‘More stick than carrot’ as nation bolsters cyber laws

Australia is seeking to be the first country to require that ransoms paid to cybercriminals be reported to the government.

If the Cyber Security Legislative Package introduced to federal parliament last week is passed, mandatory reporting of such payments within 72 hours will apply to organisations with annual revenue above $3 million.

The Insurance Council of Australia has applauded the measures and says cybersecurity requires a “team Australia approach”.

“We welcome the reporting obligation and encourage the government to consider how data collected under the obligation can be shared with industry to assist with threat landscape analysis. This includes cyber insurers,” an ICA spokesperson told insuranceNEWS.com.au.

WTW cyber and technology risk specialist Ben Di Marco says compulsory reporting of ransom payments will bring “both good and bad impacts” for insurers.

“Complying with the law will increase the costs of incident response ... The counterpoint to this is it will increase the discipline and rigour of the assessment processes that insureds go through when they have a cyber extortion event,” he told insuranceNEWS.com.au.

“One of the most difficult elements for insurers is assessing how their policies respond to cyber ransoms, and also how to cover the reimbursement of ransom payments under their policies. The additional rigour may help insurers.

“We’re putting in place more discipline around what is a really complex issue dealing with a cyber extortion, whether you will or won't pay, or how you deal with the threat actor, and all of those things have a lot of long-term benefit.”

The cyber insurance market is profitable and expanding. Gross written premium in Australia is about $400 million a year, and the hard market has softened this year as insurers chase share.

The government has previously said people are increasingly “paying criminals money, and it is happening in the darkness”. It wants to make it easier to gather cyberattack information and to “direct entities to take or refrain from certain actions” during a serious incident.

Other reforms include new powers to direct organisations to address serious deficiencies in their risk management programs.

Mr Di Marco says the laws have “much more of a stick than carrot approach”.

“There is little in them in terms of delivering actual support or assistance to victim organisations,” he said.

Victim businesses are dealing with “very horrible cybercriminals”, he says, and often lack the expertise to fully understand what’s going on.

“They don’t have a lot of guidance or clarity around what are the best decisions to make, because investigations can take a long time to complete.

“The organisations that suffer cyber events are inherently victims that have been attacked by criminals. Too often we think about the obligations we want the organisation to take without understanding they are in a very difficult situation and often are trying to make decisions with imperfect information and comply with suffocating time frames.”

Cyber Security Minister Tony Burke says a standalone Cyber Security Act is a “long-overdue step for our country”.

“We must harden our systems and legislation to keep ahead. We can’t do it alone ... we need the unified effort of government, industry and the community.”

The legislation will introduce minimum cybersecurity standards for all smart devices, including watches, televisions, speakers and doorbells. To be sold in Australia, such devices must include secure default settings, unique passwords, regular security updates and encryption of sensitive data.

Critical infrastructure organisations in energy, transport, communications, health and finance will be required to strengthen programs used to secure individuals’ private data.

Mr Di Marco says the ransom reporting law is unlikely to change whether victims decide to pay or not, but it will “serve a wider purpose of making the government more informed”.

“A strong policy component of this law is giving the government better insight into the cyber extortion threat actors that target Australia and how the overall economy and community can be more resilient. This will help the government get more insight into groups that conduct cyber extortion at scale.”