New Australian Ransomware Action Plan: Mandatory Reporting Regime for Businesses with > 10M AUD TO

Karen Andrews, the Australian Minister for Home Defence, has today announced a new Ransomware Action Plan (). Following the by Tim Watts earlier this year suggested regulatory changes (see our previous article), the new bill aims to:

  • Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals.
  • Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians.
  • Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties.
  • Criminalise the buying or selling of malware for the purposes of undertaking computer crimes.
  • Modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.
  • Establishment of a multi-agency taskforce Operation Orcus, led by the Australian Federal Police.

Especially important for cyber insurance and risk modelers is the mandatory reporting of ransomware attacks for all enterprises with an annual turnover exceeding 10 Mil AUD. We hope that the datasets will be made available to academic researchers and other interested parties in the future and that the data is structured with future analysis in mind.

From a global perspective, we hope that other jurisdictions follow the Australian example for mandatory reporting of ransomware attacks. From a public welfare perspective, this is as a free of a lunch as there is.


Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.