Gallagher Australia has highlighted the potential implications of new federal cybersecurity legislation, which mandates businesses to report ransomware payments.
The Cyber Security Act 2024, taking effect in January 2025, is part of the government’s strategy to improve national cybersecurity resilience and transparency.
Under the new framework, businesses with an annual turnover exceeding $3 million must disclose ransomware or cyber extortion payments to the Department of Home Affairs within 72 hours. The requirement applies to all payments made in response to cybersecurity incidents, whether they directly or indirectly impact business operations.
Gallagher noted that the legislative package introduces several measures aimed at strengthening cybersecurity protections and increasing government oversight.
Businesses falling under the reporting mandate must submit ransomware payment details through the Australian Signals Directorate (ASD) portal, including the ransom amount, the involvement of any third-party negotiators, and records of communication with the attackers. Failure to comply may result in penalties of up to $19,000.
Cyber Security Minister Tony Burke said the policy is designed to improve government insight into ransomware incidents.
“Mandatory reporting of ransomware payments will crystallise our picture of how much is being extorted from businesses via ransomware attacks, whom these payments are being made to and how,” he said.
Gallagher noted that cyber extortion remains a significant issue for Australian businesses, with extortion-related incidents rising by 9% in 2023-24, according to ASD data. Of those incidents, 71% involved ransomware.
In 2023, Australian businesses reported an average financial impact of $9.27 million per ransomware attack, covering ransom payments, legal expenses, operational downtime, and reputational damage. Many attacks involve demands for payment in exchange for not disclosing or selling stolen data.
The government aims to use the data collected through mandatory reporting to track cybercrime trends and allocate resources to improve national cybersecurity preparedness.
The new reporting obligations add to existing compliance workloads and mean organisations will need to build cybersecurity risk management, including incident record-keeping, into their day-to-day operations.
Gallagher warned that many businesses, particularly small to mid-sized firms, may struggle with limited resources, a lack of dedicated cybersecurity personnel, or insufficient awareness of evolving threats.
Larger organisations, especially those managing critical infrastructure, will face heightened regulatory scrutiny to ensure their cybersecurity measures align with national security priorities. Meanwhile, cybercriminal tactics continue to evolve, with ransomware-as-a-service models making attacks more accessible and sophisticated.
To meet these challenges, insurance companies and brokerages are urged to advise their business clients to enhance cybersecurity frameworks, establish robust incident response plans, and consider cyber insurance as part of their risk mitigation strategies.