
Ransomware reporting rules require all businesses to do a risk assessment

News
30 May 2025

While SMBs are not bound by the same obligations, they face the same risks as enterprises.


Australian businesses with an annual turnover of more than $3 million and entities responsible for critical infrastructure must report to the government within 72 hours of making a ransomware payment, or becoming aware that one has been made on their behalf, under the Ransomware Reporting Rule of the Cyber Security Act 2024.

Effective 30 May 2025, payment reports will not be limited to direct payments but will also include those made by third parties, such as insurers and incident response firms, on behalf of the covered entity.

Organisations must submit their reports within 72 hours of making or becoming aware of the payment, using a dedicated online portal managed by the Australian Cyber Security Centre (ACSC).

The report must include details such as the business's contact and ABN information, a description of the cyber incident and its business impact, specifics of the extortion demand, and the amount and method of payment, including cryptocurrency details. Organisations are also obliged to report any other communications or negotiations they have had with the attackers.

The legislation captures both monetary and non-monetary benefits that are given or exchanged to an extorting entity as being ransomware or cyber extortion payments.

For example, this may include the exchange of gifts, services or other benefits to an entity in respect of the demand.

Trustwave Pacific director of consulting and professional services Craig Searle told ARN that these mandatory reporting regimes for ransomware and cyber extortion payments move the nation much closer to a comprehensive regulatory framework for cyber risk management.

“Fundamentally, the scheme is intended to address longstanding underreporting of ransomware incidents, as opposed to providing any sort of meaningful protection to reporting organisations,” he said. “The scheme will provide the Australian government with a better understanding of the threat landscape if it is successful over the long term and will support more effective disruption of the ransomware business model.

“Civil penalties of up to $19,800 apply for non-compliance. However, it is unlikely that these will be enforced in the near term, though the government has indicated an education-first approach to enforcement.”

Searle noted that similar regimes are being adopted internationally.

“Certain entities in the US must report ransom payments to federal authorities within 24 hours,” he said. “While the UK is considering a model where organisations report their intention to pay before making any payment, letting authorities provide guidance and potentially block illegal transactions.

“There is a clear global trend toward discouraging ransom payments, with some countries even prohibiting payments by public sector entities.”

FortiGuard Labs Australia and New Zealand (A/NZ) director of threat intelligence Glenn Maiden told ARN that the government has previously considered banning ransomware payments.

However, this could be problematic because, in certain worst-case scenarios, paying the ransom may result in less harm.

“Mandatory reporting of payments is a massive step forward. Many, if not most ransomware incidents in Australia, remain unreported,” he said. “Complicating the problem is that historically there wasn’t really a central agency to report to, whether that be state police, federal police or the ACSC for example.

“This resulted in a profound lack of visibility into the activities, targets and tactics, techniques and procedures of this most brutal of adversaries.”

By requiring reporting, authorities will have a much clearer picture into the activity and impact of ransomware attacks, which will lead to better prosecution, prevention, and harm reduction, said Maiden.

Security leaders in Australia however are grappling with a unique set of challenges spurred on by moving regulatory goalposts, compliance scrutiny and an uptick of ransomware attacks targeting our shores, said Arctic Wolf A/NZ director of security services Mark Thomas.

The ransomware reporting rules will “add a layer of complexity that businesses must consider when facing ransom demands”, he noted.

“Businesses simply [pay] ransoms as a matter of protocol, organisations will need to reassess their security protocols and weigh up the financial, legal and reputational consequences of coughing up,” said Thomas.

While the rules apply only to businesses over a certain size, small- to medium-sized businesses (SMBs), although not bound by the same requirements, should not be quick to dismiss what is happening in the cyber security landscape.

Thomas said SMBs need to take the opportunity to review their risk environment and strengthen their overall cyber resilience as a critical business function.

“Ransomware isn’t an issue that only large enterprises face,” he said. “Australia’s security industry needs to ensure that the SMB community – the lifeblood of our economy – isn’t left behind as cybercriminals evolve their tactics.”

According to the Department of Home Affairs, this is the first phase of Part 3 of the Cyber Security Act 2024, which prioritises an education-first approach for the first six months after commencement, in order to familiarise regulated entities with the reporting form, manage any challenges and identify key compliance barriers.

Phase two follows in January 2026, when more advanced guidance resources will be disseminated, incorporating feedback from the initial implementation of the Ransomware Reporting Rules.