On 21 June 2021, Shadow Assistant Minister for Cyber Security, Tim Watts, introduced the Ransomware Payments Bill 2021 (Bill) to the Federal Parliament, which proposes mandatory notification of ransomware payments by most entities.
The Bill was moved to a second reading on the same day and no amendments have been proposed. If passed, the Bill will require public and private entities (with the exemption of small businesses, sole traders, unincorporated entities and charities) to notify the Australian Cyber Security Centre (ACSC) of a ransomware incident and payment as soon as practicable.
The explanatory memorandum to the Bill [1] sets out that the information is intended to be used to:
- inform the private sector through the ACSC threat-sharing platform;
- assist law enforcement; and
- inform policymaking and track the effectiveness of policy responses.
The memorandum identifies the urgent need for the proposed measures, which are intended to be part of a comprehensive plan to tackle the crisis caused by the increasing frequency and severity of ransomware incidents. To highlight the issue, the memorandum refers to the incidents that impacted JBS Foods, Nine Entertainment and the Colonial Pipeline in the United States.
Mr Watts, in his second reading speech [2], was critical of Australia's response to date in combating ransomware and referred to comments in the Financial Times by the former head of MI6, Alex Younger, that ransomware "is not merely a criminal problem but a national security and geopolitical one, too."
The Colonial Pipeline incident is of particular significance. The payment, and the subsequent recovery of the majority of the US$4.4 million ransom, drew headlines. However, the interruption it caused to fuel supplies resulted in US federal and state governments declaring states of emergency and taking urgent countermeasures.
Mr Watts referred to an estimate by security firm Emsisoft that the cumulative cost of ransomware to Australia is about $1 billion annually.
However, Mr Watts noted that tackling cyber security should not just be an organisational security issue and that a greater policy response is required. In previous articles, we have highlighted steps businesses should be taking to mitigate cyber risk, including that posed by ransomware.
Recent incidents have shown that businesses working together with government agencies can help other companies combat cyber incidents. For example, the ACSC used information from the Channel Nine hacking incident in March to warn other organisations that were being targeted by the same threat actors.
We will provide a further update in future publications. If you need advice on how to mitigate cyber risk or deal with a cyber incident, we can assist with a range of services and expertise.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.