia’s strongest response to the surging ransomware threat, led by the Australian Federal Police
- Awareness raising and clear advice for critical infrastructure, large businesses and small to medium enterprises on ransomware payments
- Joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors engaging in ransomware
- Actively calling out those who support, facilitate or provide safe havens to cybercriminals.
What is clear is that organisations will need to start preparing for these new legislative obligations and consider how cybersecurity controls, policies, procedures and risk management frameworks will need to evolve to account for these latest developments.
We will continue to keep you updated on future developments.