Cybercrime laws to make victims report ransom payments
Businesses with more than $3 million a year in revenue will be obliged to reveal any ransoms paid to cybercriminals under proposed new laws.
Victim organisations would have to submit a ransomware payment report via the Australian Signals Directorate portal, with details including use of any third-party ransom negotiator, the value of the demand and any communications with the criminals. Fines of close to $19,000 could apply for non-reporting.
The information must not be used for civil or regulatory action against the reporting entity, according to the new Cyber Security Legislative Package introduced to federal parliament last week.
If passed, the package will create Australia’s first standalone Cyber Security Act, aimed at plugging gaps in the laws for tackling cybercrime.
The government says it is “landmark” legislation that brings Australia in line with international best practice and closer to its goal of becoming a world leader in cybersecurity by 2030.
Cyber Security Minister Tony Burke says it reflects the government’s “deep concern and focus on these threats”.
“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from, cybersecurity threats,” he said.
The package also proposes a Cyber Incident Review Board with powers to make organisations produce information, review significant cybersecurity incidents and make public findings.