Australian Government unveils its Ransomware Action Plan


Written by Andrew Hannay, Cheng Lim and Sean Field.

The Plan proposes mandatory ransomware incident notification requirements for large Australian businesses and new, stronger criminal offences applicable to cybercriminals. Similar legislation may soon be enacted in the United States.


On 13 October 2021, the Minister for Home Affairs unveiled a 'new and comprehensive' Ransomware Action Plan (Plan). Under the Plan, the Australian Government has disclosed upcoming legislative and operational/policy reforms intended to better protect individuals, businesses and critical infrastructure across Australia against ransomware. The Plan outlines initiatives the Government has already undertaken to improve cyber security generally, as well as future legislative reforms aimed specifically at disrupting and deterring ransomware attacks.

The Plan also clearly sets out the Commonwealth's policy position on the payment of ransoms: the Commonwealth does not condone the payment of ransoms. We have previously provided guidance on the legal risk associated with paying a ransom.

Key legislative initiatives

Under the Plan, the key future initiatives to deter ransomware attacks include:

  • Specific mandatory ransomware incident reporting to the Australian Government. The Government has indicated that this would apply only to businesses with turnover exceeding $10 million per year. Voluntary reports are currently received by the Australian Cyber Security Centre (ACSC), an agency of the Australian Signals Directorate, and we expect that it will continue to receive reports on behalf of the Government under the new legislation.

  • Legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments in cryptocurrency.

  • Introducing a stand-alone offence for all forms of cyber extortion. Presumably this will extend beyond ransomware to other forms of cyber extortion, such as threats of Denial of Service attacks.

  • Criminalising the buying or selling of malware for the purposes of undertaking computer crimes.

  • Criminalising dealing with data known to have been stolen in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or who publicly release a victim's sensitive data, face increased penalties. Because the offence will extend beyond data stolen in a ransomware attack to data stolen in the course of other criminal offences, its actual breadth, and its application to those who "steal" data, remains to be seen.

  • A stand-alone aggravated offence for cybercriminals who target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill)). We have published previous alerts on the purpose of the reforms and the content of the SOCI Bill. The Government has indicated that this will mean increased penalties, given the importance of these assets to Australia.

International Co-operation

The Plan also indicates an intention for the Government to work with international partners, in joint operations with counterparts, to detect, investigate, disrupt and prosecute malicious cyber actors engaged in cybercrime, and to call out states that support cybercriminals. This presumably would include co-operation on offensive cyber capabilities.

Similar legislation may be enacted in the US soon 

A bipartisan bill introduced in the US Senate last month would require owners and operators of critical infrastructure to report to the relevant Federal agency any "covered cyber incident" and any ransomware payment. Entities reporting ransomware payments would be required to have conducted due diligence into available alternatives, including whether recovery from the ransomware attack was possible without paying the demand. This accords with Department of State guidance that, before paying a ransom, entities should consult with the Department of State to minimise the risk of inadvertently funding proscribed organisations, individuals or activities.

Both points are consistent with the strategies we would typically recommend for mitigating the risk of committing an offence under Australia's Criminal Code, or under anti-money laundering and counter-terrorism financing laws, including, in the Australian context, notifying and liaising with one or both of the ACSC and the Australian Federal Police.
