Recent Australian legislation now mandates disclosure of ransomware and extortion payments. The Cyber Security Act 2024 (assented to in Nov 2024) established this requirement as part of the 2023–2030 Cyber Security Strategy. The subordinate Cyber Security (Ransomware Payment Reporting) Rules 2025 came into force on 30 May 2025. Under the Act, covered entities that make or arrange any ransomware/cyber-extortion payment (monetary or non-monetary) must file a Ransomware Payment Report with the Australian Signals Directorate (ASD) within 72 hours. This mandate aligns Australia with emerging international best practice and responds to under-reporting of high-impact breaches in the private sector.
Scope of Reporting Obligations
Covered incidents include any malicious cyber intrusion that results in a demand for payment. The rules explicitly capture both cash and “non-monetary benefits” (e.g. services or other goods) provided to the extortionist. Reports must detail key incident and payment information, including:
- Entity details: ABN and contact info of the party that made the payment.
- Incident specifics: timing and impact of the breach (e.g. when it occurred/was detected, systems affected, data or service impact), malware variant, and exploited vulnerabilities.
- Extortion demand: the ransom demand (amount and form, including non-cash components) and payment provided (amount and method).
- Communications: all communications with the attacker (nature, timing, and summary of negotiations).
This information is prescribed by section 27 of the Act and the supporting rules. The goal is to give government agencies insight into threat actors’ tactics, targets and impacts. (Reported data may be used only for assisting incident response or intelligence – it is not admissible in civil or criminal proceedings under strict protections.)
Covered Entities
The reporting obligation applies to:
- Large businesses: Any business carried on in Australia with annual turnover ≥ AUD 3 million in the most recent financial year (a pro-rata formula applies for partial-year businesses).
- Critical infrastructure operators: Any entity defined as a responsible entity for a covered critical infrastructure asset under the Security of Critical Infrastructure Act 2018 (Part 2B).
Notably, Commonwealth and State government bodies and most not-for-profit organisations are exempt. This turnover threshold (roughly the top 6.5% of firms), together with the inclusion of all major infrastructure sectors, means roughly half of Australia’s economy is captured. All such “reporting business entities” must establish processes to detect any ransom payment event and trigger the reporting process immediately.
Reporting Timelines and Implementation
The rules commenced on 30 May 2025. From that date, any covered entity that makes a ransomware payment (or becomes aware that one was made on its behalf) must submit a report within 72 hours. The report is submitted via the ASD’s online form on the Australian Cyber Security Centre website.
Compliance will be phased:
- Phase 1 (Education/Engagement, 30 May–31 Dec 2025): The Department of Home Affairs (DHA) adopts an “education-first” approach. It will onboard entities to the reporting portal, publish FAQs/factsheets, and hold industry briefings. During this period DHA will only pursue regulatory action in clear cases of intentional non-reporting, so as not to divert attention from active incident response.
- Phase 2 (Active Enforcement, from 1 Jan 2026): After year-end, once organisations are familiar with the regime, DHA will step up compliance monitoring and enforcement. Further guidance (updated playbooks, tools) will be issued based on Phase 1 feedback.
These staged timelines are intended to balance initial learning with eventual accountability. (Entities should not assume indefinite leniency; the 72-hour rule applies immediately.)
Enforcement and Penalties
Enforcement responsibility rests with the Department of Home Affairs, which administers the Cyber Security Act. ASD itself is not a regulator and will not police compliance. DHA may invoke powers under the Regulatory Powers (Standard Provisions) Act 2014 as needed. Civil penalties for failing to report are up to 60 penalty units (currently several thousand AUD) per contravention. During 2025 only the most egregious breaches will be targeted, but from 2026 standard enforcement action (inspections, fines) is expected.
Implications for Incident Response
These rules impose new incident-response requirements. Organisations should update their IR playbooks now to incorporate the 72-hour reporting duty. In practice this means: identifying who will submit the report, gathering the required data (incident timeline, attacker communications, payment details) rapidly, and liaising with legal counsel early. Victims must also consider sanctions law before paying: the reporting obligation applies to all payments, but any transaction that breaches autonomous sanctions may carry additional legal consequences. MSPs and security teams are advised to test their ability to meet the 72-hour deadline in drills, and to remind clients that paying a ransom is not a “last-minute” decision but a planned contingency. In all cases, the report itself cannot be used against the victim in court (subject to narrow exceptions) and does not waive legal privilege, which encourages prompt cooperation.
Sources: Australian Cyber Security Act 2024 and Ransomware Payment Reporting Rules; Australian Home Affairs factsheets; reporting guidance from ASD/ACSC; security news analyses.