Australian businesses that make ransomware payments to hackers are likely to be forced to report their actions to authorities under new cybersecurity laws being introduced to parliament on Wednesday.
The “unprecedented” legislation will also encourage companies to share private details with relevant agencies under Australia’s first standalone Cyber Security Act, which follows the Albanese government’s Cyber Security Strategy unveiled last year.
New “limited use” obligations will prevent the sharing of information given to the National Cyber Security Coordinator and Australian Signals Directorate but will not necessarily give complete indemnity for businesses from future prosecution.
Private entities will also be forced to address serious deficiencies in their risk management programs under a new government power aimed at protecting the country’s critical infrastructure.
A new Cyber Incident Review Board will be created as an independent body to collate lessons from serious incidents, but so far the make-up of the board has not been announced.
Authorities warn cyber threats are escalating at an alarming rate in Australia, with more than 94,000 incidents reported last financial year — representing a 23 per cent increase, or roughly one report every six minutes.
In 2022, telecommunications giant Optus came under heavy public and government criticism for failing to protect its customers’ personal information during a massive data breach.
“The creation of a Cyber Security Act is a long-overdue step for our country and reflects the government’s deep concern and focus on these threats,” Cyber Security Minister Tony Burke said in a statement ahead of the laws being tabled.
“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from cyber security threats,” Mr Burke added.
“To achieve Australia’s vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry and the community.”
If passed, the provisions would also introduce new minimum cyber security standards for all smart devices, such as watches and televisions, to ensure Australians know they are “safe”.
On Wednesday, a newly established not-for-profit organisation known as the Australian Cyber Network (ACN) will be officially launched at Parliament House, focused on advocacy, capability-building, and education for the local cyber security industry.