A step towards filling the ransomware ‘policy vacuum’
Governance Institute has been monitoring and engaging with key stakeholders on the optimal policy response to the pressing issue of ransomware.
Following our Risk and Technology Committee’s discussions about the governance and risk implications of this rapidly emerging threat, we published a member resource.
This outlines the Federal Opposition’s proposal for a mandatory reporting scheme that would require notification of ransomware payments, with the potential for public reporting. This would be similar in operation to the existing data breach notification scheme overseen by the Office of the Australian Information Commissioner (OAIC). Following this, the Commonwealth Government has announced its proposed Ransomware Action Plan. The reform package includes a range of new criminal offences intended to facilitate increased law enforcement cooperation and the investigation and seizure of ransomware payments.
Similar to the Opposition’s Bill, it also includes a mandatory notification scheme requiring Australian businesses with over $10 million annual turnover to make incident reports if they fall victim to ransomware attacks and have made ransom payments. This scheme appears to go further by requiring notification of all ransomware attacks, even where no ransom is paid.
It is not clear at this stage if these incident reports would be made public. This is an important consideration, especially for listed companies. The potential for regulatory duplication with the existing data breach scheme will also need to be considered.
Department of Home Affairs Secretary Mike Pezzullo indicated to the Senate on 25 October that draft legislation giving effect to the Ransomware Action Plan is unlikely to be tabled in Parliament this year. The International Cyber Policy Centre, based in Canberra, recently warned that a ‘policy vacuum’ is making Australia an ‘attractive market’ for ransomware criminals, and called for ‘urgent action’. The Commonwealth Government also warned in August that it was receiving ‘increased reports of ransomware incidents’ and that the attacks ‘continue to threaten Australian businesses, organisations, and families’.
Ransomware was the most frequently cited cyber threat exploiting common software vulnerabilities in a recent joint advisory by authorities in the US, United Kingdom and Australia. Organisations notified the OAIC of 24% more ransomware attacks resulting in data breaches in the first half of 2021 compared to the last half of 2020.
There are, however, promising signs of international coordination. In October, INTERPOL arrested suspected ransomware criminals in Ukraine, and US President Joe Biden announced a 30-country summit on cyber security collaboration and disrupting ransomware.
Governance Institute will keep members informed of any legislative developments and the potential for further consultation.