Australian law mandates reporting of ransomware payments
The Australian Government has recently proposed new cyber security legislation that would make it mandatory for companies to report any ransomware payments they make, a requirement that could set a precedent globally.
This legislative move aims to bring transparency to the currently opaque area of cybercrime reporting, especially in the face of increasing ransomware attacks impacting numerous organisations.
Andrew Kay, Director of APJ Systems at Illumio, has shared his insights on this legislative development, noting that it is a promising initial step towards bridging the gap between ransomware crimes and their reporting. "Australia's new Cyber Security Act will make it mandatory for those who pay ransom to report it," Kay explained. "Currently, there are huge discrepancies in ransomware crime and what's reported, so this is a good first step forward in closing that gap." Despite these advancements, Kay cautions that this measure alone is insufficient to resolve the broader issue of ransomware attacks, which continue to evolve and pose a threat to both organisational data and reputations.
Kay advocates for strengthening cybersecurity infrastructures to manage and mitigate attacks, suggesting approaches like Zero Trust Segmentation (ZTS). He points out that ZTS "stops the spread of breaches by isolating workloads and devices across clouds, data centres, and endpoints." Segmentation of this kind protects organisational systems by controlling which communication channels are permitted and restricting unauthorised access between them.
The proposal has also caught the attention of ransomware specialist Allan Liska, an analyst at Recorded Future, a company that Mastercard recently acquired for USD 2.65 billion. Liska highlights the significance of Australia's initiative, stating, "The new law... would make Australia the world's first country to require companies to report to the government any ransomware payments they make." He emphasises the law's potential to bring transparency to how businesses handle ransomware, which could be of substantial value.
Liska, however, strongly advises businesses to avoid paying ransoms altogether, outlining both moral and technical hazards associated with such payments. "Paying the ransom directly funds criminal enterprises," Liska cautions, "making their attacks much more effective against the next victims... victims who pay are often targeted again." He recommends organisational leaders gain full visibility into the ransomware attack lifecycle to better anticipate and thwart potential threats before they escalate into financial demands.
For situations where paying the ransom seems unavoidable, Liska suggests engaging professional ransomware negotiators to potentially mitigate losses. He also warns businesses against relying solely on cyber insurance policies to cover ransom payments, a practice that is becoming less dependable as insurers reevaluate their coverage terms.
Both experts agree that mandatory reporting of ransomware payments should be accompanied by efforts to equip organisations with the tools and knowledge to avoid becoming victims in the first place. Effective early detection and a clear understanding of ransomware risks are critical, a point Liska emphasised in insights shared during Recorded Future's annual Predict event. The introduction of AI-driven capabilities that generate ransomware risk profiles aims to provide real-time insight into the activities of ransomware groups, helping organisations improve their defensive strategies.
This proposal and the ensuing discussions are a part of a larger cyber regulatory conversation that places emphasis on drawing clearer lines of accountability and action in the rapidly shifting landscape of cyber threats. As Australia leads this charge, the global community watches closely, assessing the potential impact and value of such legislative efforts in the ongoing battle against cybercrime.