On 13 October 2021 the Australian Government released its Ransomware Action Plan. The Plan sets out the Australian Government's strategic approach to tackling the threat posed by ransomware, outlining current and future initiatives the Government will adopt to combat ransomware from a policy, operational and legislative perspective. In this update, we provide a snapshot of the key legislative reform aspects of the Ransomware Action Plan and what organisations can do now to mitigate the risks of ransomware attacks.
A copy of the Ransomware Action Plan can be found on the Department of Home Affairs website.
The threat landscape
Ransomware attacks continue to rise each year, posing a cybersecurity threat to all Australian organisations and the broader community. The Australian Cyber Security Centre (ACSC) reported in its Annual Cyber Threat Report that it recorded a 15 per cent increase in ransomware cybercrime reports in the 2020-21 financial year. Against this threat landscape, the Australian Government has publicly released its stance and strategic approach to combatting ransomware in Australia.
Objectives of the Plan
The Australian Government is taking a zero-tolerance approach to ransomware.
The Ransomware Action Plan is built on three objectives:
- Prepare and prevent: Managing the risk of ransomware attacks through a number of initiatives, including uplifting the cybersecurity posture of Australia's critical infrastructure, including systems of national significance, through the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
- Respond and recover: Strengthening response mechanisms for ransomware victims, to help protect Australia and reduce the incentive to pay ransoms, by introducing legislation to:
  - ensure the Australian Government can assist industry in responding to cyber threats that are too sophisticated or disruptive to be handled alone, through the Security Legislation Amendment (Critical Infrastructure) Bill 2020
  - mandate ransomware incident reporting to the Australian Government
  - ensure law enforcement can investigate and seize ransomware payments.
- Disrupt and deter: Taking an offensive approach through cyber offensive capabilities and deterring cybercriminals' strategies and business models. Through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth), the Australian Federal Police and the Australian Criminal Intelligence Commission were recently granted three new warrant powers: network activity warrants (to identify individuals and their networks engaging in serious criminal activity online, including on the dark web), data disruption warrants and account takeover warrants. Further legislative reforms will introduce a stand-alone aggravated offence for cybercriminals who target critical infrastructure, and harsher penalties for those engaging in ransomware attacks or targeting Australia's critical infrastructure.
Actions you can take now
Ransomware attacks can be devastating for victims from a financial, reputational and legal perspective. Anyone can be the victim of a ransomware attack, so it is better to prepare now in order to mitigate the costly effects of an attack.
Updating and modernising Australia's cyber laws is only one line of defence. Your organisation can also be proactive in protecting itself from ransomware attacks by:
- adopting simple and cost-effective technical protective measures to prevent ransomware, such as the mitigation strategies in the ACSC's Essential Eight (including regular, tested backups kept offline or otherwise inaccessible to an attacker, prompt patching of applications and operating systems, and multi-factor authentication). For more information, visit the ACSC website
- having in place, and regularly testing, a data breach response plan and a business continuity plan
- conducting privacy and cyber due diligence on third-party suppliers
- understanding its risk profile and implementing enterprise risk management to manage cyber risks across the organisation
- reviewing existing insurance policies to understand its coverage and whether cyber risks are adequately covered.
For more information, please contact Lander & Rogers' team of Digital and Technology experts.
Authors: Lisa Fitzgerald, Partner and Keely O'Dowd, Senior Associate.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.