
Cyber security legislation and mandatory ransomware reporting: what you need to know

On 29 November 2024, Australia’s first standalone cyber security law, the Cyber Security Bill, came into effect. This legislation represents a significant milestone in the country’s approach to managing cyber threats, introducing mandatory reporting requirements for ransomware and cyber extortion payments. If you are a lawyer or conveyancer, it is essential to understand how this new legislation impacts your business.

What is the Cyber Security Bill?

The Cyber Security Bill aims to build a clearer picture of the evolving threat landscape by mandating that certain businesses report ransomware payments. The government’s goal is to enhance transparency, improve industry support, and enable better mitigation of ransomware attacks. 

The ransomware reporting obligations are set out in Part 3 of the Cyber Security Bill. They are designed to provide valuable insights into ransomware trends while ensuring sensitive business information is safeguarded.

Why this matters to lawyers and conveyancers

Given the sensitive nature of client information held by law firms and conveyancers, the risk of ransomware attacks is particularly high. This legislation underscores the importance of robust cyber security measures to protect your practice and clients. Staying informed and compliant with these new requirements can mitigate the impact of cyber threats and uphold trust with your clients. 

Who is required to report?

The new reporting obligations apply to: 

  • Businesses operating in Australia with an annual turnover exceeding AU$3 million, or 
  • Entities responsible for critical infrastructure assets, as defined by the Security of Critical Infrastructure Act 2018, regardless of turnover. 

If your organisation meets either of these criteria, it is critical to be prepared to comply with the reporting requirements. 

Reporting requirements

Businesses that are required to report must do so to the Australian Signals Directorate and the Department of Home Affairs within 72 hours of making a ransomware payment or becoming aware that such a payment has been made. The report must include: 

  • The amount paid, 
  • The payment method, 
  • Details of the recipient, and 
  • A summary of the incident. 

These reports help authorities understand and respond to ransomware threats more effectively while supporting affected businesses. 

How is the reported information protected?

The legislation includes robust measures to protect businesses that comply with the reporting obligations: 

  • Limited use: the information provided in the report can only be used for specific purposes, such as analysing ransomware trends or assisting businesses. 
  • Legal safeguards: the reported information cannot be used against the business in legal proceedings, except in cases directly related to the ransomware incident. 

These safeguards are designed to encourage reporting while protecting businesses from potential misuse of their disclosures. 

Legal professional privilege

The legislation respects the confidentiality of communications with legal advisors. This means that legal professional privilege remains intact, ensuring that sensitive discussions about ransomware incidents do not fall under the reporting requirements.

Practical steps for compliance

To ensure compliance with the new legislation, you should: 

  1. Review your cyber security policies: ensure your organisation has protocols in place to handle ransomware incidents.
  2. Train staff: make employees aware of the new reporting requirements and how to recognise potential cyber threats.
  3. Maintain detailed records: implement systems to capture incident details promptly to meet the 72-hour reporting timeframe.

Staying compliant and protecting your firm

By staying informed and proactive, you can navigate the new cyber security legislation with confidence. Understanding your reporting obligations, implementing strong cyber security measures, and ensuring staff are prepared will help protect your practice and clients from evolving cyber threats. Compliance not only minimises risk but also reinforces trust in an increasingly digital legal landscape.