At a glance.
- Australian incident reporting law comes into effect.
- UK agencies recommend (strongly) against paying ransom.
Australian incident reporting law comes into effect.
A law came into effect on Friday requiring critical infrastructure operators in Australia to report critical security incidents to the Australian Cyber Security Centre within twelve hours. The measure impacts all organizations operating any of the twenty-two asset classes defined as critical under the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which include broadcasting, banking, hospitals, education, freight, energy markets, and aviation. The twelve-hour deadline applies to critical incidents such as ransomware attacks; less significant incidents, such as individual data exposures, must still be reported, but not until the seventy-two-hour mark. CRN Australia notes that, depending on the severity of the incident, the Australian Signals Directorate can use intervention powers, such as installing reporting software on the victim’s systems, to give the directorate oversight of the incident response.
Some experts say the new rules could reshape the way IT resellers advise their clients about risk management. Nick Milan, managing director at Cytrack Intelligence, stated, “Engaging with the customer will elevate to discussing aspects such as their risk appetite and the appropriate calibration of systems to mitigate those risks in line with the business appetite…The harsh reality of underestimating risk, or failing to mitigate against it adequately, can have substantial financial and reputational consequences for both the reseller and the customer.”
UK agencies strongly urge lawyers to stop advising their clients to pay ransom.
In an attempt to deter ransomware victims from giving in to their attackers’ ransom demands, the heads of the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have submitted a letter to the Law Society implying that paying a ransom could become a crime. Information Commissioner John Edwards and NCSC chief executive Lindy Cameron warned that companies that choose to pay up could face legal trouble for violating sanctions or for failing to adequately secure their data. The letter reads, “While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position… UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident.”
There’s some evidence to suggest that British businesses are more likely than most to pay ransom. A 2021 survey conducted by Proofpoint found that, compared to an international average of 58%, a whopping 82% of UK businesses hit by ransomware chose to pay the ransom. What’s worse, paying did little good in most cases: the survey found that only 4% of organizations that paid actually recovered access to their data. However, some experts feel criminalizing ransom payments could have an adverse effect. Charl van der Walt, head of security research at Orange Cyberdefense, told The Stack, “…Criminalising ransom payments could shift the focus of criminality from the perpetrator to the victim, and set off a chain of unintended consequences, such as a reluctance to report breaches. Combined, this could force the issue underground and make the practice more lucrative for cybercriminals.”