Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

UK: Consultation on Ransomware payments
https://privacymatters.dlapiper.com/2025/01/uk-consultation-on-ransomware-payments/
Thu, 23 Jan 2025 18:55:36 +0000

On 14 January 2025, the UK Home Office published a consultation paper focusing on legislative proposals to reduce payments to cyber criminals and increase incident reporting.

The proposals set out in the consultation paper aim to protect UK businesses, citizens, and critical infrastructure from the growing threat of ransomware, by reducing the financial incentives for criminals targeting UK organisations and by improving intelligence and understanding of ransomware to support the overall resilience of the UK’s cyber defences.

Summary of key proposals

The consultation sets out three key proposals:

  1. A targeted ban on ransomware payments – a targeted ban on ransomware payments for all public sector bodies (including local government) and critical national infrastructure (CNI) owners and operators. This proposal goes beyond the current principle that central government departments cannot make ransomware payments – by prohibiting all organisations in the UK public sector from making a payment to cyber criminals in response to a ransomware incident, as well as including CNI owners and operators. The aim of the proposal is to deter criminals by ensuring they cannot profit from attacking essential services. However, the possible impact of this is unclear and the government is seeking input on whether suppliers to such bodies/entities should also be included. The prohibition of ransomware payments by public sector bodies and critical national infrastructure may have a deterrent effect, assuming the threat actors in question are motivated by financial purposes, but a failure to include the supply chain would likely simply shift the threat actors’ focus downstream. However, inclusion of the entire chain could be extremely far reaching, particularly where such vendors provide products/services across multiple sectors.

     It is also not clear how this proposal will be enforced in practice and the government is seeking views on appropriate measures to support compliance. The consultation includes a number of possible measures, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) to civil penalties (such as a monetary penalty or a ban on being a member of a board).
  2. A new ransomware payment prevention regime – requiring all victims, including those not within the scope of the ban, to “engage with the authorities and report their intention to make a ransomware payment before paying over any money to the criminals”. After the report is made, the potential victim would receive support and guidance including the discussion of non-payment resolution options. Under the proposals, the authorities would review the proposed payment to see if there is a reason it needs to be blocked (e.g. known terrorist organisations). If the proposed payment is not blocked, it would be a matter for the victim whether to proceed. Input is sought on the best measures for encouraging compliance with this regime, as well as what additional support and/or guidance should be provided – possibly building on existing collaboration between the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
  3. A ransomware incident reporting regime – a mandatory ransomware incident reporting regime, which could include a threshold-based requirement for suspected victims to report incidents, enhancing the government’s understanding and response capabilities. Input is sought on whether this should be economy wide, or only apply to organisations/individuals meeting a certain threshold. The consultation proposes that organisations will have 72 hours to provide an initial report of the incident and then 28 days to provide the full report. It is unclear how these reporting requirements will align with existing incident reporting obligations; however, the government has stated that the intent is to ensure that “UK victims are only required to report an individual ransomware incident once, as far as possible”.

These proposals, if implemented in their broadest form, will pose a significant challenge for any business impacted by a ransomware incident, requiring mandatory reporting of such incidents, as well as a need to wait for guidance from authorities before making any payments. This is likely to be particularly problematic where threat actors are imposing deadlines for payment and could lead to significant disruptions to essential services where a ransomware attack has occurred and payment is not possible. The impact of the proposals on organisations not subject to the ban is also unclear, particularly in relation to reporting and disclosure requirements and how these will align with incident/breach notification obligations.

The consultation closes on 8 April 2025.

Australia’s Cyber Security Strategy in action – three new draft laws published
https://privacymatters.dlapiper.com/2024/10/australias-cyber-security-strategy-in-action-three-new-draft-laws-published/
Fri, 11 Oct 2024 05:20:34 +0000

It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

A report will need to be made to the Department of Home Affairs within 72 hours, if the following criteria are met:

• a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
• an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
• the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount.

A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

Cyber Review Board

Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.

Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses.

The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

Limited Use Exception

A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.

The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD by an impacted entity during a cyber security incident, as well as information which is provided on behalf of the impacted entity (such as by its external advisors).

Mandatory security standards for smart devices

The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

Security of Critical Infrastructure

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia.

The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

We will provide further updates once these Bills are passed.