
New mandatory ransomware payment reporting obligations now in force

16 June 2025
Adrian Chotar, Partner, Sydney
Dudley Kneller, Partner, Melbourne
Sinead Lynch, Partner, Sydney
Antoine Pace, Partner, Melbourne
Mitchell Wright, Partner, Canberra

Introduction

Australia has taken a bold step in strengthening its cyber resilience with the introduction of the mandatory ransomware and cyber extortion payment reporting regime under Part 3 of the Cyber Security Act 2024 (Cyber Security Act).

Effective from 30 May 2025, this new regime requires certain entities – including businesses with an annual turnover exceeding AUD $3 million and responsible entities for critical infrastructure assets – to report any ransomware or cyber extortion payment made, or known to have been made on their behalf, within 72 hours of making the payment or becoming aware of it.

These new mandatory requirements respond to the growing threat of ransomware attacks in Australia. According to the Australian Signals Directorate's Annual Cyber Threat Report 2023-2024, over 70% of the extortion-related cyber security incidents to which the Australian Signals Directorate responded in FY 2023-2024 involved ransomware.

When did the obligations commence?

The mandatory ransomware and cyber extortion reporting regime commenced on 30 May 2025. From this date, all reporting business entities are required to commence ransomware and cyber extortion reporting using the Australian Signals Directorate’s form.

Implementation of the reporting obligation will occur in two stages to allow for a period of familiarisation with the regime:

  • Phase 1: Education First Approach (30 May 2025 to 31 December 2025 – 6 months)

During this first 6-month period, the Department of Home Affairs will prioritise an 'education-first' approach and will aim to pursue regulatory action against reporting business entities only in cases of egregious non-compliance.

  • Phase 2: Compliance and Enforcement Approach (1 January 2026 onwards)

As the reporting regime strengthens and regulated entities familiarise themselves with their mandatory reporting requirements, the Department of Home Affairs will move to an active regulatory focus.

Who do the reporting requirements apply to?

Obligations apply to reporting business entities, as defined under the Cyber Security Act.

Under Section 26 of the Cyber Security Act, the following entities are classified as reporting business entities and must report ransomware or cyber extortion payments:

  • Entities operating in Australia with an annual turnover of AUD $3 million or more within the last financial year (except State and Commonwealth bodies).

If you have only carried on business for part of a financial year, you must use the formula in section 6 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 to determine your annual turnover threshold, pro-rated for the time you have been carrying on business.

  • Responsible entities for critical infrastructure assets, as defined under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth).

What cyber security incidents need to be reported?

Reporting obligations apply to relevant entities when:

  • a cyber security incident has occurred, is occurring or is imminent;
  • that cyber security incident had, is having or could reasonably be expected to have an impact (direct or indirect) on a reporting business entity;
  • an extorting entity has made a demand to benefit from that cyber security incident or its impact on the reporting business entity; and
  • the reporting business entity provided (or is aware another entity provided on their behalf) a benefit (e.g. payment, services or data) to the extorting entity directly related to the demand.

Key reporting requirements

If you are a reporting business entity and:

  • you have made a ransomware or cyber extortion payment, or
  • you are aware a payment has been made on your behalf,

you have 72 hours to make a ransomware or cyber extortion payment report from the time when you make the payment, or from the time you are aware a payment has been made on your behalf.

Reporting obligations apply to both monetary and non-monetary benefits. If you have given or exchanged gifts, services or other benefits in respect of a ransomware or cyber extortion payment demand, you still have a responsibility to report this under the mandatory reporting regime.

Reports must be made using the reporting form on the Australian Signals Directorate's (ASD) website.

The report must include:

  • contact and business details of the entity that made the payment, including an Australian Business Number (ABN);
  • details of the incident (e.g., date, impact on infrastructure/customers);
  • nature of the demand (amount demanded, monetary or non-monetary);
  • payment details (type, amount, method);
  • information about the extorting entity, if known; and
  • any communications or negotiations with the extorting entity.

Reporting entities should note that, under section 32 of the Cyber Security Act, information provided in a ransomware payment report is not admissible in evidence against the reporting entity in civil or criminal proceedings. There are, however, some exceptions, including cases involving false or misleading information.

What are the penalties for non-compliance?

Under the Cyber Security Act, reporting business entities that fail to report ransomware payments within the required 72-hour timeframe may face civil penalties up to 60 penalty units (currently $19,800).

Beyond legal penalties, non-compliance may expose organisations to reputational damage and loss of trust from customers, partners, and investors.

What should affected organisations do if they are subject to a ransomware attack?

Organisations require a swift and structured approach to respond to cyber incidents and ransomware attacks.

Organisations should consider the following in response to cyber incidents (including those involving ransomware and cyber extortion):

  1. Incident response plans: A detailed cyber incident response plan (including the steps to follow in the event of a ransomware attack) is a must and will help your business respond to cyber security threats from an operational, legal and regulatory perspective. Ensure your plan is up to date (for example, that it covers the new mandatory reporting requirements and the 72-hour clock) and is regularly tested.
  2. Risk mitigation is key: Understand the risks to your business, and ensure you have an appropriate and tailored cyber security strategy to implement risk mitigation measures. This includes training for staff, simulated phishing exercises to raise their awareness, and a holistic approach to privacy and data security at all levels of your business.
  3. Carefully consider the payment of ransoms: The Australian Cyber Security Centre (ACSC) strongly advises against paying ransoms, noting that there is no guarantee that your files will be restored, nor does payment prevent the publication or use of stolen data. Payment may also mark your business as a likely target for future attacks. Your business should settle its position on ransomware and cyber extortion in advance, and understand the risks associated with paying a ransom, including that any payment triggers the 72-hour reporting obligation.
  4. Record important details: In the event of a ransomware attack or cyber extortion event, take screenshots to capture as much information as quickly as possible. Record whether affected files have been given a new file extension, the name of that extension, the text of the ransom note, and anything else that has changed since the attack. Ensure your business has the contact details of the appropriate providers (such as IT service providers, insurers and legal advisors) at the ready so that it can quickly contain any cyber incident.
  5. Check your backups: Ensure ongoing and regular backups of your data. The ACSC advises that if you have backups that are free from ransomware, you should not connect them to the infected device or network; remove the ransomware from the infected device or network first. If you think your backups may be infected with ransomware, do not try to access them; ask an IT professional for support.
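Step 4 above asks responders to record which files changed, what new extension they were given and what the ransom note said, quickly and without altering anything. The script below is an added illustration of how to capture that record in a repeatable way; it is not code from Gadens, the ACSC or the Cyber Security Act materials. It walks a directory read-only, counts files modified since a chosen cut-off by extension, flags extensions that are not on a caller-supplied list of expected ones (candidate ransomware suffixes), picks out small files whose names look like a ransom note, and writes a timestamped JSON record together with its SHA-256 so the capture can later be shown to be unaltered. The ransom-note name markers, the `known_extensions` parameter and the sample directory tree are all constructed assumptions for the demonstration, not taken from the article.

```python
"""Ransomware triage snapshot: record what changed before anything is touched.

Added example, not part of the original article. Assumptions: RANSOM_NOTE_MARKERS is a
heuristic list of name fragments; known_extensions is supplied by the responder.
"""
from __future__ import annotations

import hashlib
import json
import os
import time
from collections import Counter
from pathlib import Path

# Name fragments commonly seen in ransom-note filenames (assumed heuristic, tune per incident).
RANSOM_NOTE_MARKERS = ("readme", "recover", "decrypt", "how_to", "restore")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_snapshot(root: Path, since_epoch: float, known_extensions: set[str]) -> dict:
    """Walk `root` read-only and summarise files modified at or after `since_epoch`.

    Returns per-extension counts, extensions absent from `known_extensions` (candidate
    ransomware suffixes) with one example path each, candidate ransom notes (path, hash,
    size and a short preview) and the UTC capture time.
    """
    ext_counts: Counter[str] = Counter()
    sample_paths: dict[str, str] = {}
    suspect_notes: list[dict] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        if st.st_mtime < since_epoch:
            continue  # untouched since the cut-off: not part of the incident picture
        ext = p.suffix.lower()
        ext_counts[ext] += 1
        sample_paths.setdefault(ext, str(p))
        # Ransom notes are small text files with telling names; keep a hash and a preview only.
        if any(m in p.name.lower() for m in RANSOM_NOTE_MARKERS) and st.st_size < 64 * 1024:
            with p.open("rb") as f:
                head = f.read(200)
            suspect_notes.append({"path": str(p), "sha256": sha256_file(p),
                                  "size": st.st_size, "preview": head.decode("utf-8", "replace")})
    unknown = {e: c for e, c in ext_counts.items() if e not in known_extensions}
    return {
        "captured_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "root": str(root),
        "modified_file_count": sum(ext_counts.values()),
        "extension_counts": dict(ext_counts),
        "unknown_extensions": unknown,
        "unknown_extension_examples": {e: sample_paths[e] for e in unknown},
        "ransom_note_candidates": suspect_notes,
    }


def write_record(snapshot: dict, out_path: Path) -> str:
    """Write the snapshot as JSON and return its SHA-256 for the incident timeline."""
    data = json.dumps(snapshot, indent=2, sort_keys=True).encode()
    out_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def build_demo_tree(base: Path) -> float:
    """Constructed sample data (not from the article): three 'encrypted' files with a new
    suffix, one untouched spreadsheet and a ransom note. Returns a cut-off one hour ago."""
    docs = base / "shares" / "finance"
    docs.mkdir(parents=True)
    cutoff = time.time() - 3600
    old = docs / "budget_2023.xlsx"
    old.write_bytes(b"old spreadsheet")
    os.utime(old, (cutoff - 86400, cutoff - 86400))  # last modified a day before the cut-off
    for i in range(3):
        (docs / f"invoice_{i}.pdf.locked").write_bytes(b"\x00" * 32 + bytes([i]))
    (docs / "README_TO_RECOVER.txt").write_text("Your files are encrypted. Contact: <redacted>\n")
    return cutoff


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        since = build_demo_tree(base)
        snap = triage_snapshot(base, since, known_extensions={".pdf", ".xlsx", ".docx", ".txt"})
        digest = write_record(snap, base / "triage.json")
        print(json.dumps(snap, indent=2))
        print("record sha256:", digest)
```

Run it from a forensic copy or read-only mount where possible; the script only reads the affected tree, but any activity on a live infected host competes with containment and can disturb timestamps that an investigator will later want. Write the JSON record and its hash to storage that the attacker cannot reach, and keep the digest in the incident log alongside the time of any payment, since that time starts the 72-hour reporting clock.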




Authored by:
Dudley Kneller, Partner
Eve Lillas, Senior Associate
Jayarupi Pahala Vithana, Graduate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
