On 30 May 2025, new cyber security regulations came into force under the Cyber Security Act 2024 (Cth). The regulations mandate that ransomware attacks be reported by Australian entities with an annual turnover that exceeds $3,000,000.

The laws do not prohibit the payment of ransom money following a cyber-attack, but rather force companies to be transparent regarding payments made.

Do I need to make a report?

An entity that has been subject to a ransomware attack must make a report within 72 hours from making a ransomware payment or from becoming aware that a ransomware payment was made.

Reports can be made on the cyber.gov.au website and must include information that is known to the reporting entity, or available by reasonable search, in relation to:

  • the contact and business details of the entity that made the payment;
  • the cyber security incident, including its impact on the reporting business entity;
  • the demand made by the extorting entity;
  • the ransomware payment; and
  • communications with the extorting entity relating to the incident, demand and the payment.

Lavan comment

In FY2023-24, the Australian Signals Directorate received over 36,700 calls to its Australian Cybersecurity Hotline, an increase of 12% from the previous financial year, and responded to over 1,100 cybersecurity incidents, highlighting the continued exploitation of Australian systems and the ongoing threat to critical networks.

As cyber-attacks become more frequent and sophisticated, it is more important than ever to have an appropriate incident response plan in place. Paying a ransom does not necessarily mean that a company will have the data being held released, or that the data has not been, or will not be, leaked by the extorting entity.

ASIC has warned board directors that it will seek to make examples of boards that are ill-prepared for cyber-attacks, by taking legal action against companies that have not taken steps to protect customer data (Boards’ Oversight Of Cyber Risk – Your Obligation To Be Prepared For Attack | Lavan).

If you or your business would like further advice or assistance on reporting obligations or on how to minimise any risk with respect to the cyber security of your business, please reach out to Iain Freeman.


Disclaimer

The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
