Full Report
Australia is now the first country to require ransomware victims to report if they make any extortion payments to their attackers.
Analysis Summary
# Regulation/Compliance: Australian Mandatory Ransomware Payment Reporting
## Overview
This regulation mandates that specific Australian organizations must report any extortion payments made to cybercriminals following a ransomware attack to the Australian Signals Directorate (ASD) within 72 hours. The goal is to increase government visibility into the scope and nature of the ransomware threat, as voluntary reporting has been significantly underutilized.
## Key Details
- Issuing Authority: Australian Government (Legislation)
- Effective Date: Not explicitly stated as a single date, but compliance reporting commenced after the law took effect on a Friday.
- Jurisdiction: Australia
- Status: In Effect (With an initial period of constructive engagement leading into a hardening of the regulatory approach next year.)
## Requirements
### Mandatory Requirements
1. **Report Ransom Payments:** Victims of ransomware attacks must declare any extortion payments made on their behalf to cybercriminals.
2. **Reporting Timeline:** Reports must be made to the Australian Signals Directorate (ASD) within **72 hours** of the payment being made.
### Recommended Practices
1. **General Incident Reporting:** While not detailed in this summary as a specific *recommendation* for this new law, the context implies that organizations are generally urged by governments globally to avoid funding criminal ecosystems by not making ransom payments.
2. **Resilience Building:** Organizations should assume a breach will occur, focus on building resilience, and implement strong protections to deter attackers (as advised by industry experts).
## Affected Organizations
- Industries: All sectors, with specific attention to **Critical Infrastructure Sectors**.
- Organization Size: Organizations with an **annual turnover greater than AUS $3 million** ($1.93 million), alongside the smaller group of critical infrastructure entities. This threshold is expected to capture the top 6.5% of all registered businesses in Australia.
- Geographic Scope: Australia.
## Compliance Timeline
- **Initial Period (Until Beginning of Next Year):** Government intends to focus on pursuing "egregious" cases of noncompliance while constructively engaging with relevant victims.
- **Beginning of Next Year:** The regulatory approach is scheduled to "harden," implying stricter enforcement for all non-compliant entities.
- **72 Hours Post-Payment:** Deadline to report any extortion payment made.
## Implementation Guidance
### Assessment Phase
- Determine if the organization meets the threshold (annual turnover > AUD $3M) or falls under critical infrastructure definitions.
- Identify internal procedures for tracking and documenting any potential extortion payments made.
### Implementation Phase
- Establish clear internal communication channels to notify the designated personnel responsible for reporting to the ASD immediately following a payment.
- Prepare documentation and evidence necessary for the required report within the 72-hour window.
### Validation Phase
- Conduct drills or tabletop exercises to test the efficacy of the 72-hour mandatory reporting procedure following a simulated payment event.
## Technical Requirements
No specific technical controls were mandated within this article regarding *how* the payment was made or *how* the reporting is delivered, beyond the requirement that the report itself must be submitted to the ASD.
## Penalties & Enforcement
- Fines: Failure to make a report could result in a penalty equivalent to **60 penalty units** within the Australian civil penalty system.
- Other Consequences: Initial enforcement will target "egregious" cases, suggesting compliance efforts should be swift to benefit from the constructive engagement period.
- Enforcement: The Australian Signals Directorate (ASD) is the recipient agency, suggesting enforcement actions will be coordinated by relevant regulatory bodies.
## Related Standards
- Counter Ransomware Initiative (Mentioned generally regarding global efforts to dissuade payments).
- The focus is primarily on a *legislative reporting mandate* rather than a specific technical or security framework (like NIST or ISO).
## Resources
- Official Documentation: Reference to the Bill originally proposed last year (link provided in context but defanged here).
- Guidance Documents: Organizations should seek specific guidance issued by the Australian Signals Directorate (ASD) regarding the precise format and method for submitting the mandatory payment report.
## Practical Recommendations
- **Immediately Confirm Scope:** Determine instantly if the organization is subject to the mandatory reporting rules based on revenue and sector.
- **Prioritize 72-Hour Response:** Develop a clear, executable protocol to compile required information and submit the report to the ASD within 72 hours post-payment.
- **Document Everything:** Maintain detailed records of all communications, negotiations, and the final decision surrounding any ransom payment.
- **Prepare for Hardening:** Assume that after the initial grace period, enforcement will become significantly stricter, necessitating robust compliance practices immediately.