
More work for lawyers under new cyber laws as businesses seek to avoid ‘victim shaming’

Lawyers say they have been receiving a significant increase in businesses thanks to cyber attacks and companies’ desire to avoid so-called ‘victim shaming’.

New cyber security laws have passed parliament.

Lawyers are reporting an increase in businesses coming to them after cyber attacks to avoid being exposed to victim shaming.

New cybersecurity laws that passed parliament late last year mean businesses that pay a ransom after being attacked and threatened by cyber criminals must report it to authorities. However, the Australian Signals Directorate and the National Cyber Security Co-ordinator will be restricted in how they can use that information, offering a degree of comfort to victims.

The new laws will also beef up the power of the Cyber Incident Review Board, which will conduct “no-fault” investigations after significant cyber attacks.

The board will then share anonymised insights about the incidents, to help businesses improve security protocols while protecting the identities of victims.

Holding Redlich general counsel Lyn Nicholson said there would be two key benefits to the laws.

Holding Redlich general counsel Lyn Nicholson.

She said the Australian Cyber Security Centre had reported in the last six months “that people are lawyering up and not wanting to admit that they’ve had incidents, because there’s victim shaming”.

Ms Nicholson said the new laws had “two really good aspects. The first is making it mandatory to report ransomware payments means that there will be reporting … so it’s increasing the knowledge about what’s happening in the system.

“The other thing is a cyber incident review board. So now there is a formal mechanism by which, when we have a major cyber incident, there can be a review and a report and recommendations about how to improve into the ­future.”

Home Affairs Minister Tony Burke did not respond to a request for comment by deadline.

The new laws came after a global tech outage – considered the largest ever – was sparked by a botched software update to CrowdStrike. The hit to the cloud provider took out banks, hospitals and grounded airlines with fallout similar to a cyber attack.

As well, several high-profile hacks in the past few years have seen personal information belonging to thousands of people leaked to the dark web, including hacks of Medibank and Optus.

After those cyber attacks, the government raised the cap of fines for breaches of privacy from $3m to $50m in line with competition law, Ms Nicholson said.

While welcoming the laws, Ms Nicholson said some in the industry considered they could have gone further to give businesses “immunity from prosecution”, particularly with the mandatory reporting of ransomware payments.

“If I tell you I’ve had a ransomware (attack), if I tell you something has happened, I don’t want there to be any adverse consequences. I don’t want my insurer to be able to say that they’re not going to cover it,” she said.

“The place where we are is that you don’t lose legal professional privilege if you report to the government your ransomware payment. If you do report, we’ve got these things called limited use protection, so they can only use it for investigating the ransomware incident.”

But Ms Nicholson said some businesses had a healthy mistrust of the government and how it might share information, and had “valid” concerns that “once you’ve given something away, you can’t get it back”.

“I think the implications for lawyers is it can only mean more work, and for risk-based managers it means there’s more work,” she said.

It could be useful for authorities to know which industries were being targeted by cyber attacks, and whether there were common access methods. With mandatory reporting and the Cyber Incident Review Board, that information would theoretically be shared among authorities and would provide a snapshot of threat levels across the economy.

Ms Nicholson also said the new laws, combined with reporting that came from the board, would mean businesses would be better able to manage risks in their companies.

“Once you have guidance, you can do a better due diligence and a [better] risk management position,” she said.

Originally published as More work for lawyers under new cyber laws as businesses seek to avoid ‘victim shaming’


Original URL: https://www.thechronicle.com.au/business/more-work-for-lawyers-under-new-cyber-laws-as-businesses-seek-to-avoid-victim-shaming/news-story/15a33919d2c7a458636dece2095ebac2