In October 2021, the Department of Home Affairs released its Ransomware Action Plan. A copy of the Ransomware Action Plan in its entirety can be located here.
The Ransomware Action Plan identifies three primary objectives:
- building Australia’s resilience to attacks;
- strengthening responses to ransomware attacks by ensuring support is available to victims; and
- disrupting cybercriminals through deterrence and offensive action by strengthening Australia’s criminal law regime and increasing the risk of ransomware gangs being caught.
The Ransomware Action Plan also reaffirms that the Australian government does not condone ransom payments being made to cybercriminals. Any payment to cybercriminals fuels the ransomware business. Further, even if victims pay a ransom demand, there is never a guarantee that they will regain access to the lost or encrypted information, and it may in fact open the victim up to repeated attacks.
Among the handful of legislative reforms proposed by the Ransomware Action Plan is a specific mandatory ransomware incident reporting obligation on certain businesses. Under the current proposals, there would be an express obligation on Australian businesses with an annual turnover of $10 million or more to notify the Australian government if they are the subject of a ransomware attack.
Presently, the Privacy Act sets out a mandatory reporting regime only for certain organisations and agencies when a data breach has occurred and personal information has been accessed or disclosed without authorisation.
In other cases, the current ransomware reporting regime is a voluntary one. Understandably, businesses in the past have been reluctant to disclose when they are subjected to ransomware attacks (whether or not the ransom was paid), for a multitude of reasons, including a fear of being a repeat target and reputational damage.
Even so, over the past 12 months, Australia has faced a 15% increase in ransomware attacks reported to the Australian Cyber Security Centre. It is clear that ransomware attacks are an increasingly prevalent threat to businesses and individuals.
Other legislative reforms proposed by the Ransomware Action Plan include:
- introducing a stand-alone offence for all forms of cyber extortion;
- introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure; and
- modernising legislation to ensure that cybercriminals are held to account, and law enforcement is able to track and seize the proceeds of their crimes.
Given the inherently global nature of ransomware attacks, the Ransomware Action Plan also foreshadows joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute cybercriminals engaging in ransomware attacks. Among other things, the Ransomware Action Plan also proposes policy and operational changes, such as the establishment of a multi-agency taskforce, Operation Orcus, led by the Australian Federal Police to target ransomware threats both in Australia and overseas.
The Ransomware Action Plan sets out the Australian government’s proposed response to tackle the increasingly prevalent and serious threat to Australian businesses, including imposing disclosure obligations on certain businesses subjected to ransomware attacks. Undoubtedly, the best way for businesses to avoid having to disclose a ransomware attack is stringent preparation and prevention to avoid a ransomware attack to begin with. In that regard, the Ransomware Action Plan is a good reminder for all businesses (and individuals) to check in with their cybersecurity protocols and processes to make sure they are as prepared as possible.
If you have any questions in relation to Cyber Security or would like legal advice on your current obligations in respect of Cyber Protection, Data Protection or Cyber Law generally, please contact Iain Freeman.