Australia has made a significant stride in strengthening its cybersecurity defenses with the passing of a new law that mandates the reporting of ransom payments. This legislation, which passed both houses of Parliament, is a key component of the country’s broader strategy to combat cyber threats and enhance national resilience. By requiring certain organizations to disclose ransom payments, the government aims to gain better insights into the economic and social impacts of ransomware attacks, which have become increasingly prevalent in recent years. Under previous regulations, only a small fraction of organizations reported such payments, but this new law seeks to change that by making it mandatory for businesses to share this critical information.
The Cyber Security Act, as part of a broader legislative package, also introduces stronger protections for connected devices and critical infrastructure. Under the new law, the Minister for Cybersecurity is empowered to establish mandatory cybersecurity standards for smart devices sold or manufactured in Australia. Government agencies can now test these devices for vulnerabilities, and if issues are identified, they can order the devices to be removed from the market. These measures are designed to reduce the risks associated with poorly secured devices, which are often targeted by cybercriminals as entry points for larger attacks.
In addition to the mandatory reporting of ransomware payments, the legislation also introduces a Cyber Incident Review Board. This board will conduct thorough post-incident reviews of significant cyberattacks and incidents, providing no-fault analyses to help organizations improve their cybersecurity practices. The goal is to create a system where businesses can freely share information about incidents without the fear of legal repercussions, ensuring more effective collaboration between the private sector and government agencies. This will, in turn, help organizations better prevent, detect, and respond to future cyber threats.
The new laws also amend the Security of Critical Infrastructure Act 2018, empowering the government to classify certain data storage systems as critical infrastructure assets. Operators of these systems will be required to adhere to new cybersecurity regulations, and in the event of a breach, the government can direct them to take specific actions to mitigate the impact. With these comprehensive reforms, the Australian government aims to create a more secure and resilient digital landscape, ensuring that the country is better prepared to face the evolving cyber threat landscape in the years ahead.