14 October 2021

Australian Government unveils its Ransomware Action Plan

This article was written by Andrew Hannay, Cheng Lim and Sean Field.

TL;DR: New mandatory ransomware incident notification requirements for large Australian businesses, and new and stronger criminal offences applicable to cybercriminals. Similar legislation may be enacted in the United States soon.


On 13 October 2021, the Minister for Home Affairs unveiled a ‘new and comprehensive’ Ransomware Action Plan (Plan). Under the Plan, the Australian Government has disclosed upcoming legislative and operational/policy reforms to better protect individuals, businesses and critical infrastructure across Australia against ransomware.  The Plan outlines current initiatives already undertaken by the Government to improve cyber security generally, as well as future legislative reforms aimed specifically at disrupting and deterring ransomware attacks.

The Plan also clearly sets out the Commonwealth’s policy position regarding the payment of ransoms, that is, that the Commonwealth does not condone the payment of ransoms.  We have previously provided guidance around the legal risk associated with the payment of ransoms.

Key legislative initiatives

Under the Plan, the key future initiatives to deter ransomware attacks include:

  • Specific mandatory ransomware incident reporting to the Australian Government – however the Government has indicated that this would only apply to businesses with turnover exceeding $10 million per year. The current voluntary reporting entity is the Australian Cyber Security Centre (ACSC), an agency of the Australian Signals Directorate, and we expect that it will continue to receive reports on behalf of the Government under the new legislation.

  • Legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments in cryptocurrency.

  • Introducing a stand-alone offence for all forms of cyber extortion. Presumably this will extend beyond ransomware to other forms of cyber extortion, such as Denial of Service threats.

  • Criminalising the buying or selling of malware for the purposes of undertaking computer crimes.

  • Criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties. Given it will extend beyond dealings with data stolen in the course of a ransomware attack to dealings with data stolen in the course of other criminal offences, it will be interesting to see the actual breadth of this new offence and its application to those who “steal” data.

  • A stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill)).  Our previous alerts on the purpose of the reforms and the content of the SOCI Bill are available here, here, here and here.  The Government has indicated this will mean an increase in penalties, given the importance of these assets to Australia. 

International Co-operation

The Plan also indicates an intention for the Government to work with international partners (in joint operations with counterparts) to detect, investigate, disrupt and prosecute malicious cyber actors when engaging in cybercrime and to call out states who support cybercriminals. This presumably would include co-operation on offensive cyber capabilities.

Similar legislation may be enacted in the US soon 

A bipartisan bill was introduced to the US Senate last month that would require owners and operators of critical infrastructure to report to the relevant Federal agency any “covered cyber incident” and any ransomware payments.  Entities reporting ransomware payments will be required to have conducted due diligence into available alternatives, including whether recovery from a ransomware attack was possible without succumbing to a demand for payment.  This accords with Department of State guidance, which is that before paying a ransom, entities should consult with the Department of State to minimise the risk of inadvertently funding proscribed organisations, individuals or activities through ransom payments.

Both points are consistent with strategies we would typically recommend for mitigating the risk of committing an offence under Australia’s Criminal Code in relation to anti-money laundering and counter-terrorism financing laws including, in the Australian context, notifying and liaising with one or both of the ACSC or the Australian Federal Police.
