Ransomware Payment Reporting Mandate Introduced in Australia

By Netvora Tech News

---

From today, Australian businesses and vital organizations that fall victim to ransomware attacks and pay off the criminals will be required to report the payments to the government within 72 hours. This move makes Australia the first country to introduce a mandatory reporting requirement for ransomware and cyber extortion payments. The new regulation applies to businesses operating in Australia with an annual turnover of AUD 3 million or more, or those responsible for critical infrastructure. This includes situations where third-party payments are made on behalf of these organizations. The reporting requirement is designed to provide a clearer understanding of the extent of the problem, as current statistics suggest that many organizations do not report paying ransomware demands. According to the Australian Institute of Criminology, only one in five victims of ransomware attacks report the incident. This lack of transparency makes it difficult for authorities to assess the economic and social impact of ransomware attacks in the country. The Australian government estimates that Australian businesses paid out approximately AUD 9.27 million in ransomware demands last year. The introduction of mandatory reporting is aimed at addressing this issue and providing insight into the number of businesses affected, who is making the payments, and how. "This will give us a better understanding of how many businesses are being extorted, who is making these payments, and how," said Tony Burke, Australia's Minister for Cyber Security, last year. Organizations that fail to report ransomware payments within the 72-hour deadline will be required to provide detailed information about the incident and the payment. The Australian government has published a document explaining the circumstances in which the reporting requirement applies.